JS: Add sanitizer for "in" exprs

This commit is contained in:
Asger F
2019-11-26 15:14:19 +00:00
committed by Asger Feldthaus
parent 7ac30e2289
commit 9bd3c4a11c
3 changed files with 70 additions and 0 deletions


@@ -286,6 +286,7 @@ class PropNameTracking extends DataFlow::Configuration {
node instanceof BlacklistEqualityGuard or
node instanceof WhitelistEqualityGuard or
node instanceof HasOwnPropertyGuard or
node instanceof InExprGuard or
node instanceof InstanceOfGuard or
node instanceof TypeofGuard or
node instanceof BlacklistInclusionGuard or
@@ -353,6 +354,25 @@ class HasOwnPropertyGuard extends DataFlow::BarrierGuardNode, CallNode {
}
}
/**
* Sanitizer guard for `key in dst`.
*
* Since `"__proto__" in obj` and `"constructor" in obj` is true for most objects,
* this is seen as a sanitizer for `key` in the false outcome.
*/
class InExprGuard extends DataFlow::BarrierGuardNode, DataFlow::ValueNode {
override InExpr astNode;
InExprGuard() {
// Exclude tests of form `key in src` for the same reason as in HasOwnPropertyGuard
not arePropertiesEnumerated(astNode.getRightOperand().flow().getALocalSource())
}
override predicate blocks(boolean outcome, Expr e) {
e = astNode.getLeftOperand() and outcome = false
}
}
/**
* Sanitizer guard for `instanceof` expressions.
*
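Review bot: The `blocks` predicate of `InExprGuard` clears `key` on the false outcome of `key in dst` for every `dst`, but `"__proto__" in dst` is false when `dst` has a null prototype (for example one created with `Object.create(null)`), so a `key` sanitized here can still be `"__proto__"` if it later reaches an ordinary object; whether PropNameTracking's sinks make that reachable is not visible from this hunk, so if the imprecision is accepted it should be stated in the class documentation. I would extend the doc comment with `* The guard is not sound for objects without a prototype (e.g. created by `Object.create(null)`), where `"__proto__" in obj` is false.`, and fix the wording of the existing sentence to `* Since `"__proto__" in obj` and `"constructor" in obj` are true for most objects,`. The constructor's exclusion depends on `arePropertiesEnumerated`, which is defined outside this hunk, so the "same reason as in HasOwnPropertyGuard" comment would be easier to follow if it named that reason in one clause (the test is a lookup into the source object, not a check on the destination).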