hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

JS: Add test with non-guard sanitizer

Browse Source
This commit is contained in:
Asger Feldthaus
2020-02-21 12:56:00 +00:00
parent 83606e7b60
commit a195429471
4 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
View File

@@ -73,7 +73,8 @@ typeInferenceMismatch
| nested-props.js:43:13:43:20 | source() | nested-props.js:44:10:44:18 | id(obj).x |
| nested-props.js:67:31:67:38 | source() | nested-props.js:68:10:68:10 | x |
| nested-props.js:77:36:77:43 | source() | nested-props.js:78:10:78:10 | x |
| object-bypass-sanitizer.js:13:13:13:20 | source() | object-bypass-sanitizer.js:6:14:6:18 | x.foo |
| object-bypass-sanitizer.js:23:13:23:20 | source() | object-bypass-sanitizer.js:12:14:12:18 | x.foo |
| object-bypass-sanitizer.js:23:13:23:20 | source() | object-bypass-sanitizer.js:17:10:17:28 | sanitizer_id(x).foo |
| partialCalls.js:4:17:4:24 | source() | partialCalls.js:17:14:17:14 | x |
| partialCalls.js:4:17:4:24 | source() | partialCalls.js:20:14:20:14 | y |
| partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |

4
javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.ql
View File

@@ -33,6 +33,10 @@ class BasicConfig extends TaintTracking::Configuration {
node instanceof UntaintableNode
}
override predicate isSanitizer(DataFlow::Node node) {
node.(DataFlow::InvokeNode).getCalleeName().matches("sanitizer_%")
}
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
node instanceof BasicSanitizerGuard
}

3
javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
View File

@@ -47,6 +47,9 @@
| nested-props.js:35:13:35:20 | source() | nested-props.js:36:10:36:20 | doLoad(obj) |
| nested-props.js:43:13:43:20 | source() | nested-props.js:44:10:44:18 | id(obj).x |
| nested-props.js:67:31:67:38 | source() | nested-props.js:68:10:68:10 | x |
| object-bypass-sanitizer.js:21:7:21:14 | source() | object-bypass-sanitizer.js:15:10:15:24 | sanitizer_id(x) |
| object-bypass-sanitizer.js:23:13:23:20 | source() | object-bypass-sanitizer.js:16:10:16:28 | sanitizer_id(x.foo) |
| object-bypass-sanitizer.js:23:13:23:20 | source() | object-bypass-sanitizer.js:17:10:17:28 | sanitizer_id(x).foo |
| partialCalls.js:4:17:4:24 | source() | partialCalls.js:17:14:17:14 | x |
| partialCalls.js:4:17:4:24 | source() | partialCalls.js:20:14:20:14 | y |
| partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |

10
javascript/ql/test/library-tests/TaintTracking/object-bypass-sanitizer.js
View File

@@ -1,10 +1,20 @@
import * as dummy from 'dummy';
function sanitizer_id(x) {
if (really_complicated_reason(x))
return x;
return null;
}
function f(x) {
if (isSafe(x)) {
sink(x);
sink(x.foo); // NOT OK
}
sink(sanitizer_id(x)); // OK
sink(sanitizer_id(x.foo)); // OK
sink(sanitizer_id(x).foo); // NOT OK
}
function g() {