Removed taint from ArrayBuffer constructor as it accepts length

Napalys
2025-04-09 13:27:13 +02:00
parent 4bc3e9e736
commit a3e4e62eac
3 changed files with 17 additions and 33 deletions


@@ -40,18 +40,18 @@ legacyDataFlowDifference
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:22:10:22:13 | view | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:26:10:26:14 | view1 | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:30:10:30:23 | transferedView | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:34:10:34:24 | transferedView2 | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:46:10:46:12 | str | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:50:10:50:13 | str2 | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:48:10:48:12 | str | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:52:10:52:13 | str2 | only flow with NEW data flow library |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x | only flow with NEW data flow library |
consistencyIssue
| nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
| stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
| stringification-read-steps.js:25 | expected an alert, but found none | NOT OK | Consistency |
| typed-arrays.js:40 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
| typed-arrays.js:23 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
| typed-arrays.js:28 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
| typed-arrays.js:32 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
| typed-arrays.js:36 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
| typed-arrays.js:42 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
flow
| access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
| addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
@@ -342,12 +342,8 @@ flow
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:22:10:22:13 | view |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:26:10:26:14 | view1 |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:30:10:30:23 | transferedView |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:34:10:34:24 | transferedView2 |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:46:10:46:12 | str |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:50:10:50:13 | str2 |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:48:10:48:12 | str |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:52:10:52:13 | str2 |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x |
| xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |


@@ -17,21 +17,23 @@ function test() {
const sub = y.subarray(1, 3)
sink(sub); // NOT OK
const buffer = new ArrayBuffer(x);
const buffer = new ArrayBuffer(8);
const view = new Uint8Array(buffer);
sink(view); // NOT OK
view.set(x, 3);
sink(buffer); // NOT OK -- Should be flagged but it is not.
const sharedBuffer = new SharedArrayBuffer(x);
const sharedBuffer = new SharedArrayBuffer(8);
const view1 = new Uint8Array(sharedBuffer);
sink(view1); // NOT OK
view1.set(x, 3);
sink(sharedBuffer); // NOT OK -- Should be flagged but it is not.
const transfered = buffer.transfer();
const transferedView = new Uint8Array(transfered);
sink(transferedView); // NOT OK
sink(transferedView); // NOT OK -- Should be flagged but it is not.
const transfered2 = buffer.transferToFixedLength();
const transferedView2 = new Uint8Array(transfered2);
sink(transferedView2); // NOT OK
sink(transferedView2); // NOT OK -- Should be flagged but it is not.
var typedArrayToString = (function () {
return function (a) { return String.fromCharCode.apply(null, a); };
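Review bot: As far as the rendered section and the updated expected output show, nothing sinks `view` or `view1` after `view.set(x, 3)` / `view1.set(x, 3)` writes the tainted value, so the test records only the missed flow into `buffer` and `sharedBuffer` and not whether `set()` taints its receiver. Keeping `sink(view); // NOT OK` (and the `view1` equivalent) directly after each `set` call would pin that behaviour in the expected file, whichever way the library currently answers. The four `Should be flagged but it is not` comments mark accepted false negatives for buffer-backed data, and a one-line comment above `new ArrayBuffer(8)`, for example `// constructor argument is a byte length; taint enters only via view.set()`, would explain why the source moved. `test()` begins before this hunk and `typedArrayToString` continues past it.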