JS: Remove taint step from array element to whole array

2026-04-24 16:25:15 +02:00 · 2024-08-14 14:33:52 +02:00
parent 5084d0260f
commit ac1dd1850e
5 changed files with 30 additions and 22 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -260,6 +260,14 @@ module TaintTracking {
    )
  }

+  private class HeapLegacyTaintStep extends LegacyTaintStep {
+    override predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {
+      // arrays with tainted elements are tainted (in old data flow)
+      succ.(DataFlow::ArrayCreationNode).getAnElement() = pred and
+      not any(PromiseAllCreation call).getArrayNode() = succ
+    }
+  }
+
  /**
   * A taint propagating data flow edge through object or array elements and
   * promises.
@@ -274,10 +282,6 @@ module TaintTracking {
      // spreading a tainted value into an array literal gives a tainted array
      succ.(DataFlow::ArrayCreationNode).getASpreadArgument() = pred
      or
-      // arrays with tainted elements and objects with tainted property names are tainted
-      succ.(DataFlow::ArrayCreationNode).getAnElement() = pred and
-      not any(PromiseAllCreation call).getArrayNode() = succ
-      or
      // reading from a tainted object yields a tainted result
      succ.(DataFlow::PropRead).getBase() = pred and
      not (
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -1,5 +1,17 @@
 legacyDataFlowDifference
+| array-mutation.js:31:33:31:40 | source() | array-mutation.js:32:8:32:8 | h | only flow with OLD data flow library |
+| array-mutation.js:35:36:35:43 | source() | array-mutation.js:36:8:36:8 | i | only flow with OLD data flow library |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:27:8:27:13 | arr[0] | only flow with OLD data flow library |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:33:8:33:13 | arr[0] | only flow with OLD data flow library |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:35:8:35:13 | arr[2] | only flow with OLD data flow library |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:36:8:36:13 | arr[3] | only flow with OLD data flow library |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:37:8:37:13 | arr[4] | only flow with OLD data flow library |
 | bound-function.js:27:8:27:15 | source() | bound-function.js:30:10:30:10 | y | only flow with OLD data flow library |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:24:8:24:11 | arg1 | only flow with NEW data flow library |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:32:6:32:35 | foo1.ap ... e, ""]) | only flow with NEW data flow library |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:34:6:34:29 | foo1_ap ... e, ""]) | only flow with NEW data flow library |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:41:6:41:28 | foo1_ca ... ource]) | only flow with OLD data flow library |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:59:10:59:21 | arguments[1] | only flow with OLD data flow library |
 | call-apply.js:45:8:45:15 | source() | call-apply.js:55:6:55:13 | foo(obj) | only flow with NEW data flow library |
 | callbacks.js:37:17:37:24 | source() | callbacks.js:38:35:38:35 | x | only flow with NEW data flow library |
 | callbacks.js:37:17:37:24 | source() | callbacks.js:41:10:41:10 | x | only flow with NEW data flow library |
@@ -35,18 +47,11 @@ flow
 | array-mutation.js:19:18:19:25 | source() | array-mutation.js:20:8:20:8 | e |
 | array-mutation.js:23:13:23:20 | source() | array-mutation.js:24:8:24:8 | f |
 | array-mutation.js:27:16:27:23 | source() | array-mutation.js:28:8:28:8 | g |
-| array-mutation.js:31:33:31:40 | source() | array-mutation.js:32:8:32:8 | h |
-| array-mutation.js:35:36:35:43 | source() | array-mutation.js:36:8:36:8 | i |
 | array-mutation.js:39:17:39:24 | source() | array-mutation.js:40:8:40:8 | j |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:17:8:17:13 | arr[1] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:22:8:22:13 | arr[6] |
-| arrays-init.js:2:16:2:23 | source() | arrays-init.js:27:8:27:13 | arr[0] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:28:8:28:13 | arr[1] |
-| arrays-init.js:2:16:2:23 | source() | arrays-init.js:33:8:33:13 | arr[0] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:34:8:34:13 | arr[1] |
-| arrays-init.js:2:16:2:23 | source() | arrays-init.js:35:8:35:13 | arr[2] |
-| arrays-init.js:2:16:2:23 | source() | arrays-init.js:36:8:36:13 | arr[3] |
-| arrays-init.js:2:16:2:23 | source() | arrays-init.js:37:8:37:13 | arr[4] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:38:8:38:13 | arr[5] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:43:10:43:15 | arr[i] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:55:10:55:15 | arr[i] |
@@ -69,11 +74,8 @@ flow
 | call-apply.js:27:14:27:21 | source() | call-apply.js:24:8:24:11 | arg1 |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:29:6:29:32 | foo1.ca ... ce, "") |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:32:6:32:35 | foo1.ap ... e, ""]) |
-| call-apply.js:27:14:27:21 | source() | call-apply.js:33:6:33:35 | foo2.ap ... e, ""]) |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:34:6:34:29 | foo1_ap ... e, ""]) |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:40:6:40:28 | foo1_ca ... e, ""]) |
-| call-apply.js:27:14:27:21 | source() | call-apply.js:41:6:41:28 | foo1_ca ... ource]) |
-| call-apply.js:27:14:27:21 | source() | call-apply.js:59:10:59:21 | arguments[1] |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:62:10:62:21 | arguments[0] |
 | call-apply.js:45:8:45:15 | source() | call-apply.js:55:6:55:13 | foo(obj) |
 | call-apply.js:81:17:81:24 | source() | call-apply.js:78:8:78:11 | this |
--- a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
@@ -1,6 +1,8 @@
 legacyDataFlowDifference
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:38:8:38:13 | arr[5] | only flow with NEW data flow library |
 | bound-function.js:27:8:27:15 | source() | bound-function.js:30:10:30:10 | y | only flow with OLD data flow library |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:24:8:24:11 | arg1 | only flow with NEW data flow library |
+| call-apply.js:27:14:27:21 | source() | call-apply.js:32:6:32:35 | foo1.ap ... e, ""]) | only flow with NEW data flow library |
 | call-apply.js:27:14:27:21 | source() | call-apply.js:34:6:34:29 | foo1_ap ... e, ""]) | only flow with NEW data flow library |
 | call-apply.js:45:8:45:15 | source() | call-apply.js:55:6:55:13 | foo(obj) | only flow with NEW data flow library |
 | callbacks.js:37:17:37:24 | source() | callbacks.js:38:35:38:35 | x | only flow with NEW data flow library |
--- a/javascript/ql/test/library-tests/TaintTracking/arrays-init.js
+++ b/javascript/ql/test/library-tests/TaintTracking/arrays-init.js
@@ -24,17 +24,17 @@

  console.log("=== access by index (init by [...]) ===");
  var arr = [str, source];
-  sink(arr[0]);       // OK [INCONSISTENCY]
+  sink(arr[0]);       // OK
  sink(arr[1]);       // NOT OK
  sink(str);          // OK

  console.log("=== access by index (init by [...], array.lenght > 5) ===");
  var arr = [str, source, 'b', 'c', 'd', source];
-  sink(arr[0]);      // OK [INCONSISTENCY]
+  sink(arr[0]);      // OK
  sink(arr[1]);      // NOT OK
-  sink(arr[2]);      // OK [INCONSISTENCY]
-  sink(arr[3]);      // OK [INCONSISTENCY]
-  sink(arr[4]);      // OK [INCONSISTENCY]
+  sink(arr[2]);      // OK
+  sink(arr[3]);      // OK
+  sink(arr[4]);      // OK
  sink(arr[5]);      // NOT OK

  console.log("=== access in for (init by [...]) ===");
--- a/javascript/ql/test/library-tests/TaintTracking/call-apply.js
+++ b/javascript/ql/test/library-tests/TaintTracking/call-apply.js
@@ -30,7 +30,7 @@ sink(foo1.call(null, source, "")); // NOT OK
 sink(foo2.call(null, source, "")); // OK

 sink(foo1.apply(null, [source, ""])); // NOT OK
-sink(foo2.apply(null, [source, ""])); // OK [INCONSISTENCY]
+sink(foo2.apply(null, [source, ""])); // OK
 sink(foo1_apply([source, ""])); // NOT OK

 foo1_apply_sink([source, ""]); // This works, because we don't need a return after a call (the sink is inside the called function).
@@ -38,7 +38,7 @@ foo1_apply_sink([source, ""]); // This works, because we don't need a return aft
 sink(foo1_apply.apply(["", source])); // OK

 sink(foo1_call([source, ""])); // NOT OK
-sink(foo1_call(["", source])); // OK [INCONSISTENCY]
+sink(foo1_call(["", source])); // OK


 var obj = {
@@ -56,7 +56,7 @@ sink(foo(obj)); // NOT OK

 function argumentsObject() {
  function sinkArguments1() {
-    sink(arguments[1]); // OK [INCONSISTENCY]
+    sink(arguments[1]); // OK
  }
  function sinkArguments0() {
    sink(arguments[0]); // NOT OK