JS: Remove taint step from array element to whole array

This commit is contained in:
Asger F
2024-08-14 14:33:52 +02:00
parent 5084d0260f
commit ac1dd1850e
5 changed files with 30 additions and 22 deletions


@@ -260,6 +260,14 @@ module TaintTracking {
)
}
private class HeapLegacyTaintStep extends LegacyTaintStep {
override predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {
// arrays with tainted elements are tainted (in old data flow)
succ.(DataFlow::ArrayCreationNode).getAnElement() = pred and
not any(PromiseAllCreation call).getArrayNode() = succ
}
}
/**
* A taint propagating data flow edge through object or array elements and
* promises.
@@ -274,10 +282,6 @@ module TaintTracking {
// spreading a tainted value into an array literal gives a tainted array
succ.(DataFlow::ArrayCreationNode).getASpreadArgument() = pred
or
// arrays with tainted elements and objects with tainted property names are tainted
succ.(DataFlow::ArrayCreationNode).getAnElement() = pred and
not any(PromiseAllCreation call).getArrayNode() = succ
or
// reading from a tainted object yields a tainted result
succ.(DataFlow::PropRead).getBase() = pred and
not (
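Review bot: The new `HeapLegacyTaintStep` class in the first hunk carries no QLDoc, and its only comment ("arrays with tainted elements are tainted (in old data flow)") does not say why the element-to-whole-array step is now kept for the legacy step alone while the same step is deleted from the shared heap step in the second hunk. Readers of a legacy-only step need that rationale to know whether a missing result in the new data flow is intended or a regression, so I would add a QLDoc above the class along the lines of `/** A legacy taint step that treats an array literal as tainted when one of its elements is; the non-legacy data flow does not propagate this way, so this step is only retained for the old taint-tracking configurations. */` and, if the retained `not any(PromiseAllCreation call).getArrayNode() = succ` exclusion still matters for the legacy step, a one-line comment stating what it prevents. Presumably the replacement in the new data flow is content-based tracking of the array element, but that is not visible in these hunks, so the QLDoc should state it only if it holds. The enclosing `module TaintTracking` and the predicate in the second hunk both continue outside the visible lines.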