JS: Add: String.protytpe.toWellFormed to StringManipulationTaintStep

2026-04-26 17:25:19 +02:00 · 2024-11-20 17:42:25 +01:00
parent 09f73d8d6f
commit afc2d3e6d2
3 changed files with 9 additions and 5 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -612,7 +612,7 @@ module TaintTracking {
                "italics", "link", "padEnd", "padStart", "repeat", "replace", "replaceAll", "slice",
                "small", "split", "strike", "sub", "substr", "substring", "sup",
                "toLocaleLowerCase", "toLocaleUpperCase", "toLowerCase", "toUpperCase", "trim",
-                "trimLeft", "trimRight"
+                "trimLeft", "trimRight", "toWellFormed"
              ]
            or
            // sorted, interesting, properties of Object.prototype
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -209,6 +209,10 @@ typeInferenceMismatch
 | static-capture-groups.js:2:17:2:24 | source() | static-capture-groups.js:27:14:27:22 | RegExp.$1 |
 | static-capture-groups.js:32:17:32:24 | source() | static-capture-groups.js:38:10:38:18 | RegExp.$1 |
 | static-capture-groups.js:42:12:42:19 | source() | static-capture-groups.js:43:14:43:22 | RegExp.$1 |
+| string-immutable-operations.js:2:13:2:20 | source() | string-immutable-operations.js:3:10:3:25 | x.toWellFormed() |
+| string-immutable-operations.js:2:13:2:20 | source() | string-immutable-operations.js:6:10:6:20 | wellFormedX |
+| string-immutable-operations.js:2:13:2:20 | source() | string-immutable-operations.js:9:10:9:26 | concatWellFormedX |
+| string-immutable-operations.js:11:10:11:17 | source() | string-immutable-operations.js:11:10:11:32 | source( ... ormed() |
 | string-replace.js:3:13:3:20 | source() | string-replace.js:14:10:14:13 | data |
 | string-replace.js:3:13:3:20 | source() | string-replace.js:18:10:18:13 | data |
 | string-replace.js:3:13:3:20 | source() | string-replace.js:21:6:21:41 | safe(). ...  taint) |
--- a/javascript/ql/test/library-tests/TaintTracking/string-immutable-operations.js
+++ b/javascript/ql/test/library-tests/TaintTracking/string-immutable-operations.js
@@ -1,12 +1,12 @@
 function test() {
    let x = source();
-    sink(x.toWellFormed()); // NOT OK -- Currently not tainted, but should be
+    sink(x.toWellFormed()); // NOT OK

    const wellFormedX = x.toWellFormed();
-    sink(wellFormedX); // NOT OK -- Currently not tainted, but should be
+    sink(wellFormedX); // NOT OK

    const concatWellFormedX = "/" + wellFormedX + "!";
-    sink(concatWellFormedX); // NOT OK -- Currently not tainted, but should be
+    sink(concatWellFormedX); // NOT OK

-    sink(source().toWellFormed()); // NOT OK -- Currently not tainted, but should be
+    sink(source().toWellFormed()); // NOT OK
 }