Merge branch 'main' into js/move-cors-query-from-experimental

2026-04-19 05:54:00 +02:00 · 2025-09-05 12:11:09 +02:00
parent d8c4d6deb4 e719dd912d
commit b2feaaceea
106 changed files with 14432 additions and 8745 deletions
--- a/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll
@@ -76,7 +76,7 @@ module TaintedUrlSuffix {
    //
    //   x [tainted-url-suffix] --> x.split('#') [array element 1] [taint]
    //
-    // Technically we should also preverse tainted-url-suffix when entering the first array element of such
+    // Technically we should also preserve tainted-url-suffix when entering the first array element of such
    // a split, but this mostly leads to FPs since we currently don't track if the taint has been through URI-decoding.
    // (The query/fragment parts are often URI-decoded in practice, but not the other URL parts are not)
    state1.isTaintedUrlSuffix() and
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
@@ -10,6 +10,7 @@

 import javascript
 import RemotePropertyInjectionCustomizations::RemotePropertyInjection
+private import semmle.javascript.DynamicPropertyAccess

 /**
 * A taint-tracking configuration for reasoning about remote property injection.
@@ -24,6 +25,10 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
    node = StringConcatenation::getRoot(any(ConstantString str).flow())
  }

+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1 = node2.(EnumeratedPropName).getSourceObject()
+  }
+
  predicate observeDiffInformedIncrementalMode() { any() }
 }