hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15893 from erik-krogh/more-filter-taint

Browse Source 
JS: allow more flow through .filter()
This commit is contained in:
Erik Krogh Kristensen
2024-03-13 16:19:28 +01:00
committed by GitHub
parent 53502a8662 129286aa1c
commit bd121b98ae
4 changed files with 61 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
javascript/ql/lib/semmle/javascript/Arrays.qll
View File

@@ -36,7 +36,8 @@ module ArrayTaintTracking {
succ = call
)
or
// `array.filter(x => x)` and `array.filter(x => !!x)` keeps the taint
// `array.filter(x => x)` and `array.filter(x => !<something>)` keeps the taint
// the latter is assumed to filter away only specific values, thus keeping the taint
call.(DataFlow::MethodCallNode).getMethodName() = "filter" and
pred = call.getReceiver() and
succ = call and
@@ -47,7 +48,7 @@ module ArrayTaintTracking {
|
param = ret
or
param = DataFlow::exprNode(ret.asExpr().(LogNotExpr).getOperand().(LogNotExpr).getOperand())
ret.asExpr() instanceof LogNotExpr
)
or
// `array.reduce` with tainted value in callback