add taint step through flatten libraries

2026-04-30 19:26:02 +02:00 · 2021-07-15 12:36:07 +02:00
parent 77f4d56cd9
commit d2c74480b9
4 changed files with 26 additions and 1 deletions
--- a/javascript/change-notes/2021-07-15-array-libs.md
+++ b/javascript/change-notes/2021-07-15-array-libs.md
@@ -8,4 +8,8 @@ lgtm,codescanning
    [array-ify](https://npmjs.com/package/array-ify),
    [array-union](https://npmjs.com/package/array-union),
    [array-uniq](https://npmjs.com/package/array-uniq),
-    [uniq](https://npmjs.com/package/uniq)
+    [uniq](https://npmjs.com/package/uniq),
+    [array-flatten](https://npmjs.com/package/array-flatten),
+    [arr-flatten](https://npmjs.com/package/arr-flatten),
+    [flatten](https://npmjs.com/package/flatten),
+    [array.prototype.flat](https://npmjs.com/package/array.prototype.flat)
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -389,4 +389,21 @@ private module ArrayLibraries {
      )
    }
  }
+
+  /**
+   * A taint step through a call to `Array.prototype.flat` or a polyfill implementing array flattening.
+   */
+  private class ArrayFlatStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(DataFlow::CallNode call | succ = call |
+        call.(DataFlow::MethodCallNode).getMethodName() = "flat" and
+        pred = call.getReceiver()
+        or
+        call =
+          API::moduleImport(["array-flatten", "arr-flatten", "flatten", "array.prototype.flat"])
+              .getACall() and
+        pred = call.getAnArgument()
+      )
+    }
+  }
 }
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -15,6 +15,7 @@ typeInferenceMismatch
 | arrays.js:2:15:2:22 | source() | arrays.js:5:10:5:20 | arrify(foo) |
 | arrays.js:2:15:2:22 | source() | arrays.js:8:10:8:22 | arrayIfy(foo) |
 | arrays.js:2:15:2:22 | source() | arrays.js:11:10:11:28 | union(["bla"], foo) |
+| arrays.js:2:15:2:22 | source() | arrays.js:14:10:14:18 | flat(foo) |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:13:10:13:10 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:19:10:19:10 | x |
--- a/javascript/ql/test/library-tests/TaintTracking/arrays.js
+++ b/javascript/ql/test/library-tests/TaintTracking/arrays.js
@@ -9,4 +9,7 @@ function test() {

    const union = require("array-union");
    sink(union(["bla"], foo)); // NOT OK
+
+    const flat = require("arr-flatten");
+    sink(flat(foo)); // NOT OK
 }