hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add taint flow for Commander.js direct property access and action callbacks

Browse Source
This commit is contained in:
Napalys Klicius
2025-08-01 13:24:19 +02:00
parent 39170f327c
commit d6508f34b6
3 changed files with 24 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll
View File

@@ -96,8 +96,17 @@ private class ArgsParseStep extends TaintTracking::SharedTaintStep {
)
or
exists(API::Node commanderNode | commanderNode = commander() |
pred = commanderNode.getMember("parse").getACall().getAnArgument() and
succ = commanderNode.getMember("opts").getACall()
pred = commanderNode.getMember(["parse", "parseAsync"]).getACall().getAnArgument() and
succ =
[
commanderNode.getMember("opts").getACall(), commanderNode.getAMember().asSource(),
commander()
.getMember("action")
.getACall()
.getArgument(0)
.(DataFlow::FunctionNode)
.getAParameter()
]
)
or
exists(DataFlow::MethodCallNode methodCall | methodCall = yargs() |