diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst
index 7fc5ffd56af..cb99bd2a676 100644
--- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst
+++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst
@@ -439,23 +439,24 @@ additional taint step from the first argument of ``resolveSymlinks`` to its resu
 }
 We might even consider adding this as a default taint step to be used by all taint-tracking configurations. In order to do this, we need
-to wrap it in a new subclass of ``TaintTracking::AdditionalTaintStep`` like this:
+to wrap it in a new subclass of ``TaintTracking::SharedTaintStep`` like this:
 .. code-block:: ql
- class StepThroughResolveSymlinks extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
- StepThroughResolveSymlinks() { this = DataFlow::moduleImport("resolve-symlinks").getACall() }
-
+ class StepThroughResolveSymlinks extends TaintTracking::SharedTaintStep {
 override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
- pred = this.getArgument(0) and
- succ = this
+ exists(DataFlow::CallNode c |
+ c = DataFlow::moduleImport("resolve-symlinks").getACall() and
+ pred = c.getArgument(0) and
+ succ = c
+ )
 }
 }
 If we add this definition to the standard library, it will be picked up by all taint-tracking configurations. Obviously, one has to be careful when adding such new additional taint steps to ensure that they really make sense for `all` configurations.
-Analogous to ``TaintTracking::AdditionalTaintStep``, there is also a class ``DataFlow::AdditionalFlowStep`` that can be extended to add
+Analogous to ``TaintTracking::SharedTaintStep``, there is also a class ``DataFlow::AdditionalFlowStep`` that can be extended to add
 extra steps to all data-flow configurations, and hence also to all taint-tracking configurations.
 Exercises
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutingAssignment.qll b/javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutingAssignment.qll
index 92f61f4ae8f..85dde941e37 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutingAssignment.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutingAssignment.qll
@@ -100,7 +100,7 @@ module PrototypePollutingAssignment {
 // users wouldn't bother to call Object.create in that case.
 result = DataFlow::globalVarRef("Object").getAMemberCall("create")
 or
- // Allow use of AdditionalFlowSteps and AdditionalTaintSteps to track a bit further
+ // Allow use of AdditionalFlowSteps to track a bit further
 exists(DataFlow::Node mid |
 prototypeLessObject(t.continue()).flowsTo(mid) and
 any(DataFlow::AdditionalFlowStep s).step(mid, result)
diff --git a/javascript/ql/test/tutorials/Analyzing data flow in JavaScript/Global data flow/query5.ql b/javascript/ql/test/tutorials/Analyzing data flow in JavaScript/Global data flow/query5.ql
index ee55f91d23e..6d9261b9786 100644
--- a/javascript/ql/test/tutorials/Analyzing data flow in JavaScript/Global data flow/query5.ql
+++ b/javascript/ql/test/tutorials/Analyzing data flow in JavaScript/Global data flow/query5.ql
@@ -1,11 +1,12 @@
 import javascript
-class StepThroughResolveSymlinks extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
- StepThroughResolveSymlinks() { this = DataFlow::moduleImport("resolve-symlinks").getACall() }
-
+class StepThroughResolveSymlinks extends TaintTracking::SharedTaintStep {
 override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
- pred = this.getArgument(0) and
- succ = this
+ exists(DataFlow::CallNode c |
+ c = DataFlow::moduleImport("resolve-symlinks").getACall() and
+ pred = c.getArgument(0) and
+ succ = c
+ )
 }
 }
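Review bot: The rewritten comment above the `exists(DataFlow::Node mid | ...)` disjunct now only names AdditionalFlowSteps, but it still does not say why the new `TaintTracking::SharedTaintStep` (which this same commit introduces elsewhere) is deliberately not consulted here, even though the rest of the diff replaces every other mention of AdditionalTaintStep with it. Since this disjunct extends `prototypeLessObject` by following a step from `mid` to `result`, following taint steps would presumably let a value that is merely derived from the prototype-less object (rather than the object itself) be treated as one, which would weaken the sink check; if that is the intent, stating it keeps the next person from "fixing" the omission. I would change the comment to `// Only follow AdditionalFlowSteps here (not shared taint steps): this tracks the identity of the prototype-less object, and a taint step would not preserve it`. The predicate this disjunct belongs to starts and ends outside the hunk, so the reasoning should be confirmed against its header and the other disjuncts.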