hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

JS: Address review comments

Browse Source
This commit is contained in:
Asger Feldthaus
2020-01-14 10:30:28 +00:00
parent 2c05ee8ab8
commit d76859b7df
3 changed files with 27 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.qhelp
View File

@@ -41,8 +41,8 @@
<sample src="examples/PrototypePollutionUtility.js"/> <sample src="examples/PrototypePollutionUtility.js"/>
<p> <p>
However, if <code>src</code> is the object <code>{"__proto__": {"xxx": true}}</code>, However, if <code>src</code> is the object <code>{"__proto__": {"isAdmin": true}}</code>,
it will inject the property <code>xxx: true</code> in in <code>Object.prototype</code>. it will inject the property <code>isAdmin: true</code> in in <code>Object.prototype</code>.
</p> </p>
<p> <p>

8
javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
View File

@@ -226,7 +226,13 @@ class UnsafePropLabel extends FlowLabel {
* *
* Note that in the above example, the flow from `key` to the base of the write (`dst`) * Note that in the above example, the flow from `key` to the base of the write (`dst`)
* requires stepping through the recursive call. * requires stepping through the recursive call.
* Such a path would be absent for a shallow copying operation. * Such a path would be absent for a shallow copying operation, where the `dst` object
* isn't derived from a property of the source object.
*
* This configuration can't enforce that all three paths must end at the same
* dynamic property write, so we treat the paths independently here and check
* for coinciding paths afterwards. This means this configuration can't be used as
* a standalone configuration like in most path queries.
*/ */
class PropNameTracking extends DataFlow::Configuration { class PropNameTracking extends DataFlow::Configuration {
PropNameTracking() { this = "PropNameTracking" } PropNameTracking() { this = "PropNameTracking" }

18
javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll
View File

@@ -35,6 +35,24 @@ module GlobalAccessPath {
} }
} }
/**
* Provides predicates for associating access paths with data flow nodes.
*
* For example, `AccessPath.getAReferenceTo(x)` can be used to obtain the global access path
* that `x` refers to, as in the following sample:
* ```
* function f() {
* let v = foo.bar; // reference to 'foo.bar'
* v.baz; // reference to 'foo.bar.baz'
* }
*
* (function(ns) {
* ns.x; // reference to 'NS.x'
* })(NS = NS || {});
* ```
*
* A pseudo-property named `[number]` is sometimes used to represent array indices within an access path.
*/
module AccessPath { module AccessPath {
/** /**
* A source node that can be the root of an access path. * A source node that can be the root of an access path.