JS: Convert 'split' taint step to legacy taint step

2026-04-26 09:15:12 +02:00 · 2024-09-10 15:21:24 +02:00
parent 133b016c7c
commit da696817a3
1 changed files with 12 additions and 3 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -356,6 +356,16 @@ module TaintTracking {
    }
  }

+  private class LegacySplitTaintStep extends LegacyTaintStep {
+    override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node target) {
+      exists(DataFlow::MethodCallNode call |
+        call.getMethodName() = "split" and
+        pred = call.getReceiver() and
+        target = call
+      )
+    }
+  }
+
  /**
   * A taint propagating data flow edge arising from string manipulation
   * functions defined in the standard library.
@@ -372,9 +382,8 @@ module TaintTracking {
              [
                "anchor", "big", "blink", "bold", "concat", "fixed", "fontcolor", "fontsize",
                "italics", "link", "padEnd", "padStart", "repeat", "replace", "replaceAll", "slice",
-                "small", "split", "strike", "sub", "substr", "substring", "sup",
-                "toLocaleLowerCase", "toLocaleUpperCase", "toLowerCase", "toUpperCase", "trim",
-                "trimLeft", "trimRight"
+                "small", "strike", "sub", "substr", "substring", "sup", "toLocaleLowerCase",
+                "toLocaleUpperCase", "toLowerCase", "toUpperCase", "trim", "trimLeft", "trimRight"
              ]
            or
            // sorted, interesting, properties of Object.prototype