hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 08:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Restrict "get" step to Map objects

Browse Source
This commit is contained in:
Asger F
2025-01-06 13:17:32 +01:00
parent 4c9f406e34
commit e2af19b946
1 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll
View File

@@ -24,6 +24,17 @@ deprecated private class ConcreteMaybeFromProto extends MaybeFromProto {
ConcreteMaybeFromProto() { this = this }
}
/** Gets a data flow node referring to an instance of `Map`. */
private DataFlow::SourceNode mapObject(DataFlow::TypeTracker t) {
t.start() and
result = DataFlow::globalVarRef("Map").getAnInstantiation()
or
exists(DataFlow::TypeTracker t2 | result = mapObject(t2).track(t2, t))
}
/** Gets a data flow node referring to an instance of `Map`. */
private DataFlow::SourceNode mapObject() { result = mapObject(DataFlow::TypeTracker::end()) }
/**
* A taint-tracking configuration for reasoning about unvalidated dynamic method calls.
*/
@@ -67,7 +78,9 @@ module UnvalidatedDynamicMethodCallConfig implements DataFlow::StateConfigSig {
not PropertyInjection::hasUnsafeMethods(read.getBase().getALocalSource())
)
or
exists(DataFlow::SourceNode base, DataFlow::CallNode get | get = base.getAMethodCall("get") |
exists(DataFlow::CallNode get |
get = mapObject().getAMethodCall("get") and
get.getNumArgument() = 1 and
node1 = get.getArgument(0) and
node2 = get
) and