hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 08:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Comment about manually applying taint steps

Browse Source
This commit is contained in:
Asger F
2024-03-13 12:26:56 +01:00
parent 406b080ce3
commit ea4bc9cdbb
2 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
View File

@@ -43,6 +43,8 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig {
) {
TaintedObject::step(src, trg, inlbl, outlbl)
or
// We're not using a taint-tracking config because taint steps would then apply to all flow states.
// So we use a plain data flow config and manually add the default taint steps.
inlbl.isTaint() and
TaintTracking::defaultTaintStep(src, trg) and
inlbl = outlbl

2
javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll
View File

@@ -39,6 +39,8 @@ module TemplateObjectInjectionConfig implements DataFlow::StateConfigSig {
) {
TaintedObject::step(src, trg, inlbl, outlbl)
or
// We're not using a taint-tracking config because taint steps would then apply to all flow states.
// So we use a plain data flow config and manually add the default taint steps.
inlbl.isTaint() and
TaintTracking::defaultTaintStep(src, trg) and
inlbl = outlbl