JS: add support for dis- and conjunctions in SanitizingFunction

2026-04-28 18:25:24 +02:00 · 2018-11-12 10:23:52 +01:00
parent ffc3d6ba49
commit eaad84bb4f
4 changed files with 12 additions and 3 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -824,6 +824,12 @@ module TaintTracking {
      exists(Expr e |
        exists(Expr returnExpr |
          returnExpr = sanitizer.asExpr()
+          or
+          // ad hoc support for conjunctions:
+          returnExpr.(LogAndExpr).getAnOperand() = sanitizer.asExpr() and sanitizerOutcome = true
+          or
+          // ad hoc support for disjunctions:
+          returnExpr.(LogOrExpr).getAnOperand() = sanitizer.asExpr() and sanitizerOutcome = false
          |
          exists(SsaExplicitDefinition ssa |
            ssa.getDef().getSource() = returnExpr and