hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

JavaScript: Track flow into (simple) higher-order function calls.

Browse Source 
The only case we support for now are functions that invoke one of their arguments, passing another argument as input.
This commit is contained in:
Max Schaefer
2019-01-11 08:05:54 +00:00
parent 414ab8ea8c
commit edc5117dfd
7 changed files with 92 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
javascript/ql/test/library-tests/InterProceduralFlow/DataFlow.expected
View File

@@ -1,6 +1,7 @@
| a.js:1:15:1:23 | "tainted" | b.js:4:13:4:40 | whoKnow ... Tainted |
| a.js:1:15:1:23 | "tainted" | b.js:6:13:6:13 | x |
| a.js:2:15:2:28 | "also tainted" | b.js:5:13:5:29 | notTaintedTrustMe |
| callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
| destructuring.js:2:16:2:24 | "tainted" | destructuring.js:9:15:9:22 | tainted2 |
| destructuring.js:19:15:19:23 | "tainted" | destructuring.js:14:15:14:15 | p |
| destructuring.js:20:15:20:28 | "also tainted" | destructuring.js:15:15:15:15 | r |

1
javascript/ql/test/library-tests/InterProceduralFlow/GermanFlow.expected
View File

@@ -1,6 +1,7 @@
| a.js:1:15:1:23 | "tainted" | b.js:4:13:4:40 | whoKnow ... Tainted |
| a.js:1:15:1:23 | "tainted" | b.js:6:13:6:13 | x |
| a.js:2:15:2:28 | "also tainted" | b.js:5:13:5:29 | notTaintedTrustMe |
| callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
| custom.js:1:14:1:26 | "verschmutzt" | custom.js:2:15:2:20 | quelle |
| destructuring.js:2:16:2:24 | "tainted" | destructuring.js:9:15:9:22 | tainted2 |
| destructuring.js:19:15:19:23 | "tainted" | destructuring.js:14:15:14:15 | p |

2
javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected
View File

@@ -1,6 +1,8 @@
| a.js:1:15:1:23 | "tainted" | b.js:4:13:4:40 | whoKnow ... Tainted |
| a.js:1:15:1:23 | "tainted" | b.js:6:13:6:13 | x |
| a.js:2:15:2:28 | "also tainted" | b.js:5:13:5:29 | notTaintedTrustMe |
| callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
| callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
| destructuring.js:2:16:2:24 | "tainted" | destructuring.js:5:14:5:20 | tainted |
| destructuring.js:2:16:2:24 | "tainted" | destructuring.js:9:15:9:22 | tainted2 |
| destructuring.js:19:15:19:23 | "tainted" | destructuring.js:14:15:14:15 | p |

23
javascript/ql/test/library-tests/InterProceduralFlow/callback.js Normal file
View File

@@ -0,0 +1,23 @@
function call(f, x) {
return f(x);
}
function map(f, xs) {
const res = [];
for (let i=0;i<xs.length;++i)
res[i] = f(xs[i]);
return res;
}
function store(x) {
let sink = x;
}
let source = "source";
let source2 = "source2";
call(store, source);
call(store, confounder); // call with different argument to make sure the call graph builder
// doesn't resolve the call on line 2 for us
map(store, [source2]);
// semmle-extractor-options: --source-type module