Merge rc/1.18 into master.

2026-05-04 05:05:12 +02:00 · 2018-09-05 15:32:30 +01:00
parent 5fcd663e9f 43e1e62d3a
commit f27945216f
145 changed files with 620 additions and 373 deletions
--- a/javascript/ql/src/semmle/javascript/AST.qll
+++ b/javascript/ql/src/semmle/javascript/AST.qll
@@ -208,6 +208,11 @@ class TopLevel extends @toplevel, StmtContainer {
  override string toString() {
    result = "<toplevel>"
  }
+
+  override predicate isAmbient() {
+    getFile().getFileType().isTypeScript() and
+    getFile().getBaseName().matches("%.d.ts")
+  }
 }

 /**
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -214,6 +214,9 @@ module TaintTracking {
          m.getMethodName() = "map" and
          m.getArgument(0) = f and // Require the argument to be a closure to avoid spurious call/return flow
          pred = f.getAReturnedExpr().flow())
+        or
+        // `array.push(e)`: if `e` is tainted, then so is `array`
+        succ.(DataFlow::SourceNode).getAMethodCall("push").getAnArgument() = pred
      )
      or
      // reading from a tainted object yields a tainted result
@@ -508,6 +511,19 @@ module TaintTracking {
    }
  }

+  /**
+   * A taint propagating data flow edge arising from sorting.
+   */
+  private class SortTaintStep extends AdditionalTaintStep, DataFlow::MethodCallNode {
+    SortTaintStep() {
+      getMethodName() = "sort"
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getReceiver() and succ = this
+    }
+  }
+
  /**
   * A conditional checking a tainted string against a regular expression, which is
   * considered to be a sanitizer for all configurations.