JavaScript: Respect barriers on return edges.

2026-04-28 18:25:24 +02:00 · 2018-08-29 15:36:11 +01:00
parent 18a74a2163
commit f3239cbec9
4 changed files with 29 additions and 6 deletions
--- a/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.ql
+++ b/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.ql
@@ -22,6 +22,12 @@ class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
  override predicate isSanitizer(DataFlow::Node src, DataFlow::Node snk) {
    src = src and
    snk.asExpr().(PropAccess).getPropertyName() = "notTracked"
+    or
+    exists (Function f |
+      f.getName().matches("%noReturnTracking%") and
+      src = f.getAReturnedExpr().flow() and
+      snk.(DataFlow::InvokeNode).getACallee() = f
+    )
  }
 }