JS: Support barrier guards that are reflective calls

This commit is contained in:
Asger F
2019-11-01 15:22:03 +00:00
parent d6158427c5
commit f48d16fcb7
6 changed files with 42 additions and 3 deletions


@@ -75,6 +75,8 @@ typeInferenceMismatch
| sanitizer-guards.js:13:14:13:21 | source() | sanitizer-guards.js:15:10:15:15 | this.x |
| sanitizer-guards.js:13:14:13:21 | source() | sanitizer-guards.js:21:14:21:19 | this.x |
| sanitizer-guards.js:13:14:13:21 | source() | sanitizer-guards.js:26:9:26:14 | this.x |
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:45:8:45:8 | x |
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:48:10:48:10 | x |
| spread.js:2:15:2:22 | source() | spread.js:4:8:4:19 | { ...taint } |
| spread.js:2:15:2:22 | source() | spread.js:5:8:5:43 | { f: 'h ... orld' } |
| spread.js:2:15:2:22 | source() | spread.js:7:8:7:19 | [ ...taint ] |


@@ -1,7 +1,11 @@
import javascript
import semmle.javascript.dataflow.InferredTypes
DataFlow::CallNode getACall(string name) { result.getCalleeName() = name }
DataFlow::CallNode getACall(string name) {
result.getCalleeName() = name
or
result.getCalleeNode().getALocalSource() = DataFlow::globalVarRef(name)
}
class Sink extends DataFlow::Node {
Sink() { this = getACall("sink").getAnArgument() }
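Review bot: The new disjunct in getACall (`result.getCalleeNode().getALocalSource() = DataFlow::globalVarRef(name)`) has no QLDoc saying why it is needed next to the existing getCalleeName match; judging by the commit title it is presumably what lets a reflective invocation such as `isSafe.call(...)` in the test resolve to the `isSafe` global, but a reader of this test library cannot tell that from the predicate. A one-line QLDoc above it would do: `/** Gets a call to the global function `name`, including calls whose callee is resolved to that global through local flow (e.g. a reflective call). */`. Note that matching on the callee's local source is also wider than the name match — a call through a local alias of the global would presumably match too — so if that is intended it is worth stating in the same comment.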


@@ -50,6 +50,9 @@
| sanitizer-guards.js:13:14:13:21 | source() | sanitizer-guards.js:15:10:15:15 | this.x |
| sanitizer-guards.js:13:14:13:21 | source() | sanitizer-guards.js:21:14:21:19 | this.x |
| sanitizer-guards.js:13:14:13:21 | source() | sanitizer-guards.js:26:9:26:14 | this.x |
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:45:8:45:8 | x |
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:48:10:48:10 | x |
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:52:10:52:10 | x |
| thisAssignments.js:4:17:4:24 | source() | thisAssignments.js:5:10:5:18 | obj.field |
| thisAssignments.js:7:19:7:26 | source() | thisAssignments.js:8:10:8:20 | this.field2 |
| tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |


@@ -38,3 +38,17 @@ class C {
});
}
}
function reflective() {
let x = source();
sink(x); // NOT OK
if (isSafe.call(x)) {
sink(x); // NOT OK - `isSafe` does not sanitize the receiver
}
if (isSafe.call(null, x)) {
sink(x); // OK
}
}
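Review bot: The new `reflective` test only exercises the `.call` form of a reflective guard, while the commit title claims support for reflective calls in general; `.apply` is the obvious sibling and is not covered, so a regression in the apply case would go unnoticed by this test. Adding one more branch after the `isSafe.call(null, x)` block would pin it: `if (isSafe.apply(null, [x])) {` / `  sink(x); // OK` / `}`. It would also be worth a negated branch, `if (!isSafe.call(null, x)) { sink(x); } // NOT OK`, to confirm the guard is only applied on the true edge — unless the existing non-reflective cases earlier in this file already cover negation, which I cannot see from this hunk.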