use strings in isTypeofGard

Erik Krogh Kristensen
2020-12-22 13:26:49 +01:00
parent df95562f8f
commit f7f88689c4
9 changed files with 27 additions and 30 deletions


@@ -396,18 +396,18 @@ class InstanceOfGuard extends DataFlow::LabeledBarrierGuardNode, DataFlow::Value
class TypeofGuard extends DataFlow::LabeledBarrierGuardNode, DataFlow::ValueNode {
override EqualityTest astNode;
Expr operand;
InferredType type;
TypeofTag tag;
TypeofGuard() { TaintTracking::isTypeofGuard(astNode, operand, type) }
TypeofGuard() { TaintTracking::isTypeofGuard(astNode, operand, tag) }
override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
e = operand and
outcome = astNode.getPolarity() and
(
type = TTObject() and
tag = "object" and
label = "constructor"
or
type = TTFunction() and
tag = "function" and
label = "__proto__"
)
or
@@ -416,10 +416,10 @@ class TypeofGuard extends DataFlow::LabeledBarrierGuardNode, DataFlow::ValueNode
(
// If something is not an object, sanitize object, as both must end
// in non-function prototype object.
type = TTObject() and
tag = "object" and
label instanceof UnsafePropLabel
or
type = TTFunction() and
tag = "function" and
label = "constructor"
)
}
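Review bot: The positive-polarity branch of `blocks` in the first hunk pairs `tag = "object"` with `label = "constructor"` and `tag = "function"` with `label = "__proto__"` without any comment, while the negated branch in the second hunk has one. If the intent is that an "object" result rules out a function value, I would add `// typeof is "object": the value is not a function, so the "constructor" label cannot apply` and the matching line for `"function"` / `"__proto__"`. Because the match is now on a string literal rather than `TTObject()` / `TTFunction()`, a misspelt tag would presumably just never match instead of failing to compile, and the barrier would silently stop applying. It is worth confirming that the query's tests cover both polarities for both tags. The lines of `blocks` between the two hunks, where the second disjunct's outcome is set, are not shown here.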