hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 03:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

handlebars taint step: conservatively assume unknown templates have no flow to helpers

Browse Source
This commit is contained in:
Stephan Brandauer
2022-04-13 09:27:59 +02:00
parent 2cbb25acaa
commit fb66ccff39
3 changed files with 8 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
javascript/ql/lib/semmle/javascript/frameworks/Handlebars.qll
View File

@@ -135,21 +135,12 @@ private module HandlebarsTaintSteps {
DataFlow::FunctionNode helperFunction
|
templatingCall = compiledTemplate(compileCall).getACall() and
(
exists(string templateText, string paramName, int argIdx |
compileCall.getArgument(0).mayHaveStringValue(templateText)
|
pred =
templatingCall.getArgument(0).getALocalSource().getAPropertyWrite(paramName).getRhs() and
isTemplateHelperCallArg(templateText, helperName, argIdx, paramName) and
succ = getRegisteredHelperParam(helperName, helperFunction, argIdx)
)
or
// When we don't have a string value, we can't be sure
// and we assume a step to all parameters of all helpers.
not exists(string s | compileCall.getArgument(0).mayHaveStringValue(s)) and
pred = templatingCall.getArgument(0).getALocalSource().getAPropertyWrite().getRhs() and
succ = getRegisteredHelperParam(helperName, helperFunction, _)
exists(string templateText, string paramName, int argIdx |
compileCall.getArgument(0).mayHaveStringValue(templateText)
|
pred = templatingCall.getArgument(0).getALocalSource().getAPropertyWrite(paramName).getRhs() and
isTemplateHelperCallArg(templateText, helperName, argIdx, paramName) and
succ = getRegisteredHelperParam(helperName, helperFunction, argIdx)
)
)
}