Merge pull request #3625 from erik-krogh/CVE714

Approved by asgerf
2026-05-10 17:29:26 +02:00 · 2020-06-05 12:21:10 +01:00
parent 69a1e11c06 82cf53897f
commit ff6936caa7
3 changed files with 46 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -827,6 +827,26 @@ module TaintTracking {
    override predicate appliesTo(Configuration cfg) { any() }
  }

+  /** A check of the form `type x === "undefined"`, which sanitized `x` in its "then" branch. */
+  class TypeOfUndefinedSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
+    Expr x;
+    override EqualityTest astNode;
+
+    TypeOfUndefinedSanitizer() {
+      exists(StringLiteral str, TypeofExpr typeof | astNode.hasOperands(str, typeof) |
+        str.getValue() = "undefined" and
+        typeof.getOperand() = x
+      )
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      outcome = astNode.getPolarity() and
+      e = x
+    }
+
+    override predicate appliesTo(Configuration cfg) { any() }
+  }
+
  /** DEPRECATED. This class has been renamed to `MembershipTestSanitizer`. */
  deprecated class StringInclusionSanitizer = MembershipTestSanitizer;