Commit Graph

1902 Commits

Author SHA1 Message Date
Asger F
054558d7b5 JS: Include content properties in type-tracker properties
Reminder: we have two PropertyName classes because the one in Contents.qll can't depend on DataFlow::Node.
2024-12-03 09:58:54 +01:00
Asger F
8bca66493f JS: Add test showing lack of inclusion in PropertyName 2024-12-03 09:57:02 +01:00
Asger F
9c6b6981e2 JS: Add test to restrict dependencies 2024-11-29 14:23:56 +01:00
Asger F
2f0c80a98b JS: Include summary steps in type tracking 2024-11-29 14:23:55 +01:00
Asger F
440cbb7f0a JS: Add inline-expectation test for type tracking 2024-11-29 14:23:54 +01:00
Asger F
6349903110 JS: Move FlowSummary/Summaries.qll into testUtilities 2024-11-29 14:23:52 +01:00
Asger F
805fd0b46e JS: Refine speculative step definition 2024-11-26 15:56:56 +01:00
Asger F
8818fcc207 JS: Benign test output changes 2024-11-26 15:47:13 +01:00
Asger F
82d61e4194 Merge branch 'js/shared-dataflow-branch' into js/shared-dataflow-merge-main 2024-11-26 15:36:16 +01:00
Asger F
1ac7591faf JS: Update missed flow in capture-flow.js
We previously caught this flow because of a heuristic in capture flow. We'll have to fix it properly later.
2024-11-21 12:57:34 +01:00
Asger F
84820adf3c Add test for exception flow out of finally() 2024-11-21 11:01:03 +01:00
Asger F
948d21ca07 JS: Propagate exceptions from summarized callables by default 2024-11-21 10:24:31 +01:00
Asger F
dcdb2e5133 JS: Fix callback check so it works without parameters 2024-11-21 10:24:29 +01:00
Asger F
b7dd455aff JS: Add test case 2024-11-21 09:21:36 +01:00
Asger F
d52bc971b8 Merge branch 'main' into js/shared-dataflow-merge-main 2024-11-20 14:05:03 +01:00
Asger F
80a5a5909e JS: Use getUnderlyingValue() a few places in VariableCapture 2024-11-19 13:23:29 +01:00
Asger F
d2daec4c66 JS: Add tests explaining why the IIFE in f2 didn't work 2024-11-19 13:23:24 +01:00
Asger F
37676f41aa JS: Remove jump steps from IIFE steps 2024-11-18 13:38:34 +01:00
Asger F
7f2eae0966 JS: Add test case for false flow through IIFEs
We generate local flow steps into and out of IIFEs, but these come jump steps automatically, resulting in FPs.
2024-11-18 13:34:35 +01:00
Asger F
7acc5689cf JS: Port exception steps to a universal summary 2024-11-18 13:27:58 +01:00
Asger F
5ed362f7d6 JS: Add exception test case 2024-11-18 13:23:09 +01:00
Napalys
bed1f25b3f JS: Fix: Now Array.prototype.with is properly flagged as taint step 2024-11-15 10:35:34 +01:00
Napalys
f04fd5cdcc JS: Add: Test case for Array.protype.with taint step 2024-11-15 10:27:44 +01:00
Napalys Klicius
6fa3ff39a0 Merge branch 'main' into napalys/toSpliced-support 2024-11-14 16:56:32 +01:00
Napalys
b333f523df JS: Fix: now one can determine regex via Array.prototype.toSpliced function call. 2024-11-14 15:35:03 +01:00
Napalys
2b0def1ed3 JS: Add: Test case for checking if regex via using toSpliced 2024-11-14 15:31:38 +01:00
Napalys
52330e834c JS: Add: Test case for checking if regex via using splice 2024-11-14 15:29:05 +01:00
Napalys
84234d59b9 JS: Fix: Ensure toSpliced with spread operator is flagged 2024-11-13 17:21:34 +01:00
Napalys
8512cb44ff JS: Add: Test cases for toSpliced with spread operator 2024-11-13 17:18:09 +01:00
Napalys
cf90430ec0 JS: Add: Missing test case for splice spread operator 2024-11-13 17:07:17 +01:00
Napalys
2df3d1b251 JS: Fix: Ensure toSpliced is flagged by taint tracking in test suite (ed44358143) 2024-11-13 15:58:20 +01:00
Napalys
ed44358143 Added toSpliced test cases for mutation arrays 2024-11-13 15:51:00 +01:00
Napalys
df4b596180 Added toSpliced as part ArraySliceStep and ArraySpliceStep, fixed tests from 2d9bc43506 2024-11-13 13:47:34 +01:00
Napalys
2d9bc43506 Added tests for arrays toSpliced with pop 2024-11-13 12:58:24 +01:00
Napalys
b4c84d3d3c Added taint step for toSpliced, handles test from a65f80ef76 2024-11-13 12:41:41 +01:00
Napalys
a65f80ef76 Added basic taint tracking test for Array.prototype.toSpliced() 2024-11-13 12:28:14 +01:00
Napalys
7427a24ca1 Added test case for Array.prototype.toReversed, which is currently not flagged as a taint sink. 2024-11-12 12:02:37 +01:00
Napalys
3215967cbc Added toReserved test case 2024-11-12 12:02:20 +01:00
Napalys
3f0a54c2e8 Added support for Array.prototype.toSorted function 2024-11-12 12:02:04 +01:00
Napalys
def8d75cb8 Added test case for Array.prototype.toSorted, which is currently not flagged as a taint sink. 2024-11-12 12:01:51 +01:00
Napalys Klicius
6266dab518 Merge pull request #17951 from Napalys/napalys/reverse-support
JS: Added support for reverse function
2024-11-12 10:09:18 +01:00
Napalys
81bc7cd19f Refactored SortTaintStep to ArrayInPlaceManipulationTaintStep to support both sort and reverse functions. Fixed newly added test case. from 8026a99db7 2024-11-11 08:32:03 +01:00
Napalys
1c298f0231 Added test case for Array.prototype.reverse, which is currently not flagged as a potential sink. 2024-11-11 08:32:02 +01:00
Rasmus Wriedt Larsen
c0ad9ba529 Merge branch 'main' into js-threat-models 2024-11-01 10:48:32 +01:00
Rasmus Wriedt Larsen
61e60de969 JS: Model readline as a stdin threat-model source
Technically not always true, but my assumption is that +90% of the time
that's what it will be used for, so while we could be more precise by
adding a taint-step from the `input` part of the construction, I'm not
sure it's worth it in this case.

Furthermore, doing so would break with the current way we model
threat-model sources, and how sources are generally modeled in JS... so
for a very pretty setup it would require changing all the other `file`
threat-model sources to start at the constructors such as
`fs.createReadStream()` and have taint-propagation steps towards the
actual use (like we do in Python)...

I couldn't see an easy path forwards for doing this while keeping the
Concepts integration, so I opted for the simpler solution here.
2024-10-31 14:29:30 +01:00
Rasmus Wriedt Larsen
eca8bf5a35 JS: Do simple modeling of process.stdin as threat-model source 2024-10-31 14:26:45 +01:00
Rasmus Wriedt Larsen
34b86c39c1 JS: Model fs.promises.readFile as file source
You could argue that proper modeling be done in the same way as
`NodeJSFileSystemAccessRead` is done for the callback based `fs` API (in
NodeJSLib.qll). However, that work is straying from the core goals I'm
working towards right now, so I'll argue that "perfect is the enemy of
good", and leave this as is for now.
2024-10-31 14:09:38 +01:00
Rasmus Wriedt Larsen
971f53870e JS: Include fs externs
Makes a difference due to the modeling of NodeJSFileSystemAccessRead depending on these, see
412e841d69/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll (L479-L488)

File copied from 7cef4322e7/javascript/externs/nodejs/fs.js
2024-10-31 13:51:22 +01:00
Rasmus Wriedt Larsen
b47fa77dc6 JS: Add tests for stdin threat-model sources 2024-10-31 12:59:21 +01:00
Rasmus Wriedt Larsen
2b6c27eb60 JS: Add initial file threat-model support
However, as indicated by the `MISSING` annotations, we could do better.
2024-10-29 15:14:39 +01:00