mirror of
https://github.com/github/codeql.git
synced 2026-07-05 11:35:30 +02:00
Compare commits
1 Commits
codeql-cli
...
hackathon/
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
2468bd978b |
@@ -10,3 +10,6 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
import java
|
import java
|
||||||
|
|
||||||
|
// For the hackathon, make speculative data flow tunable from a central location
|
||||||
|
int speculativity() { result = 5 }
|
||||||
|
|||||||
@@ -23,7 +23,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks the flow of tainted Intents being used to start Android components. */
|
/** Tracks the flow of tainted Intents being used to start Android components. */
|
||||||
module IntentRedirectionFlow = TaintTracking::Global<IntentRedirectionConfig>;
|
module IntentRedirectionFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<IntentRedirectionConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A sanitizer for sinks that receive the original incoming Intent,
|
* A sanitizer for sinks that receive the original incoming Intent,
|
||||||
|
|||||||
@@ -36,4 +36,4 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* Taint-tracking flow for use of broken or risky cryptographic algorithms.
|
* Taint-tracking flow for use of broken or risky cryptographic algorithms.
|
||||||
*/
|
*/
|
||||||
module InsecureCryptoFlow = TaintTracking::Global<InsecureCryptoConfig>;
|
module InsecureCryptoFlow = TaintTracking::SpeculativeGlobal<InsecureCryptoConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -68,7 +68,8 @@ deprecated module RemoteUserInputToArgumentToExecFlowConfig = InputToArgumentToE
|
|||||||
/**
|
/**
|
||||||
* Taint-tracking flow for unvalidated input that is used to run an external process.
|
* Taint-tracking flow for unvalidated input that is used to run an external process.
|
||||||
*/
|
*/
|
||||||
module InputToArgumentToExecFlow = TaintTracking::Global<InputToArgumentToExecFlowConfig>;
|
module InputToArgumentToExecFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<InputToArgumentToExecFlowConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* DEPRECATED: Use `InputToArgumentToExecFlow` instead.
|
* DEPRECATED: Use `InputToArgumentToExecFlow` instead.
|
||||||
|
|||||||
@@ -31,4 +31,4 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
|
|||||||
* Taint-tracking flow for externally controlled format string vulnerabilities.
|
* Taint-tracking flow for externally controlled format string vulnerabilities.
|
||||||
*/
|
*/
|
||||||
module ExternallyControlledFormatStringFlow =
|
module ExternallyControlledFormatStringFlow =
|
||||||
TaintTracking::Global<ExternallyControlledFormatStringConfig>;
|
TaintTracking::SpeculativeGlobal<ExternallyControlledFormatStringConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -25,4 +25,5 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
|
|||||||
* Taint-tracking flow for unsafe user input
|
* Taint-tracking flow for unsafe user input
|
||||||
* that is used to create Android fragments dynamically.
|
* that is used to create Android fragments dynamically.
|
||||||
*/
|
*/
|
||||||
module FragmentInjectionTaintFlow = TaintTracking::Global<FragmentInjectionTaintConfig>;
|
module FragmentInjectionTaintFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<FragmentInjectionTaintConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -25,4 +25,5 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig {
|
|||||||
* Detect taint flow of unsafe user input
|
* Detect taint flow of unsafe user input
|
||||||
* that is used to evaluate a Groovy expression.
|
* that is used to evaluate a Groovy expression.
|
||||||
*/
|
*/
|
||||||
module GroovyInjectionFlow = TaintTracking::Global<GroovyInjectionConfig>;
|
module GroovyInjectionFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<GroovyInjectionConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -53,4 +53,4 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
module ImplicitPendingIntentStartFlow =
|
module ImplicitPendingIntentStartFlow =
|
||||||
TaintTracking::GlobalWithState<ImplicitPendingIntentStartConfig>;
|
TaintTracking::SpeculativeGlobalWithState<ImplicitPendingIntentStartConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -54,7 +54,7 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow from user input to the argument of a method that builds constraint error messages. */
|
/** Tracks flow from user input to the argument of a method that builds constraint error messages. */
|
||||||
module BeanValidationFlow = TaintTracking::Global<BeanValidationConfig>;
|
module BeanValidationFlow = TaintTracking::SpeculativeGlobal<BeanValidationConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A bean validation sink, such as method `buildConstraintViolationWithTemplate`
|
* A bean validation sink, such as method `buildConstraintViolationWithTemplate`
|
||||||
|
|||||||
@@ -26,7 +26,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
|
|||||||
predicate observeDiffInformedIncrementalMode() { any() }
|
predicate observeDiffInformedIncrementalMode() { any() }
|
||||||
}
|
}
|
||||||
|
|
||||||
module InsecureLdapUrlFlow = TaintTracking::Global<InsecureLdapUrlConfig>;
|
module InsecureLdapUrlFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<InsecureLdapUrlConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A taint-tracking configuration for `simple` basic-authentication in LDAP configuration.
|
* A taint-tracking configuration for `simple` basic-authentication in LDAP configuration.
|
||||||
|
|||||||
@@ -103,4 +103,5 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* Taint-tracking flow of a Insecurely random value into a sensitive sink.
|
* Taint-tracking flow of a Insecurely random value into a sensitive sink.
|
||||||
*/
|
*/
|
||||||
module InsecureRandomnessFlow = TaintTracking::Global<InsecureRandomnessConfig>;
|
module InsecureRandomnessFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<InsecureRandomnessConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -31,4 +31,4 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
|
|||||||
* Taint tracking flow for user-provided Intents being returned to third party apps.
|
* Taint tracking flow for user-provided Intents being returned to third party apps.
|
||||||
*/
|
*/
|
||||||
module IntentUriPermissionManipulationFlow =
|
module IntentUriPermissionManipulationFlow =
|
||||||
TaintTracking::Global<IntentUriPermissionManipulationConfig>;
|
TaintTracking::SpeculativeGlobal<IntentUriPermissionManipulationConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -59,7 +59,7 @@ module JexlInjectionConfig implements DataFlow::ConfigSig {
|
|||||||
* Tracks unsafe user input that is used to construct and evaluate a JEXL expression.
|
* Tracks unsafe user input that is used to construct and evaluate a JEXL expression.
|
||||||
* It supports both JEXL 2 and 3.
|
* It supports both JEXL 2 and 3.
|
||||||
*/
|
*/
|
||||||
module JexlInjectionFlow = TaintTracking::Global<JexlInjectionConfig>;
|
module JexlInjectionFlow = TaintTracking::SpeculativeGlobal<JexlInjectionConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if `n1` to `n2` is a dataflow step that creates a JEXL script using an unsafe engine
|
* Holds if `n1` to `n2` is a dataflow step that creates a JEXL script using an unsafe engine
|
||||||
|
|||||||
@@ -28,7 +28,8 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow of unvalidated user input that is used in JNDI lookup */
|
/** Tracks flow of unvalidated user input that is used in JNDI lookup */
|
||||||
module JndiInjectionFlow = TaintTracking::Global<JndiInjectionFlowConfig>;
|
module JndiInjectionFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<JndiInjectionFlowConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A method that does a JNDI lookup when it receives a `SearchControls` argument with `setReturningObjFlag` = `true`
|
* A method that does a JNDI lookup when it receives a `SearchControls` argument with `setReturningObjFlag` = `true`
|
||||||
|
|||||||
@@ -22,4 +22,4 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow from remote sources to LDAP injection vulnerabilities. */
|
/** Tracks flow from remote sources to LDAP injection vulnerabilities. */
|
||||||
module LdapInjectionFlow = TaintTracking::Global<LdapInjectionFlowConfig>;
|
module LdapInjectionFlow = TaintTracking::SpeculativeGlobal<LdapInjectionFlowConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -24,4 +24,5 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */
|
/** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */
|
||||||
module MvelInjectionFlow = TaintTracking::Global<MvelInjectionFlowConfig>;
|
module MvelInjectionFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<MvelInjectionFlowConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -109,7 +109,7 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* Taint-tracking flow for user input that is used in a numeric cast.
|
* Taint-tracking flow for user input that is used in a numeric cast.
|
||||||
*/
|
*/
|
||||||
module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
|
module NumericCastFlow = TaintTracking::SpeculativeGlobal<NumericCastFlowConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A taint-tracking configuration for reasoning about local user input that is
|
* A taint-tracking configuration for reasoning about local user input that is
|
||||||
|
|||||||
@@ -23,4 +23,5 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */
|
/** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */
|
||||||
module OgnlInjectionFlow = TaintTracking::Global<OgnlInjectionFlowConfig>;
|
module OgnlInjectionFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<OgnlInjectionFlowConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -23,4 +23,4 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
|
|||||||
|
|
||||||
/** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */
|
/** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */
|
||||||
module PartialPathTraversalFromRemoteFlow =
|
module PartialPathTraversalFromRemoteFlow =
|
||||||
TaintTracking::Global<PartialPathTraversalFromRemoteConfig>;
|
TaintTracking::SpeculativeGlobal<PartialPathTraversalFromRemoteConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -32,4 +32,4 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
|
|||||||
predicate observeDiffInformedIncrementalMode() { any() }
|
predicate observeDiffInformedIncrementalMode() { any() }
|
||||||
}
|
}
|
||||||
|
|
||||||
module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
|
module RequestForgeryFlow = TaintTracking::SpeculativeGlobal<RequestForgeryConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -38,4 +38,5 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* Tracks flow from remote sources to response splitting vulnerabilities.
|
* Tracks flow from remote sources to response splitting vulnerabilities.
|
||||||
*/
|
*/
|
||||||
module ResponseSplittingFlow = TaintTracking::Global<ResponseSplittingConfig>;
|
module ResponseSplittingFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<ResponseSplittingConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -23,7 +23,7 @@ module SpelInjectionConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */
|
/** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */
|
||||||
module SpelInjectionFlow = TaintTracking::Global<SpelInjectionConfig>;
|
module SpelInjectionFlow = TaintTracking::SpeculativeGlobal<SpelInjectionConfig, speculativity/0>;
|
||||||
|
|
||||||
/** Default sink for SpEL injection vulnerabilities. */
|
/** Default sink for SpEL injection vulnerabilities. */
|
||||||
private class DefaultSpelExpressionEvaluationSink extends SpelExpressionEvaluationSink {
|
private class DefaultSpelExpressionEvaluationSink extends SpelExpressionEvaluationSink {
|
||||||
|
|||||||
@@ -27,7 +27,7 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow of unvalidated user input that is used in SQL queries. */
|
/** Tracks flow of unvalidated user input that is used in SQL queries. */
|
||||||
module QueryInjectionFlow = TaintTracking::Global<QueryInjectionFlowConfig>;
|
module QueryInjectionFlow = TaintTracking::SpeculativeGlobal<QueryInjectionFlowConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it
|
* Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it
|
||||||
|
|||||||
@@ -131,4 +131,5 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks the flow from a static initialization vector to the initialization of a cipher */
|
/** Tracks the flow from a static initialization vector to the initialization of a cipher */
|
||||||
module StaticInitializationVectorFlow = TaintTracking::Global<StaticInitializationVectorConfig>;
|
module StaticInitializationVectorFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<StaticInitializationVectorConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -77,7 +77,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow from remote sources to the creation of a path. */
|
/** Tracks flow from remote sources to the creation of a path. */
|
||||||
module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
|
module TaintedPathFlow = TaintTracking::SpeculativeGlobal<TaintedPathConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A taint-tracking configuration for tracking flow from local user input to the creation of a path.
|
* A taint-tracking configuration for tracking flow from local user input to the creation of a path.
|
||||||
|
|||||||
@@ -21,4 +21,4 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks server-side template injection (SST) vulnerabilities */
|
/** Tracks server-side template injection (SST) vulnerabilities */
|
||||||
module TemplateInjectionFlow = TaintTracking::Global<TemplateInjectionFlowConfig>;
|
module TemplateInjectionFlow = TaintTracking::SpeculativeGlobal<TemplateInjectionFlowConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -25,4 +25,5 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
|
/** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
|
||||||
module UnsafeContentResolutionFlow = TaintTracking::Global<UnsafeContentResolutionConfig>;
|
module UnsafeContentResolutionFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<UnsafeContentResolutionConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -329,7 +329,10 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
|
|||||||
predicate observeDiffInformedIncrementalMode() { any() }
|
predicate observeDiffInformedIncrementalMode() { any() }
|
||||||
}
|
}
|
||||||
|
|
||||||
module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;
|
int speculationLimit() { result = 10 }
|
||||||
|
|
||||||
|
module UnsafeDeserializationFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<UnsafeDeserializationConfig, speculationLimit/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets a safe usage of the `use` method of Flexjson, which could be:
|
* Gets a safe usage of the `use` method of Flexjson, which could be:
|
||||||
|
|||||||
@@ -202,4 +202,4 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* Taint-tracking flow for URL forwarding.
|
* Taint-tracking flow for URL forwarding.
|
||||||
*/
|
*/
|
||||||
module UrlForwardFlow = TaintTracking::Global<UrlForwardFlowConfig>;
|
module UrlForwardFlow = TaintTracking::SpeculativeGlobal<UrlForwardFlowConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -20,4 +20,4 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* Taint-tracking flow for URL redirections.
|
* Taint-tracking flow for URL redirections.
|
||||||
*/
|
*/
|
||||||
module UrlRedirectFlow = TaintTracking::Global<UrlRedirectConfig>;
|
module UrlRedirectFlow = TaintTracking::SpeculativeGlobal<UrlRedirectConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -19,4 +19,4 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* Taint-tracking flow for XPath injection vulnerabilities.
|
* Taint-tracking flow for XPath injection vulnerabilities.
|
||||||
*/
|
*/
|
||||||
module XPathInjectionFlow = TaintTracking::Global<XPathInjectionConfig>;
|
module XPathInjectionFlow = TaintTracking::SpeculativeGlobal<XPathInjectionConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -27,7 +27,8 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* Tracks flow from unvalidated user input to XSLT transformation.
|
* Tracks flow from unvalidated user input to XSLT transformation.
|
||||||
*/
|
*/
|
||||||
module XsltInjectionFlow = TaintTracking::Global<XsltInjectionFlowConfig>;
|
module XsltInjectionFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<XsltInjectionFlowConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A set of additional taint steps to consider when taint tracking XSLT related data flows.
|
* A set of additional taint steps to consider when taint tracking XSLT related data flows.
|
||||||
|
|||||||
@@ -25,4 +25,4 @@ module XssConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow from remote sources to cross site scripting vulnerabilities. */
|
/** Tracks flow from remote sources to cross site scripting vulnerabilities. */
|
||||||
module XssFlow = TaintTracking::Global<XssConfig>;
|
module XssFlow = TaintTracking::SpeculativeGlobal<XssConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -25,4 +25,4 @@ module XxeConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* Detect taint flow of unvalidated remote user input that is used in XML external entity expansion.
|
* Detect taint flow of unvalidated remote user input that is used in XML external entity expansion.
|
||||||
*/
|
*/
|
||||||
module XxeFlow = TaintTracking::Global<XxeConfig>;
|
module XxeFlow = TaintTracking::SpeculativeGlobal<XxeConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -48,7 +48,7 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow from archive entries to file creation. */
|
/** Tracks flow from archive entries to file creation. */
|
||||||
module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
|
module ZipSlipFlow = TaintTracking::SpeculativeGlobal<ZipSlipConfig, speculativity/0>;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A sink that represents a file creation, such as a file write, copy or move operation.
|
* A sink that represents a file creation, such as a file write, copy or move operation.
|
||||||
|
|||||||
@@ -49,4 +49,5 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;
|
module PolynomialRedosFlow =
|
||||||
|
TaintTracking::SpeculativeGlobal<PolynomialRedosConfig, speculativity/0>;
|
||||||
|
|||||||
@@ -21,4 +21,4 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
|
|||||||
/**
|
/**
|
||||||
* Taint-tracking flow for untrusted user input used to construct regular expressions.
|
* Taint-tracking flow for untrusted user input used to construct regular expressions.
|
||||||
*/
|
*/
|
||||||
module RegexInjectionFlow = TaintTracking::Global<RegexInjectionConfig>;
|
module RegexInjectionFlow = TaintTracking::SpeculativeGlobal<RegexInjectionConfig, speculativity/0>;
|
||||||
|
|||||||
Reference in New Issue
Block a user