mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
25 lines
853 B
Plaintext
25 lines
853 B
Plaintext
/**
|
|
* @name Taint-tracking to 'eval' calls (with path visualization)
|
|
* @description Tracks user-controlled values into 'eval' calls (special case of js/code-injection),
|
|
* and generates a visualizable path from the source to the sink.
|
|
* @kind path-problem
|
|
* @tags security
|
|
* @id js/cookbook/eval-taint-path
|
|
*/
|
|
|
|
import javascript::DataFlow
|
|
import DataFlow::PathGraph
|
|
|
|
class EvalTaint extends TaintTracking::Configuration {
|
|
EvalTaint() { this = "EvalTaint" }
|
|
|
|
override predicate isSource(Node node) { node instanceof RemoteFlowSource }
|
|
|
|
override predicate isSink(Node node) { node = globalVarRef("eval").getACall().getArgument(0) }
|
|
}
|
|
|
|
from EvalTaint cfg, PathNode source, PathNode sink
|
|
where cfg.hasFlowPath(source, sink)
|
|
select sink.getNode(), source, sink, "Eval with user-controlled input from $@.", source.getNode(),
|
|
"here"
|