hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-16 04:24:01 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
53b63bed00a877a6fd9feb2876efd31f99e3d4d7
codeql/javascript/ql/lib/semmle/javascript/security/dataflow/PropertyInjectionShared.qll
Andrew Eisenberg 45d1fa7f01 Packaging: Rafactor Javascript core libraries 
Extract the external facing `qll` files into the codeql/javascript-all
query pack.
2021-08-25 12:15:56 -07:00

34 lines
1.0 KiB
Plaintext
Raw Blame History

/**
* Provides predicates for reasoning about flow of user-controlled values that are used
* as property names.
*/
import javascript
module PropertyInjection {
/**
* Holds if the methods of the given value are unsafe, such as `eval`.
*/
predicate hasUnsafeMethods(DataFlow::SourceNode node) {
// eval and friends can be accessed from the global object.
node = DataFlow::globalObjectRef()
or
// document.write can be accessed
node = DOM::documentRef()
or
// 'constructor' property leads to the Function constructor.
node.analyze().getAValue() instanceof AbstractCallable
or
// Assume that a value that is invoked can refer to a function.
exists(node.getAnInvocation())
}
/**
* Holds if the `node` is of form `Object.create(null)` and so it has no prototype.
*/
predicate isPrototypeLessObject(DataFlow::MethodCallNode node) {
node = DataFlow::globalVarRef("Object").getAMethodCall("create") and
node.getArgument(0).asExpr() instanceof NullLiteral
}
}
Reference in New Issue View Git Blame Copy Permalink