codeql/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js
Asger F 4568967a76 JS: Do not use legacy taint steps in TaintedUrlSuffix
Tainted URL suffix steps are added as configuration-specific additional
steps, which means implicit reads may occur before any of these steps.

These steps accidentally included the legacy taint steps which include
a step from 'arguments' to all positional parameters. Combined with the
implicit read, arguments could escape their array index and flow to
any parameter while in the tainted-url flow state.
2024-08-29 13:48:30 +02:00


import 'dummy'; // forces module parsing for the test

function foo(x, y, z) {
    arguments; // ensure 'arguments' is used, so the arguments-to-parameter step applies
    document.writeln(x); // OK
    document.writeln(y); // NOT OK
    document.writeln(z); // OK
}

function bar() {
    const url = window.location.href; // tainted URL source
    foo('safe', url, 'safe'); // only the second argument carries taint
}
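To make the precision difference described in the commit message concrete, here is an added illustration, not code from the CodeQL repository or the commit above. It models the two ways an analysis can propagate taint from `arguments` to a function's positional parameters: an index-sensitive step (`arguments[i]` reaches only the i-th parameter) and the legacy, index-insensitive step (all of `arguments` reaches every parameter). The call, the function `propagateArgumentsTaint`, `classifySinks` and `argumentsAlias` are constructed for this example; the expected labels come from the `// OK` / `// NOT OK` comments in the test file.

```javascript
// Constructed model (not CodeQL's own code) of taint propagation from
// `arguments` to positional parameters. Names here are invented.

// The call `foo('safe', url, 'safe')` from the test file, described as a list
// of arguments and whether each one carries a tainted value (the URL).
const CONSTRUCTED_CALL = [
  { expr: "'safe'", tainted: false },
  { expr: "window.location.href", tainted: true },
  { expr: "'safe'", tainted: false },
];
const PARAMS = ["x", "y", "z"];

// indexSensitive = true  : arguments[i] flows only to the i-th parameter.
// indexSensitive = false : legacy step, `arguments` as a whole flows to every
//                          parameter, so the array index is lost.
function propagateArgumentsTaint(callArgs, paramNames, { indexSensitive }) {
  const tainted = new Set();
  callArgs.forEach((arg, i) => {
    if (!arg.tainted) return;
    if (indexSensitive) {
      if (i < paramNames.length) tainted.add(paramNames[i]);
    } else {
      paramNames.forEach((p) => tainted.add(p));
    }
  });
  return [...tainted];
}

// Label each parameter the way the test file annotates its sinks.
function classifySinks(callArgs, paramNames, options) {
  const tainted = new Set(propagateArgumentsTaint(callArgs, paramNames, options));
  return Object.fromEntries(
    paramNames.map((p) => [p, tainted.has(p) ? "NOT OK" : "OK"])
  );
}

// Runtime reminder of why an arguments-to-parameter step exists at all:
// arguments[i] holds the same value as the i-th parameter, and only that one.
function argumentsAlias(x, y, z) {
  return [arguments[0] === x, arguments[1] === y, arguments[2] === z];
}

const precise = classifySinks(CONSTRUCTED_CALL, PARAMS, { indexSensitive: true });
const legacy = classifySinks(CONSTRUCTED_CALL, PARAMS, { indexSensitive: false });
console.log("index-sensitive:", precise); // { x: 'OK', y: 'NOT OK', z: 'OK' }
console.log("legacy step:    ", legacy);  // { x: 'NOT OK', y: 'NOT OK', z: 'NOT OK' }
```

The index-sensitive model reproduces the test's expectations exactly; the legacy model flags `x` and `z` as well, which is the false-positive pattern the commit removes by no longer pulling the legacy taint steps into the tainted-URL-suffix configuration.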