JS: Add comment about allowImplicitRead in PostMessageStar

asgerf · asgerf · commit 406b080ce360 · 2024-03-13T11:30:52.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll
@@ -34,6 +34,7 @@ module PostMessageStarConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
   predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
+    // If an object leaks, all of its properties have leaked
     isSink(node) and contents = DataFlow::ContentSet::anyProperty()
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ module PostMessageStarConfig implements DataFlow::ConfigSig {`
`34`	`34`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
`35`	`35`
`36`	`36`	`predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {`
	`37`	`+ // If an object leaks, all of its properties have leaked`
`37`	`38`	`isSink(node) and contents = DataFlow::ContentSet::anyProperty()`
`38`	`39`	`}`
`39`	`40`	`}`