@@ -259,6 +259,14 @@ module TaintTracking {
259259 */
260260 predicate heapStep ( DataFlow:: Node pred , DataFlow:: Node succ ) { none ( ) }
261261
262+ /**
263+ * Holds if `pred` → `succ` should be considered a taint-propagating
264+ * data flow edge through arrays.
265+ *
266+ * These steps considers an array to be tainted if it contains tainted elements.
267+ */
268+ predicate arrayStep ( DataFlow:: Node pred , DataFlow:: Node succ ) { none ( ) }
269+
262270 /**
263271 * Holds if `pred` → `succ` should be considered a taint-propagating
264272 * data flow edge through the `state` or `props` or a React component.
@@ -342,6 +350,14 @@ module TaintTracking {
342350 any ( SharedTaintStep step ) .heapStep ( pred , succ )
343351 }
344352
353+ /**
354+ * Holds if `pred -> succ` is a taint propagating data flow edge through an array.
355+ */
356+ cached
357+ predicate arrayStep ( DataFlow:: Node pred , DataFlow:: Node succ ) {
358+ any ( SharedTaintStep step ) .arrayStep ( pred , succ )
359+ }
360+
345361 /**
346362 * Holds if `pred -> succ` is a taint propagating data flow edge through the
347363 * properties of a view compenent, such as the `state` or `props` of a React component.
@@ -426,6 +442,7 @@ module TaintTracking {
426442 uriStep ( pred , succ ) or
427443 persistentStorageStep ( pred , succ ) or
428444 heapStep ( pred , succ ) or
445+ arrayStep ( pred , succ ) or
429446 viewComponentStep ( pred , succ ) or
430447 stringConcatenationStep ( pred , succ ) or
431448 stringManipulationStep ( pred , succ ) or
@@ -541,7 +558,7 @@ module TaintTracking {
541558 }
542559 }
543560
544- predicate arrayFunctionTaintStep = ArrayTaintTracking:: arrayFunctionTaintStep / 3 ;
561+ deprecated predicate arrayFunctionTaintStep = ArrayTaintTracking:: arrayFunctionTaintStep / 3 ;
545562
546563 /**
547564 * A taint propagating data flow edge for assignments of the form `o[k] = v`, where
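Review bot: The `deprecated` alias `arrayFunctionTaintStep` at new line 561 has no QLDoc telling callers what replaces it; a comment such as `/** DEPRECATED: Use <replacement predicate> instead. */` above it would let query authors migrate rather than only see a warning. The replacement is presumably the new `arrayStep`, but that predicate takes two nodes while the alias is declared `/3`, so the author should confirm the mapping. Separately, the QLDoc on the first `arrayStep` declaration (new lines 262–267) reads "These steps considers"; I would reword it to `This step considers an array to be tainted if it contains tainted elements.` The same comment should say that this is a deliberate over-approximation, because reading any element of such an array is then treated as tainted. Since `arrayStep` joins the shared disjunction at new line 445 (its enclosing predicate starts outside the hunk), that precision cost appears to apply to every configuration using these shared steps.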