JavaScript: add taint step from return value of 'map' callback

asger-semmle · asger-semmle · commit 66dcd7d4c7fc · 2018-08-13T12:15:24.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -207,6 +207,13 @@ module TaintTracking {
           this = DataFlow::parameterNode(p) and
           pred.asExpr() = m.getReceiver()
         )
+        or
+        // `array.map` with tainted return value in callback
+        exists (MethodCallExpr m, Function f |
+          this.asExpr() = m and
+          m.getMethodName() = "map" and
+          m.getArgument(0) = f and // Require the argument to be a closure to avoid spurious call/return flow
+          pred = f.getAReturnedExpr().flow())
       )
       or
       // reading from a tainted object yields a tainted result

Original file line number	Diff line number	Diff line change
`@@ -207,6 +207,13 @@ module TaintTracking {`
`207`	`207`	`this = DataFlow::parameterNode(p) and`
`208`	`208`	`pred.asExpr() = m.getReceiver()`
`209`	`209`	`)`
	`210`	`+ or`
	`211`	+ // `array.map` with tainted return value in callback
	`212`	`+ exists (MethodCallExpr m, Function f \|`
	`213`	`+ this.asExpr() = m and`
	`214`	`+ m.getMethodName() = "map" and`
	`215`	`+ m.getArgument(0) = f and // Require the argument to be a closure to avoid spurious call/return flow`
	`216`	`+ pred = f.getAReturnedExpr().flow())`
`210`	`217`	`)`
`211`	`218`	`or`
`212`	`219`	`// reading from a tainted object yields a tainted result`