JS: StringConcatStep

asgerf · asgerf · commit 7a5f9f6a6939 · 2021-03-17T13:25:59.000Z
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -421,11 +421,8 @@ module TaintTracking {
    * Note that since we cannot easily distinguish string append from addition,
    * we consider any `+` operation to propagate taint.
    */
-  class StringConcatenationTaintStep extends AdditionalTaintStep {
-    StringConcatenationTaintStep() { StringConcatenation::taintStep(_, this) }
-
+  class StringConcatenationTaintStep extends SharedTaintStep {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      succ = this and
       StringConcatenation::taintStep(pred, succ)
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -421,11 +421,8 @@ module TaintTracking {`
`421`	`421`	`* Note that since we cannot easily distinguish string append from addition,`
`422`	`422`	* we consider any `+` operation to propagate taint.
`423`	`423`	`*/`
`424`		`- class StringConcatenationTaintStep extends AdditionalTaintStep {`
`425`		`- StringConcatenationTaintStep() { StringConcatenation::taintStep(_, this) }`
`426`		`-`
	`424`	`+ class StringConcatenationTaintStep extends SharedTaintStep {`
`427`	`425`	`override predicate step(DataFlow::Node pred, DataFlow::Node succ) {`
`428`		`- succ = this and`
`429`	`426`	`StringConcatenation::taintStep(pred, succ)`
`430`	`427`	`}`
`431`	`428`	`}`