JS: Add taint into dynamic argument array

asgerf · asgerf · commit 895cb872ada8 · 2024-08-27T11:35:24.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
@@ -1,5 +1,6 @@
 private import javascript
 private import semmle.javascript.dataflow.internal.DataFlowPrivate
+private import semmle.javascript.dataflow.internal.DataFlowNode
 private import semmle.javascript.dataflow.internal.Contents::Public
 private import semmle.javascript.dataflow.internal.sharedlib.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.javascript.dataflow.internal.FlowSummaryPrivate as FlowSummaryPrivate
@@ -18,6 +19,13 @@ predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2)
   or
   FlowSummaryPrivate::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(),
     ContentSet::arrayElement(), node2.(FlowSummaryNode).getSummaryNode())
+  or
+  // If the spread argument itself is tainted (not inside a content), store it into the dynamic argument array.
+  exists(InvokeExpr invoke, Content c |
+    node1 = TValueNode(invoke.getAnArgument().stripParens().(SpreadElement).getOperand()) and
+    node2 = TDynamicArgumentStoreNode(invoke, c) and
+    c.isUnknownArrayElement()
+  )
 }
 
 predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2, string model) {
diff --git a/javascript/ql/test/library-tests/TripleDot/tst.js b/javascript/ql/test/library-tests/TripleDot/tst.js
@@ -115,24 +115,24 @@ function t10() {
 
 function t11() {
     function target(x, y) {
-        sink(x); // $ MISSING: hasTaintFlow=t11.1
-        sink(y); // $ MISSING: hasTaintFlow=t11.1
+        sink(x); // $ hasTaintFlow=t11.1
+        sink(y); // $ hasTaintFlow=t11.1
     }
     target(...source('t11.1'));
 }
 
 function t12() {
     function target(x, y) {
-        sink(x);
-        sink(y); // $ MISSING: hasTaintFlow=t12.1
+        sink(x); // $ SPURIOUS: hasTaintFlow=t12.1
+        sink(y); // $ hasTaintFlow=t12.1
     }
     target("safe", ...source('t12.1'));
 }
 
 function t13() {
     function target(x, y, ...rest) {
-        sink(x);
-        sink(y); // $ MISSING: hasTaintFlow=t13.1
+        sink(x); // $ SPURIOUS: hasTaintFlow=t13.1
+        sink(y); // $ hasTaintFlow=t13.1
         sink(rest); // $ MISSING: hasTaintFlow=t13.1
         sink(rest[0]); // $ MISSING: hasTaintFlow=t13.1
     }

Original file line number	Diff line number	Diff line change
`@@ -115,24 +115,24 @@ function t10() {`
`115`	`115`
`116`	`116`	`function t11() {`
`117`	`117`	`function target(x, y) {`
`118`		`- sink(x); // $ MISSING: hasTaintFlow=t11.1`
`119`		`- sink(y); // $ MISSING: hasTaintFlow=t11.1`
	`118`	`+ sink(x); // $ hasTaintFlow=t11.1`
	`119`	`+ sink(y); // $ hasTaintFlow=t11.1`
`120`	`120`	`}`
`121`	`121`	`target(...source('t11.1'));`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`function t12() {`
`125`	`125`	`function target(x, y) {`
`126`		`- sink(x);`
`127`		`- sink(y); // $ MISSING: hasTaintFlow=t12.1`
	`126`	`+ sink(x); // $ SPURIOUS: hasTaintFlow=t12.1`
	`127`	`+ sink(y); // $ hasTaintFlow=t12.1`
`128`	`128`	`}`
`129`	`129`	`target("safe", ...source('t12.1'));`
`130`	`130`	`}`
`131`	`131`
`132`	`132`	`function t13() {`
`133`	`133`	`function target(x, y, ...rest) {`
`134`		`- sink(x);`
`135`		`- sink(y); // $ MISSING: hasTaintFlow=t13.1`
	`134`	`+ sink(x); // $ SPURIOUS: hasTaintFlow=t13.1`
	`135`	`+ sink(y); // $ hasTaintFlow=t13.1`
`136`	`136`	`sink(rest); // $ MISSING: hasTaintFlow=t13.1`
`137`	`137`	`sink(rest[0]); // $ MISSING: hasTaintFlow=t13.1`
`138`	`138`	`}`