JS: Add taint into dynamic argument array
1 parent 079a622 commit 895cb87

2 files changed

Lines changed: 14 additions & 6 deletions


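--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
@@ -1,5 +1,6 @@
 private import javascript
 private import semmle.javascript.dataflow.internal.DataFlowPrivate
+private import semmle.javascript.dataflow.internal.DataFlowNode
 private import semmle.javascript.dataflow.internal.Contents::Public
 private import semmle.javascript.dataflow.internal.sharedlib.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.javascript.dataflow.internal.FlowSummaryPrivate as FlowSummaryPrivate
@@ -18,6 +19,13 @@ predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2)
 or
 FlowSummaryPrivate::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(),
 ContentSet::arrayElement(), node2.(FlowSummaryNode).getSummaryNode())
+or
+// If the spread argument itself is tainted (not inside a content), store it into the dynamic argument array.
+exists(InvokeExpr invoke, Content c |
+node1 = TValueNode(invoke.getAnArgument().stripParens().(SpreadElement).getOperand()) and
+node2 = TDynamicArgumentStoreNode(invoke, c) and
+c.isUnknownArrayElement()
+)
 }
 
 predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2, string model) {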
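Review bot: The new `exists(InvokeExpr invoke, Content c | ...)` step stores the spread operand under `c.isUnknownArrayElement()`, so every parameter that reads from the dynamic argument array is marked tainted, including parameters bound to fixed positional arguments placed before the spread; the accompanying test file marks `sink(x)` in t12 (`target("safe", ...source('t12.1'))`) and t13 as SPURIOUS for exactly this reason. If that over-approximation is the intended precision trade-off for taint tracking, the comment should say so rather than only describing the happy path, e.g. `// Over-approximates: the unknown-index store also taints parameters bound before the spread (see TripleDot t12/t13).`. If it is not intended, the step would need the spread's argument index to be reflected in the stored content, which `isUnknownArrayElement()` cannot express — worth a TODO either way. The body of `defaultAdditionalTaintStep` starts before this hunk.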

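--- a/javascript/ql/test/library-tests/TripleDot/tst.js
+++ b/javascript/ql/test/library-tests/TripleDot/tst.js
@@ -115,24 +115,24 @@ function t10() {
 
 function t11() {
 function target(x, y) {
-sink(x); // $ MISSING: hasTaintFlow=t11.1
-sink(y); // $ MISSING: hasTaintFlow=t11.1
+sink(x); // $ hasTaintFlow=t11.1
+sink(y); // $ hasTaintFlow=t11.1
 }
 target(...source('t11.1'));
 }
 
 function t12() {
 function target(x, y) {
-sink(x);
-sink(y); // $ MISSING: hasTaintFlow=t12.1
+sink(x); // $ SPURIOUS: hasTaintFlow=t12.1
+sink(y); // $ hasTaintFlow=t12.1
 }
 target("safe", ...source('t12.1'));
 }
 
 function t13() {
 function target(x, y, ...rest) {
-sink(x);
-sink(y); // $ MISSING: hasTaintFlow=t13.1
+sink(x); // $ SPURIOUS: hasTaintFlow=t13.1
+sink(y); // $ hasTaintFlow=t13.1
 sink(rest); // $ MISSING: hasTaintFlow=t13.1
 sink(rest[0]); // $ MISSING: hasTaintFlow=t13.1
 }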
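Review bot: The two new `SPURIOUS` expectations on `sink(x)` in t12 and t13 record a known false positive without saying where it comes from, which makes them easy to "fix" by accident later; a one-line comment next to the first one would help, e.g. `// x is bound to "safe", but the unknown-index store for the spread taints every dynamic argument`. In t13 the `sink(rest)` and `sink(rest[0])` lines keep their `MISSING` markers, so the rest parameter is still not reached by the new step even though `y` now is — if that gap is deliberate, a short note on why would save the next reader from re-investigating. The t13 function continues past the end of this hunk (its `target(...)` call and closing brace are not shown).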
