
Commit 8f750d4

committed
JS: UrlSearchParamsTaintStep
1 parent f84a055 commit 8f750d4

1 file changed

Lines changed: 9 additions & 14 deletions


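--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -828,13 +828,13 @@ module TaintTracking {
 /**
 * A taint propagating data flow edge arising from URL parameter parsing.
 */
-private class UrlSearchParamsTaintStep extends DataFlow::AdditionalFlowStep, DataFlow::ValueNode {
+private class UrlSearchParamsTaintStep extends DataFlow::SharedFlowStep {
 /**
 * Holds if `succ` is a `URLSearchParams` providing access to the
 * parameters encoded in `pred`.
 */
 override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-isUrlSearchParams(succ, pred) and succ = this
+isUrlSearchParams(succ, pred)
 }
 
 /**
@@ -847,17 +847,14 @@ module TaintTracking {
 * which can be accessed using a `get` or `getAll` call. (See getableUrlPseudoProperty())
 */
 override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
-succ = this and
-(
-prop = ["searchParams", "hash", "search", hiddenUrlPseudoProperty()] and
-exists(DataFlow::NewNode newUrl | succ = newUrl |
-newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
-pred = newUrl.getArgument(0)
-)
-or
-prop = getableUrlPseudoProperty() and
-isUrlSearchParams(succ, pred)
+prop = ["searchParams", "hash", "search", hiddenUrlPseudoProperty()] and
+exists(DataFlow::NewNode newUrl | succ = newUrl |
+newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
+pred = newUrl.getArgument(0)
 )
+or
+prop = getableUrlPseudoProperty() and
+isUrlSearchParams(succ, pred)
 }
 
 /**
@@ -869,7 +866,6 @@ module TaintTracking {
 override predicate loadStoreStep(
 DataFlow::Node pred, DataFlow::Node succ, string loadProp, string storeProp
 ) {
-succ = this and
 loadProp = hiddenUrlPseudoProperty() and
 storeProp = getableUrlPseudoProperty() and
 exists(DataFlow::PropRead read | read = succ |
@@ -884,7 +880,6 @@ module TaintTracking {
 * This step is used to load the value stored in the pseudo-property `getableUrlPseudoProperty()`.
 */
 override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
-succ = this and
 prop = getableUrlPseudoProperty() and
 // this is a call to `get` or `getAll` on a `URLSearchParams` object
 exists(string m, DataFlow::MethodCallNode call | call = succ |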
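Review bot: Dropping `succ = this` in `loadStoreStep` (and likewise in `step`, `storeStep` and `loadStep`) is not a purely mechanical change, because the old class also extended `DataFlow::ValueNode`, so every successor was implicitly restricted to a value node. With `DataFlow::SharedFlowStep` the successor is bound only by the predicate body, e.g. `read = succ` for a `DataFlow::PropRead`, which as far as I can tell may also be a destructuring-pattern read, so the set of taint edges reported for URL parameters can grow. If that widening is intended, say so in the predicate doc comment, for example `* Note: succ may be any PropRead, including reads that are not value nodes.`, and cover it with a library test that reads `searchParams` both by member access and by destructuring; if it is not, restore the restriction with `succ instanceof DataFlow::ValueNode`. The bodies of `loadStoreStep` and `loadStep` continue beyond the visible hunks, so this is based only on the lines shown.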
