Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 95122b2

Browse files
asgerfasgerf
committed
JS: Support Argument[this] token
1 parent d476f97 commit 95122b2

4 files changed

Lines changed: 23 additions & 1 deletion

File tree

javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -133,6 +133,10 @@ bindingset[token]
133133
API::Node getExtraSuccessorFromInvoke(API::InvokeNode node, AccessPathToken token) {
134134
token.getName() = "Instance" and
135135
result = node.getInstance()
136+
or
137+
token.getName() = "Argument" and
138+
token.getAnArgument() = "this" and
139+
result.getARhs() = node.(DataFlow::CallNode).getReceiver()
136140
}
137141

138142
/**

javascript/ql/test/library-tests/frameworks/data/test.expected

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,8 @@ taintFlow
3333
| test.js:95:17:95:24 | source() | test.js:95:17:95:24 | source() |
3434
| test.js:96:17:96:24 | source() | test.js:96:17:96:24 | source() |
3535
| test.js:97:17:97:24 | source() | test.js:97:17:97:24 | source() |
36+
| test.js:102:16:102:34 | testlib.getSource() | test.js:103:8:103:13 | source |
37+
| test.js:102:16:102:34 | testlib.getSource() | test.js:104:8:104:24 | source.continue() |
3638
isSink
3739
| test.js:54:18:54:25 | source() | test-sink |
3840
| test.js:55:22:55:29 | source() | test-sink |

javascript/ql/test/library-tests/frameworks/data/test.js

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -97,3 +97,10 @@ function testSinks() {
9797
testlib.sink3(source()); // NOT OK
9898
testlib.sink4(source()); // OK
9999
}
100+
101+
function testFlowThroughReceiver() {
102+
let source = testlib.getSource();
103+
sink(source); // NOT OK
104+
sink(source.continue()); // NOT OK
105+
sink(source.blah()); // OK
106+
}

javascript/ql/test/library-tests/frameworks/data/test.ql

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,8 @@ class Steps extends ModelInput::SummaryModelCsv {
1212
"testlib;;Member[taintIntoCallbackThis];Argument[0];Argument[1..2].Parameter[this];taint",
1313
"testlib;;Member[preserveArgZeroAndTwo];Argument[0,2];ReturnValue;taint",
1414
"testlib;;Member[preserveAllButFirstArgument];Argument[1..];ReturnValue;taint",
15-
"testlib;;Member[preserveAllIfCall].Call;Argument[0..];ReturnValue;taint"
15+
"testlib;;Member[preserveAllIfCall].Call;Argument[0..];ReturnValue;taint",
16+
"testlib;;Member[getSource].ReturnValue.Member[continue];Argument[this];ReturnValue;taint",
1617
]
1718
}
1819
}
@@ -36,11 +37,19 @@ class Sinks extends ModelInput::SinkModelCsv {
3637
}
3738
}
3839

40+
class Sources extends ModelInput::SourceModelCsv {
41+
override predicate row(string row) {
42+
row = "testlib;;Member[getSource].ReturnValue;test-source"
43+
}
44+
}
45+
3946
class BasicTaintTracking extends TaintTracking::Configuration {
4047
BasicTaintTracking() { this = "BasicTaintTracking" }
4148

4249
override predicate isSource(DataFlow::Node source) {
4350
source.(DataFlow::CallNode).getCalleeName() = "source"
51+
or
52+
source = ModelOutput::getASourceNode("test-source").getAnImmediateUse()
4453
}
4554

4655
override predicate isSink(DataFlow::Node sink) {

0 commit comments

Comments
 (0)