@@ -150,11 +150,11 @@ module AsyncPackage {
150150 *
151151 * For example: `data -> item` in `async.each(data, (item, cb) => {})`.
152152 */
153- private class IterationInputTaintStep extends TaintTracking:: AdditionalTaintStep , IterationCall {
153+ private class IterationInputTaintStep extends TaintTracking:: SharedTaintStep {
154154 override predicate step ( DataFlow:: Node pred , DataFlow:: Node succ ) {
155- exists ( DataFlow:: FunctionNode iteratee |
156- iteratee = getIteratorCallback ( ) and // Require a closure to avoid spurious call/return mismatch.
157- pred = getCollection ( ) and
155+ exists ( DataFlow:: FunctionNode iteratee , IterationCall call |
156+ iteratee = call . getIteratorCallback ( ) and // Require a closure to avoid spurious call/return mismatch.
157+ pred = call . getCollection ( ) and
158158 succ = iteratee .getParameter ( 0 )
159159 )
160160 }
@@ -166,20 +166,19 @@ module AsyncPackage {
166166 *
167167 * For example: `item + taint()` -> result` in `async.map(data, (item, cb) => cb(null, item + taint()), (err, result) => {})`.
168168 */
169- private class IterationOutputTaintStep extends TaintTracking:: AdditionalTaintStep , IterationCall {
170- IterationOutputTaintStep ( ) {
171- name = "concat" or
172- name = "map" or
173- name = "reduce" or
174- name = "reduceRight"
175- }
176-
169+ private class IterationOutputTaintStep extends TaintTracking:: SharedTaintStep {
177170 override predicate step ( DataFlow:: Node pred , DataFlow:: Node succ ) {
178- exists ( DataFlow:: FunctionNode iteratee , DataFlow:: FunctionNode final , int i |
179- iteratee = getIteratorCallback ( ) .getALocalSource ( ) and
180- final = getFinalCallback ( ) and // Require a closure to avoid spurious call/return mismatch.
171+ exists ( DataFlow:: FunctionNode iteratee , DataFlow:: FunctionNode final , int i , IterationCall call |
172+ iteratee = call . getIteratorCallback ( ) .getALocalSource ( ) and
173+ final = call . getFinalCallback ( ) and // Require a closure to avoid spurious call/return mismatch.
181174 pred = getLastParameter ( iteratee ) .getACall ( ) .getArgument ( i ) and
182- succ = final .getParameter ( i )
175+ succ = final .getParameter ( i ) and
176+ exists ( string name | name = call .getName ( ) |
177+ name = "concat" or
178+ name = "map" or
179+ name = "reduce" or
180+ name = "reduceRight"
181+ )
183182 )
184183 }
185184 }
@@ -189,17 +188,13 @@ module AsyncPackage {
189188 *
190189 * For example: `data -> result` in `async.sortBy(data, orderingFn, (err, result) => {})`.
191190 */
192- private class IterationPreserveTaintStep extends TaintTracking:: AdditionalTaintStep , IterationCall {
193- IterationPreserveTaintStep ( ) {
194- name = "sortBy"
195- // We don't currently include `filter` and `reject` as they could act as sanitizers.
196- }
197-
191+ private class IterationPreserveTaintStep extends TaintTracking:: SharedTaintStep {
198192 override predicate step ( DataFlow:: Node pred , DataFlow:: Node succ ) {
199- exists ( DataFlow:: FunctionNode final |
200- final = getFinalCallback ( ) and // Require a closure to avoid spurious call/return mismatch.
201- pred = getCollection ( ) and
202- succ = final .getParameter ( 1 )
193+ exists ( DataFlow:: FunctionNode final , IterationCall call |
194+ final = call .getFinalCallback ( ) and // Require a closure to avoid spurious call/return mismatch.
195+ pred = call .getCollection ( ) and
196+ succ = final .getParameter ( 1 ) and
197+ call .getName ( ) = "sortBy"
203198 )
204199 }
205200 }
0 commit comments