

Commit a39cb74

committed
JS: Heuristics
1 parent 58a34fc commit a39cb74

2 files changed

Lines changed: 25 additions & 6 deletions


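--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -234,6 +234,15 @@ module TaintTracking {
 * data flow edge, in the URI category.
 */
 predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
+
+/**
+* Holds if `pred` → `succ` should be considered a taint-propagating
+* data flow edge, in the heuristic category.
+*
+* Note that this set of steps will be empty unless libraries from
+* `semmle.javascript.heuristics` are explicitly imported.
+*/
+predicate heuristicStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
 }
 
 /**
@@ -244,6 +253,8 @@ module TaintTracking {
 or
 any(AdditionalTaintStep step).step(pred, succ)
 or
+any(SharedTaintStep step).heuristicStep(pred, succ)
+or
 uriStep(pred, succ)
 }
 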
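--- a/javascript/ql/src/semmle/javascript/heuristics/AdditionalTaintSteps.qll
+++ b/javascript/ql/src/semmle/javascript/heuristics/AdditionalTaintSteps.qll
@@ -7,16 +7,24 @@
 import javascript
 
 /**
-* A heuristic additional flow step in a security query.
+* DEPRECATED.
+*
+* The target of a heuristic additional flow step in a security query.
 */
-abstract class HeuristicAdditionalTaintStep extends DataFlow::ValueNode { }
+deprecated class HeuristicAdditionalTaintStep extends DataFlow::Node {
+HeuristicAdditionalTaintStep() {
+any(TaintTracking::SharedTaintStep step).heuristicStep(_, this)
+}
+}
 
 /**
 * A call to `tainted.replace(x, y)` that preserves taint.
 */
-private class HeuristicStringManipulationTaintStep extends HeuristicAdditionalTaintStep,
-TaintTracking::AdditionalTaintStep, StringReplaceCall {
-override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-pred = getReceiver() and succ = this
+private class HeuristicStringManipulationTaintStep extends TaintTracking::SharedTaintStep {
+override predicate heuristicStep(DataFlow::Node pred, DataFlow::Node succ) {
+exists(StringReplaceCall call |
+pred = call.getReceiver() and
+succ = call
+)
 }
 }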
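Review bot: The deprecation comment on `HeuristicAdditionalTaintStep` says only `DEPRECATED.` and does not name the replacement, so a query author hitting the deprecation warning has nothing to migrate to; I would write `* DEPRECATED: extend TaintTracking::SharedTaintStep and override heuristicStep instead.` The class also changes from an `abstract` class over `DataFlow::ValueNode` to a concrete class over `DataFlow::Node` with a characteristic predicate, so an external subclass written against the old contract would, as far as I can tell, no longer contribute steps and would have its instances restricted to nodes that are already targets of some `heuristicStep`; that silent narrowing is worth a sentence in the same comment, e.g. `* Subclassing this class no longer adds taint steps.` The `HeuristicStringManipulationTaintStep` rewrite looks equivalent to the removed version, since `pred = call.getReceiver() and succ = call` over an existential `StringReplaceCall` matches the old `pred = getReceiver() and succ = this` on the class itself.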
