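--- a/javascript/ql/lib/semmle/javascript/dataflow
+++ b/javascript/ql/lib/semmle/javascript/dataflow
@@ -716,11 +716,40 @@ module TaintTracking {
 */
 private class JsonStringifyTaintStep extends SharedTaintStep {
 override predicate serializeStep ( DataFlow:: Node pred , DataFlow:: Node succ ) {
-exists ( JsonStringifyCall call |
-pred = call .getArgument ( 0 ) and
+exists ( JsonStringifyCall call , DataFlow:: Node arg |
+arg = call .getArgument ( 0 ) and
+(
+pred = arg or
+findInObject ( arg .asExpr ( ) , pred .asExpr ( ) )
+) and
 succ = call
 )
 }
+
+// find target in root object recursively
+private predicate findInObject ( Expr root , Expr target ) {
+// when root is Object
+exists ( ObjectExpr object , Property property , Expr propertyVal |
+object = root and
+property = object .getAProperty ( ) and
+propertyVal = property .getInit ( ) and
+(
+target = property .getNameExpr ( ) or
+target = propertyVal or
+findInObject ( propertyVal , target )
+)
+)
+or
+// when root is Array
+exists ( ArrayExpr array , Expr child |
+array = root and
+child = array .getAChildExpr ( ) and
+(
+target = child or
+findInObject ( child , target )
+)
+)
+}
 }
 
 /**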
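Review bot: The new `findInObject` predicate (lines 729–752 of the new side) carries only `//` line comments, whereas CodeQL convention is a QLDoc block stating the relation it defines, and the recursion only follows syntactic nesting — an `ObjectExpr` reached through `getAProperty().getInit()` or an `ArrayExpr` child — so an argument that is a variable holding a previously built object, or a property added later by assignment, is not matched by this step. That coverage limit should be explicit in the doc so nobody reads the helper as general containment: `/** Holds if `target` is a property name expression, a property value, or an array element nested (at any depth) inside the object or array literal `root`. */`. Because the step taints the whole `JSON.stringify` result from any nested tainted value, it is also worth a one-line note in `serializeStep` saying the over-approximation is intentional. Predicate names in QL read as relations rather than imperative calls, so a name such as `isNestedInLiteral` would fit the surrounding file better than `findInObject`, though that is a style preference. The `SharedTaintStep` class ends at line 753, within the hunk.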