JS: Comment about manually applying taint steps

asgerf · asgerf · commit ea4bc9cdbbdd · 2024-03-13T12:30:05.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionQuery.qll
@@ -43,6 +43,8 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig {
   ) {
     TaintedObject::step(src, trg, inlbl, outlbl)
     or
+    // We're not using a taint-tracking config because taint steps would then apply to all flow states.
+    // So we use a plain data flow config and manually add the default taint steps.
     inlbl.isTaint() and
     TaintTracking::defaultTaintStep(src, trg) and
     inlbl = outlbl
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TemplateObjectInjectionQuery.qll
@@ -39,6 +39,8 @@ module TemplateObjectInjectionConfig implements DataFlow::StateConfigSig {
   ) {
     TaintedObject::step(src, trg, inlbl, outlbl)
     or
+    // We're not using a taint-tracking config because taint steps would then apply to all flow states.
+    // So we use a plain data flow config and manually add the default taint steps.
     inlbl.isTaint() and
     TaintTracking::defaultTaintStep(src, trg) and
     inlbl = outlbl
