JS: Add spread step in TaintedObject

asgerf · asgerf · commit ef52c46aed23 · 2020-12-07T10:16:37.000Z
diff --git a/javascript/ql/src/semmle/javascript/security/TaintedObject.qll b/javascript/ql/src/semmle/javascript/security/TaintedObject.qll
@@ -63,6 +63,14 @@ module TaintedObject {
       src = call.getASourceOperand() and
       trg = call.getDestinationOperand().getALocalSource()
     )
+    or
+    // Spreading into an object preserves deep object taint: `p -> { ...p }`
+    inlbl = label() and
+    outlbl = label() and
+    exists(ObjectLiteralNode obj |
+      src = obj.getASpreadProperty() and
+      trg = obj
+    )
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,14 @@ module TaintedObject {`
`63`	`63`	`src = call.getASourceOperand() and`
`64`	`64`	`trg = call.getDestinationOperand().getALocalSource()`
`65`	`65`	`)`
	`66`	`+ or`
	`67`	+ // Spreading into an object preserves deep object taint: `p -> { ...p }`
	`68`	`+ inlbl = label() and`
	`69`	`+ outlbl = label() and`
	`70`	`+ exists(ObjectLiteralNode obj \|`
	`71`	`+ src = obj.getASpreadProperty() and`
	`72`	`+ trg = obj`
	`73`	`+ )`
`66`	`74`	`}`
`67`	`75`
`68`	`76`	`/**`