docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst
Lines changed: 4 additions & 6 deletions
@@ -22,25 +22,23 @@ will then automatically pick up this new source of remote flow.
22
22
However, this approach requires writing QL code and adding it to the standard library, which is not
23
23
always easy to do. Instead, you can also add a JSON file describing custom sources of untrusted
24
24
input to your code base and have it picked up without needing to modify the standard library. This
25
-
JSON file can be hand-written or generated by another tool, but note that these customizations
26
-
are specific to the code base containing the JSON file. To use them in other code bases, you need
27
-
to copy over the JSON file.
25
+
JSON file can be hand-written or generated by another tool. The custom remote flow sources are only available to the code base containing the JSON file. This means that you need to copy the JSON file into each code base that requires the customizations.
28
26
29
27
Specification format
30
28
--------------------
31
29
32
-
The JSON file must be called ``codeql-javascript-remote-flow-sources.json`` (case-sensitive) and
30
+
The JSON file must be called ``codeql-javascript-remote-flow-sources.json`` and
33
31
can be located anywhere in your code base. It should consist of a single JSON object. The property
34
32
names of this object are interpreted as `source types`. The values they map to should be arrays of
35
33
strings. Each string should be of the form ``window.props``, where ``props`` is a sequence of one
36
-
or more property names separated by dots, specifying that any value reachable from the global window
34
+
or more property names separated by dots. This notation specifies that any value reachable from the global window
37
35
object by this sequence of property names should be considered as untrusted user input of the
38
36
associated source type.
39
37
40
38
Example
41
39
-------
42
40
43
-
As an example, consider the following specification:
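Review bot: the reworded filename sentence drops the "(case-sensitive)" qualifier without replacement, so "-The JSON file must be called ``codeql-javascript-remote-flow-sources.json`` (case-sensitive) and" becomes "+The JSON file must be called ``codeql-javascript-remote-flow-sources.json`` and". That qualifier is the only thing telling a reader on a case-insensitive filesystem that the name must match exactly for the custom sources to be picked up; keep it, or, if the name is no longer matched case-sensitively, state that in the commit message so the doc change is traceable. Separately, the consolidated "+" paragraph that replaces the three-line passage about copying the JSON file, and the new line beginning "or more property names separated by dots. This notation specifies", both run far past the roughly 100-column wrapping used everywhere else in this .rst file; rewrap them (e.g. after "another tool." and after "separated by dots.") so the hunk matches the surrounding context lines.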