JS: Add taint step for shift()

asgerf · asgerf · commit 3b09bc548e60 · 2024-09-12T13:42:17.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll
@@ -486,6 +486,11 @@ class Shift extends SummarizedCallable {
     preservesValue = true and
     input = "Argument[this].ArrayElement[0]" and
     output = "ReturnValue"
+    or
+    // ArrayElement[0] is not automatically converted to a taint step, so add it manually
+    preservesValue = false and
+    input = "Argument[this]" and
+    output = "ReturnValue"
   }
 }
 
diff --git a/javascript/ql/test/library-tests/TripleDot/arrays.js b/javascript/ql/test/library-tests/TripleDot/arrays.js
@@ -13,3 +13,10 @@ function shiftUnknown() {
     sink(array.shift()); // $ hasValueFlow=shift.unkn
     sink(array.shift()); // $ hasValueFlow=shift.unkn
 }
+
+function shiftTaint() {
+    const array = source('shift.directly-tainted');
+    sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
+    sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
+    sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
+}

Original file line number	Diff line number	Diff line change
`@@ -486,6 +486,11 @@ class Shift extends SummarizedCallable {`
`486`	`486`	`preservesValue = true and`
`487`	`487`	`input = "Argument[this].ArrayElement[0]" and`
`488`	`488`	`output = "ReturnValue"`
	`489`	`+ or`
	`490`	`+ // ArrayElement[0] is not automatically converted to a taint step, so add it manually`
	`491`	`+ preservesValue = false and`
	`492`	`+ input = "Argument[this]" and`
	`493`	`+ output = "ReturnValue"`
`489`	`494`	`}`
`490`	`495`	`}`
`491`	`496`