Skip to content

Commit 9e949d0

Browse files
committed
JS: Add taint step through destructuring for-of loop
1 parent de3c8bf commit 9e949d0

File tree

4 files changed

+21
-4
lines changed

4 files changed

+21
-4
lines changed

javascript/ql/src/semmle/javascript/Stmt.qll

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -818,6 +818,15 @@ abstract class EnhancedForLoop extends LoopStmt {
818818
result = getIterator().(DeclStmt).getADecl()
819819
}
820820

821+
/**
822+
* Gets the property, variable, or destructuring pattern occurring as the iterator
823+
* expression in this `for`-`in` or `for`-`of` loop.
824+
*/
825+
Expr getLValue() {
826+
result = getIteratorExpr() or
827+
result = getIterator().(DeclStmt).getADecl().getBindingPattern()
828+
}
829+
821830
/**
822831
* Gets an iterator variable of this `for`-`in` or `for`-`of` loop.
823832
*/

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -232,7 +232,7 @@ module TaintTracking {
232232
exists(ForOfStmt fos |
233233
this = DataFlow::valueNode(fos.getIterationDomain()) and
234234
pred = this and
235-
succ = DataFlow::ssaDefinitionNode(SSA::definition(fos.getIteratorExpr()))
235+
succ = DataFlow::lvalueNode(fos.getLValue())
236236
)
237237
}
238238
}

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@ typeInferenceMismatch
33
| addexpr.js:4:10:4:17 | source() | addexpr.js:6:3:6:14 | x |
44
| addexpr.js:11:15:11:22 | source() | addexpr.js:17:5:17:18 | value |
55
| addexpr.js:11:15:11:22 | source() | addexpr.js:19:3:19:14 | value |
6+
| destruct.js:20:7:20:14 | source() | destruct.js:13:14:13:19 | [a, b] |
67
#select
78
| access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
89
| addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
@@ -38,9 +39,11 @@ typeInferenceMismatch
3839
| constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:30:8:30:19 | d_safe.taint |
3940
| constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:17:8:17:14 | c.param |
4041
| constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:25:8:25:14 | d.param |
41-
| destruct.js:15:7:15:14 | source() | destruct.js:5:10:5:10 | z |
42-
| destruct.js:15:7:15:14 | source() | destruct.js:8:10:8:10 | w |
43-
| destruct.js:15:7:15:14 | source() | destruct.js:11:10:11:10 | q |
42+
| destruct.js:20:7:20:14 | source() | destruct.js:5:10:5:10 | z |
43+
| destruct.js:20:7:20:14 | source() | destruct.js:8:10:8:10 | w |
44+
| destruct.js:20:7:20:14 | source() | destruct.js:11:10:11:10 | q |
45+
| destruct.js:20:7:20:14 | source() | destruct.js:14:12:14:12 | a |
46+
| destruct.js:20:7:20:14 | source() | destruct.js:15:12:15:12 | b |
4447
| exceptions.js:3:15:3:22 | source() | exceptions.js:5:10:5:10 | e |
4548
| exceptions.js:21:17:21:24 | source() | exceptions.js:23:10:23:10 | e |
4649
| exceptions.js:21:17:21:24 | source() | exceptions.js:24:10:24:21 | e.toString() |

javascript/ql/test/library-tests/TaintTracking/destruct.js

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,11 @@ function test() {
99

1010
let { x: [ { y: q } ] } = obj;
1111
sink(q); // NOT OK
12+
13+
for (let [a, b] of obj) {
14+
sink(a); // NOT OK
15+
sink(b); // NOT OK
16+
}
1217
}
1318

1419
function g() {

0 commit comments

Comments
 (0)