JS: Disallow implicit reads before an optional step

asgerf · asgerf · commit bc04131c72d3 · 2024-09-12T13:42:22.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
@@ -61,5 +61,7 @@ predicate defaultTaintSanitizer(DataFlow::Node node) {
 bindingset[node]
 predicate defaultImplicitTaintRead(DataFlow::Node node, ContentSet c) {
   exists(node) and
-  c = [ContentSet::promiseValue(), ContentSet::arrayElement()]
+  c = [ContentSet::promiseValue(), ContentSet::arrayElement()] and
+  // Optional steps are added through isAdditionalFlowStep but we don't want the implicit reads
+  not optionalStep(node, _, _)
 }

Original file line number	Diff line number	Diff line change
`@@ -61,5 +61,7 @@ predicate defaultTaintSanitizer(DataFlow::Node node) {`
`61`	`61`	`bindingset[node]`
`62`	`62`	`predicate defaultImplicitTaintRead(DataFlow::Node node, ContentSet c) {`
`63`	`63`	`exists(node) and`
`64`		`- c = [ContentSet::promiseValue(), ContentSet::arrayElement()]`
	`64`	`+ c = [ContentSet::promiseValue(), ContentSet::arrayElement()] and`
	`65`	`+ // Optional steps are added through isAdditionalFlowStep but we don't want the implicit reads`
	`66`	`+ not optionalStep(node, _, _)`
`65`	`67`	`}`