JS: Convert 'split' taint step to legacy taint step

asgerf · asgerf · commit da696817a326 · 2024-09-12T13:42:05.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -356,6 +356,16 @@ module TaintTracking {
     }
   }
 
+  private class LegacySplitTaintStep extends LegacyTaintStep {
+    override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node target) {
+      exists(DataFlow::MethodCallNode call |
+        call.getMethodName() = "split" and
+        pred = call.getReceiver() and
+        target = call
+      )
+    }
+  }
+
   /**
    * A taint propagating data flow edge arising from string manipulation
    * functions defined in the standard library.
@@ -372,9 +382,8 @@ module TaintTracking {
               [
                 "anchor", "big", "blink", "bold", "concat", "fixed", "fontcolor", "fontsize",
                 "italics", "link", "padEnd", "padStart", "repeat", "replace", "replaceAll", "slice",
-                "small", "split", "strike", "sub", "substr", "substring", "sup",
-                "toLocaleLowerCase", "toLocaleUpperCase", "toLowerCase", "toUpperCase", "trim",
-                "trimLeft", "trimRight"
+                "small", "strike", "sub", "substr", "substring", "sup", "toLocaleLowerCase",
+                "toLocaleUpperCase", "toLowerCase", "toUpperCase", "trim", "trimLeft", "trimRight"
               ]
             or
             // sorted, interesting, properties of Object.prototype
