JS: Track trusted type policy callbacks

asgerf · asgerf · commit 0affd898dec7 · 2023-03-07T10:22:26.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/TrustedTypes.qll b/javascript/ql/lib/semmle/javascript/frameworks/TrustedTypes.qll
@@ -25,8 +25,7 @@ module TrustedTypes {
 
     /** Gets the function passed as the given option. */
     DataFlow::FunctionNode getPolicyCallback(string method) {
-      // Require local callback to avoid potential call/return mismatch in the uses below
-      result = getOptionArgument(1, method).getALocalSource()
+      result = getParameter(1).getMember(method).getAValueReachingSink()
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,7 @@ module TrustedTypes {`
`25`	`25`
`26`	`26`	`/** Gets the function passed as the given option. */`
`27`	`27`	`DataFlow::FunctionNode getPolicyCallback(string method) {`
`28`		`- // Require local callback to avoid potential call/return mismatch in the uses below`
`29`		`- result = getOptionArgument(1, method).getALocalSource()`
	`28`	`+ result = getParameter(1).getMember(method).getAValueReachingSink()`
`30`	`29`	`}`
`31`	`30`	`}`
`32`	`31`