@@ -216,6 +216,45 @@ For example, the **mysql** model that is included with the CodeQL JS analysis in
216216
217217 - ["mysql.Connection", "mysql", "Member[createConnection].ReturnValue"]
218218
219+
220+ -------------------------------------------------
221+
222+ In this example, we'll show how to add flow through calls to `decodeURIComponent `:
223+
224+ .. code-block :: js
225+
226+ let y = decodeURIComponent (x); // add taint flow from 'x' to 'y'
227+
228+
229+
230+ .. code-block :: yaml
231+
232+ extensions :
233+ - addsTo :
234+ pack : codeql/javascript-all
235+ extensible : summaryModel
236+ data :
237+ - [
238+ " global" ,
239+ " Member[decodeURIComponent]" ,
240+ " Argument[0]" ,
241+ " ReturnValue" ,
242+ " taint" ,
243+ ]
244+
245+
246+
247+ - Since we're adding flow *through * a function call, we add a tuple to the **summaryModel ** extension point.
248+ - The first column, **"global" **, begins the search for relevant calls at references to the global object.
249+ In JavaScript, global variables are properties of the global object, so this lets us access global variables or functions.
250+ - The second column, **Member[decodeURIComponent] **, is a path leading to the function calls we wish to model.
251+ In this case, we select references to the **decodeURIComponent ** member from the global object, that is,
252+ the global variable named **decodeURIComponent **.
253+ - The third column, **Argument[0] **, indicates the input of the flow. In this case, the first argument to the function call.
254+ - The fourth column, **ReturnValue **, indicates the output of the flow. In this case, the return value of the function call.
255+ - The last column, **taint **, indicates the kind of flow to add. The value **taint ** means the output is not necessarily equal
256+ to the input, but was was derived from the input in a taint-preserving way.
257+
219258Reference material
220259------------------
221260
0 commit comments