22 * Provides a flow label for reasoning about URLs with a tainted query and fragment part,
33 * which we collectively refer to as the "suffix" of the URL.
44 */
5+
56import javascript
67
78/**
@@ -17,9 +18,7 @@ module TaintedUrlSuffix {
1718 * Can also be accessed using `TaintedUrlSuffix::label()`.
1819 */
1920 class TaintedUrlSuffixLabel extends FlowLabel {
20- TaintedUrlSuffixLabel ( ) {
21- this = "tainted-url-suffix"
22- }
21+ TaintedUrlSuffixLabel ( ) { this = "tainted-url-suffix" }
2322 }
2423
2524 /**
@@ -30,7 +29,7 @@ module TaintedUrlSuffix {
3029 /** Holds for `pred -> succ` is a step of form `x -> x.p` */
3130 private predicate isSafeLocationProp ( DataFlow:: PropRead read ) {
3231 // Ignore properties that refer to the scheme, domain, port, auth, or path.
33- exists ( string name | name = read .getPropertyName ( ) |
32+ exists ( string name | name = read .getPropertyName ( ) |
3433 name = "protocol" or
3534 name = "scheme" or
3635 name = "host" or
@@ -86,10 +85,14 @@ module TaintedUrlSuffix {
8685 name = "get"
8786 or
8887 // Methods on URL objects from the Closure library
89- name = "getDecodedQuery" or
90- name = "getFragment" or
91- name = "getParameterValue" or
92- name = "getParameterValues" or
88+ name = "getDecodedQuery"
89+ or
90+ name = "getFragment"
91+ or
92+ name = "getParameterValue"
93+ or
94+ name = "getParameterValues"
95+ or
9396 name = "getQueryData"
9497 )
9598 or
0 commit comments