
Commit e4d891c

committed
JS: Add tests for flow through replace
1 parent 9cfbb90 commit e4d891c


2 files changed

+29
-0
lines changed

2 files changed

+29
-0
lines changed

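--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -124,6 +124,11 @@ typeInferenceMismatch
 | static-capture-groups.js:2:17:2:24 | source() | static-capture-groups.js:27:14:27:22 | RegExp.$1 |
 | static-capture-groups.js:32:17:32:24 | source() | static-capture-groups.js:38:10:38:18 | RegExp.$1 |
 | static-capture-groups.js:42:12:42:19 | source() | static-capture-groups.js:43:14:43:22 | RegExp.$1 |
+| string-replace.js:3:13:3:20 | source() | string-replace.js:14:10:14:13 | data |
+| string-replace.js:3:13:3:20 | source() | string-replace.js:18:10:18:13 | data |
+| string-replace.js:3:13:3:20 | source() | string-replace.js:21:6:21:41 | safe(). ... taint) |
+| string-replace.js:3:13:3:20 | source() | string-replace.js:22:6:22:48 | safe(). ... taint) |
+| string-replace.js:3:13:3:20 | source() | string-replace.js:24:6:24:45 | taint.r ... + '!') |
 | thisAssignments.js:4:17:4:24 | source() | thisAssignments.js:5:10:5:18 | obj.field |
 | thisAssignments.js:7:19:7:26 | source() | thisAssignments.js:8:10:8:20 | this.field2 |
 | tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |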
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
import 'dummy';
2+
3+
let taint = source();
4+
5+
taint.replace('foo', data => {
6+
sink(data); // OK - can only be the value 'foo'
7+
});
8+
9+
taint.replace(/\d+/, data => {
10+
sink(data); // OK - can only be digits
11+
});
12+
13+
taint.replace(/[^a-z]+/, data => {
14+
sink(data); // NOT OK
15+
});
16+
17+
taint.replace(/&[^&]+;/, data => {
18+
sink(data); // NOT OK
19+
});
20+
21+
sink(safe().replace('foo', data => taint)); // NOT OK
22+
sink(safe().replace('foo', data => data + taint)); // NOT OK
23+
24+
sink(taint.replace('foo', data => data + '!')); // NOT OK -- propagates through replace call
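Review bot: Every callback in this new test file reads only its first parameter (the matched substring), so the cases on lines 5-19 leave the other callback arguments untested. `String.prototype.replace` also passes the capture groups, the match offset and, last, the whole input string to the callback. That last argument carries the full tainted value even when the pattern is `'foo'` or `/\d+/`. I would add a case such as `taint.replace(/\d+/, (match, offset, whole) => { sink(whole); }); // NOT OK - whole input string`, plus one where a capture group is wider than the "safe" part of the pattern. Regenerating BasicTaintTracking.expected to match would ensure the "OK" treatment of restricted patterns cannot silently extend to those parameters.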
