Skip to content

Commit f1e95a8

Browse files
NapalysNapalys
committed
JS: Add: taint step test cases for findLastIndex, findLast, find
1 parent c03d69a commit f1e95a8

File tree

5 files changed

+396
-137
lines changed

5 files changed

+396
-137
lines changed

javascript/ql/test/library-tests/Arrays/DataFlow.ql

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,10 @@ import javascript
33
class ArrayFlowConfig extends DataFlow::Configuration {
44
ArrayFlowConfig() { this = "ArrayFlowConfig" }
55

6-
override predicate isSource(DataFlow::Node source) { source.asExpr().getStringValue() = "source" }
6+
override predicate isSource(DataFlow::Node source) {
7+
source.asExpr().getStringValue() = "source" or
8+
source.(DataFlow::CallNode).getCalleeName() = "source"
9+
}
710

811
override predicate isSink(DataFlow::Node sink) {
912
sink = any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument()

javascript/ql/test/library-tests/Arrays/TaintFlow.expected

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,3 +35,5 @@
3535
| arrays.js:120:19:120:26 | "source" | arrays.js:121:46:121:49 | item |
3636
| arrays.js:120:19:120:26 | "source" | arrays.js:122:10:122:16 | element |
3737
| arrays.js:126:19:126:26 | "source" | arrays.js:127:55:127:58 | item |
38+
| arrays.js:131:17:131:24 | source() | arrays.js:133:10:133:17 | element1 |
39+
| arrays.js:137:17:137:24 | source() | arrays.js:139:10:139:17 | element1 |

javascript/ql/test/library-tests/Arrays/TaintFlow.ql

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,10 @@ import javascript
33
class ArrayTaintFlowConfig extends TaintTracking::Configuration {
44
ArrayTaintFlowConfig() { this = "ArrayTaintFlowConfig" }
55

6-
override predicate isSource(DataFlow::Node source) { source.asExpr().getStringValue() = "source" }
6+
override predicate isSource(DataFlow::Node source) {
7+
source.asExpr().getStringValue() = "source" or
8+
source.(DataFlow::CallNode).getCalleeName() = "source"
9+
}
710

811
override predicate isSink(DataFlow::Node sink) {
912
sink = any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument()

javascript/ql/test/library-tests/Arrays/arrays.js

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -127,4 +127,21 @@
127127
const element = list.findLastIndex((item) => sink(item)); // NOT OK
128128
sink(element); // OK
129129
}
130+
{
131+
const arr = source();
132+
const element1 = arr.find((item) => sink(item)); // NOT OK - only found with taint-tracking.
133+
sink(element1); // NOT OK
134+
}
135+
136+
{
137+
const arr = source();
138+
const element1 = arr.findLast((item) => sink(item)); // NOT OK - only found with taint-tracking.
139+
sink(element1); // NOT OK
140+
}
141+
142+
{
143+
const arr = source();
144+
const element1 = arr.findLastIndex((item) => sink(item)); // NOT OK - only found with taint-tracking.
145+
sink(element1); // OK
146+
}
130147
});

0 commit comments

Comments
 (0)