
JS: make array taint-step better #7010

Open. Wants to merge 1 commit into base branch `main`.
Conversation

Labels
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
@japroc
Contributor

@japroc japroc commented Oct 31, 2021

Hello! 👋

I have met a case where taint tracking was broken on an expression like `filter((x) => !!x)`. Actually it's a pretty straightforward taint-step, like `filter((x) => x)`. So I made a PR.

There are also 2 points to discuss:

  1. I didn't find a test case for the current filter taint-step.
  2. Why don't you consider cases like `filter((x) => x.name)` as a correct taint-step? Because of potential false positives? I have some code:

```ql
// `filter` branch of the array taint step; `call`, `pred` and `succ` are
// bound by the enclosing predicate.
call.(DataFlow::MethodCallNode).getMethodName() = "filter" and
pred = call.getReceiver() and
succ = call and
exists(DataFlow::FunctionNode callback, Expr retexpr, DataFlow::Node retnode |
  callback = call.getArgument(0).getAFunctionValue() and
  // accept `x`, `x.p` and the same expression under a double `!`
  retexpr =
    [
      callback.getAReturn().asExpr(),
      callback.getAReturn().asExpr().(LogNotExpr).getOperand().(LogNotExpr).getOperand()
    ] and
  // the returned expression must be a reference to the callback's first parameter
  DataFlow::exprNode(retexpr) = AccessPath::getAReferenceTo(retnode, _) and
  retnode = callback.getParameter(0).getALocalUse() and
  (retexpr instanceof DotExpr or retexpr instanceof VarRef)
)
```

It would be interesting to know what you think about this.

I saw in blame that you removed the wide taint-step for any filter (4ac21e9). And of course, filters like `(x > 5)` or `x.Includes(allowlist)` are incorrect taint steps. But I think that cases like `x => x.name`, `x => !!x`, `x => !!x.name` are points for discussion.

Waiting for your thoughts 😊

@japroc japroc requested a review from as a code owner Oct 31, 2021
@github-actions github-actions bot added the JS label Oct 31, 2021
@owen-mc owen-mc changed the title make array taint-step better JS: make array taint-step better Oct 31, 2021
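The callback shapes under discussion (identity, `!!x`, `x.name`, `!!x.name` as taint-preserving; comparisons or allowlist checks as not) can be illustrated without CodeQL. The following is an added example, not code from this PR or from the CodeQL JavaScript library: it uses `Function.prototype.toString()` and a regular expression to approximate, at the source level, the restriction the QL fragment above places on the callback's return expression (a reference to parameter 0, optionally through property accesses, optionally under a double logical not). The names `classifyFilterCallback`, `returnedExpression` and `filterPreservesTaint` are this example's own.

```javascript
// Added example (not part of the PR or of CodeQL): a source-level
// approximation of which Array.prototype.filter callbacks should keep taint.

// Match a single-parameter arrow function and capture the parameter name and
// the body text. Function.prototype.toString() returns the original source.
const ARROW_RE = /^\(?\s*([A-Za-z_$][\w$]*)\s*\)?\s*=>\s*([\s\S]+)$/;

// Reduce a `{ return <expr>; }` block body, or a parenthesised expression
// body, to the returned expression itself.
function returnedExpression(body) {
  let b = body.trim();
  const block = b.match(/^\{\s*return\s+([\s\S]+?);?\s*\}$/);
  if (block) b = block[1].trim();
  while (b.startsWith('(') && b.endsWith(')')) b = b.slice(1, -1).trim();
  return b;
}

// Classify the callback's returned expression. Returns:
//   'identity'            -> x => x        (the step already present)
//   'truthiness'          -> x => !!x      (the step this PR adds)
//   'property'            -> x => x.name   (discussed in the PR)
//   'property-truthiness' -> x => !!x.name (discussed in the PR)
//   null                  -> anything else, e.g. x => x > 5 or
//                            x => x.includes(allow), which act as checks
function classifyFilterCallback(fn) {
  const m = ARROW_RE.exec(fn.toString().trim());
  if (!m) return null; // not a single-parameter arrow function: be conservative
  const [, param, rawBody] = m;
  const expr = returnedExpression(rawBody);
  // optional `!!`, then the parameter, then zero or more `.name` accesses,
  // and nothing else (so calls, comparisons and arithmetic are rejected)
  const esc = param.replace(/\$/g, '\\$');
  const shape = new RegExp(`^(!!)?${esc}((?:\\.[A-Za-z_$][\\w$]*)*)$`).exec(expr);
  if (!shape) return null;
  const negated = shape[1] === '!!';
  const hasProperty = shape[2] !== '';
  if (!negated && !hasProperty) return 'identity';
  if (negated && !hasProperty) return 'truthiness';
  if (!negated && hasProperty) return 'property';
  return 'property-truthiness';
}

// True when the filter call should be modelled as a taint step from the
// receiver array to the call result.
function filterPreservesTaint(fn) {
  return classifyFilterCallback(fn) !== null;
}
```

The classifier only recognises single-parameter arrow functions whose source text is intact, so minified or transpiled callbacks come back as `null`. That is the conservative direction: an unrecognised callback is treated as a possible validation step and gets no taint propagation, which matches the reason given in this thread for restricting the step in the first place.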
@esbena
Contributor

@esbena esbena commented Nov 1, 2021

Yes, the reason for the current behaviour is fear of false positives. We think your `=> !!x`, `=> !!x.p`, `=> x.p` cases are generally fine to have as special-case propagation steps.

We are happy to merge your suggestion, could you add a test?
Feel free to attempt to support the suggested property presence check as well, either in this PR or another PR.
