CodeQL library for JavaScript/TypeScript
codeql/javascript-all 2.6.3 (changelog, source)

Module TaintTracking

Provides classes for modeling taint propagation.

Import path

import javascript

Predicates

arrayStep

Holds if pred -> succ is a taint propagating data flow edge through an array.

defaultSanitizer

Holds if node is seen as a barrier for taint-tracking.

defaultTaintStep

Holds if there is a taint step from node1 to node2.

deserializeStep

Holds if pred -> succ should be considered a taint-propagating data flow edge through data deserialization, such as JSON.parse.

heapStep

Holds if pred -> succ is a taint propagating data flow edge through the heap.

isNumberGuard

Holds if guard is a test that checks if operand is a number.

isStringTypeGuard

A test for the value of typeof x, restricting the potential types of x.

isTypeofGuard

Holds if test is a guard that checks if operand is typeof tag.

isUrlSearchParams

Holds if params is a construction of a URLSearchParams that parses the parameters in input.

persistentStorageStep

Holds if pred -> succ is a taint propagating data flow edge through persistent storage.

promiseStep

Holds if pred -> succ should be considered a taint-propagating data flow edge through a promise.

serializeStep

Holds if pred -> succ should be considered a taint-propagating data flow edge through data serialization, such as JSON.stringify.

sharedTaintStep

Holds if pred -> succ is an edge used by all taint-tracking configurations in the old data flow library.

stringConcatenationStep

Holds if pred -> succ is a taint propagating data flow edge through string concatenation.

stringManipulationStep

Holds if pred -> succ is a taint propagating data flow edge through string manipulation (other than concatenation).

uriStep

Holds if pred -> succ should be considered a taint-propagating data flow edge through a URI library function.

viewComponentStep

Holds if pred -> succ is a taint propagating data flow edge through the properties of a view component, such as the state or props of a React component.

Classes

AdHocWhitelistCheckSanitizer

A check of the form if(<isWhitelisted>(x)), which sanitizes x in its “then” branch.

AdditionalBarrierGuard

A barrier guard that applies to all taint-tracking configurations.

AdditionalSanitizerGuardNode

DEPRECATED. This class was part of the old data flow library which is now deprecated. Use TaintTracking::AdditionalBarrierGuard instead.

AdditionalTaintStep

A taint-propagating data flow edge that should be added to all taint tracking configurations, but only those that use the new data flow library.

Configuration

DEPRECATED. Subclasses of this class should be replaced by a module implementing the new ConfigSig or StateConfigSig interface. See the migration guide for more details.

ErrorConstructorTaintStep

A taint step through an exception constructor, such as x to new Error(x).

InSanitizer

A check of the form if(x in o), which sanitizes x in its “then” branch.

IsEmptyGuard

A test of form x.length === "0", preventing x from being tainted.

LabeledSanitizerGuardNode

A sanitizer guard node that only blocks specific flow labels.

LegacyTaintStep

A taint-propagating data flow edge that should be used with the old data flow library.

MembershipTestSanitizer

A check of the form whitelist.includes(x) or equivalent, which sanitizes x in its “then” branch.

PositiveIndexOfSanitizer

A check of form x.indexOf(y) > 0 or similar, which sanitizes y in the “then” branch.

SanitizerGuardNode

A node that can act as a sanitizer when appearing in a condition.

SanitizingRegExpTest

A conditional checking a tainted string against a regular expression, which is considered to be a sanitizer for all configurations.

SharedTaintStep

A taint-propagating data flow edge that should be added to all taint tracking configurations in addition to standard data flow edges.

StringConcatenationTaintStep

A taint propagating data flow edge arising from string concatenations.

TypeOfUndefinedSanitizer

A check of the form typeof x === "undefined", which sanitizes x in its “then” branch.

UndefinedCheckSanitizer

A check of the form if(o[x] != undefined), which sanitizes x in its “then” branch.

UtilInspectTaintStep

A taint step through the Node.js function util.inspect(..).

WhitelistContainmentCallSanitizer

A check of the form if(o.<contains>(x)), which sanitizes x in its “then” branch.

Modules

AdditionalTaintStep

Contains predicates for accessing the taint steps used by taint-tracking configurations in the new data flow library.

Aliases

AdHocWhitelistCheckSanitizer

Barrier nodes derived from the AdHocWhitelistCheckSanitizer class.