CodeQL library for JavaScript

Module TaintTracking

Provides classes for modelling taint propagation.

Import path

import javascript

Predicates

arrayStep

Holds if pred -> succ is a taint propagating data flow edge through an array.

deserializeStep

Holds if pred -> succ should be considered a taint-propagating data flow edge through data deserialization, such as JSON.parse.

heapStep

Holds if pred -> succ is a taint propagating data flow edge through the heap.

isTypeofGuard

Holds if test is a guard that checks if operand is typeof tag.

isUrlSearchParams

Holds if params is a construction of a URLSearchParams that parses the parameters in input.

localTaintStep

Holds if taint propagates from pred to succ in one local (intra-procedural) step.

persistentStorageStep

Holds if pred -> succ is a taint propagating data flow edge through persistent storage.

promiseStep

Holds if pred -> succ should be considered a taint-propagating data flow edge through a promise.

serializeStep

Holds if pred -> succ should be considered a taint-propagating data flow edge through data serialization, such as JSON.stringify.

sharedTaintStep

Holds if pred -> succ is an edge used by all taint-tracking configurations.

stringConcatenationStep

Holds if pred -> succ is a taint propagating data flow edge through string concatenation.

stringManipulationStep

Holds if pred -> succ is a taint propagating data flow edge through string manipulation (other than concatenation).

stringStep

Holds if pred -> succ is a taint propagating data flow edge through a string operation.

uriStep

Holds if pred -> succ should be considered a taint-propagating data flow edge through a URI library function.

viewComponentStep

Holds if pred -> succ is a taint propagating data flow edge through the properties of a view component, such as the state or props of a React component.

Classes

AdHocWhitelistCheckSanitizer

A check of the form if(<isWhitelisted>(x)), which sanitizes x in its “then” branch.

AdditionalSanitizerGuardNode

A SanitizerGuardNode that controls which taint tracking configurations it is used in.

Configuration

A data flow tracking configuration that considers taint propagation through objects, arrays, promises and strings in addition to standard data flow.

ConstantComparison

A check of the form if(x == 'some-constant'), which sanitizes x in its “then” branch.

ErrorConstructorTaintStep

A taint step through an exception constructor, such as from x to new Error(x).

InSanitizer

A check of the form if(x in o), which sanitizes x in its “then” branch.

IsEmptyGuard

A test of the form x.length === 0, preventing x from being tainted in the branch where the test holds.

LabeledSanitizerGuardNode

A sanitizer guard node that only blocks specific flow labels.

MembershipTestSanitizer

A check of the form whitelist.includes(x) or equivalent, which sanitizes x in its “then” branch.

PersistentStorageTaintStep

DEPRECATED. Use the predicate TaintTracking::persistentStorageStep instead.

PositiveIndexOfSanitizer

A check of the form x.indexOf(y) > 0 or similar, which sanitizes y in the “then” branch.

SanitizerGuardNode

A node that can act as a sanitizer when appearing in a condition.
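An added example, not part of the CodeQL library, of a query that uses both Configuration and SanitizerGuardNode together. It tracks remote user input into the first argument of a call to the global eval, adds a query-local taint step, and registers a custom sanitizer guard. The helper names isSafe and unwrap, the eval sink, and the query metadata are assumptions made for illustration; the module's shared taint steps and its own sanitizer guards apply without any extra declaration.

```ql
/**
 * @name Remote input flows into eval (added example)
 * @kind path-problem
 * @problem.severity error
 * @id js/examples/remote-input-to-eval
 */

import javascript
import semmle.javascript.security.dataflow.RemoteFlowSources
import DataFlow::PathGraph

/**
 * A call `isSafe(x)` treated as a sanitizer for `x` in the branch where the
 * call returns true. `isSafe` is a hypothetical application helper.
 */
class IsSafeGuard extends TaintTracking::SanitizerGuardNode, DataFlow::CallNode {
  IsSafeGuard() { this.getCalleeName() = "isSafe" }

  override predicate sanitizes(boolean outcome, Expr e) {
    outcome = true and
    e = this.getArgument(0).asExpr()
  }
}

/**
 * Tracks remote user input into the first argument of a global `eval` call.
 * The shared steps of this module (string, array, promise, URI, heap, ...)
 * are included automatically; only query-specific parts are declared here.
 */
class EvalTaintConfig extends TaintTracking::Configuration {
  EvalTaintConfig() { this = "EvalTaintConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) {
    sink = DataFlow::globalVarRef("eval").getACall().getArgument(0)
  }

  // Query-local extra step: `unwrap(x)` (hypothetical) returns tainted data
  // whenever `x` is tainted. A step that every query should see belongs in a
  // SharedTaintStep subclass instead of here.
  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(DataFlow::CallNode call |
      call.getCalleeName() = "unwrap" and
      pred = call.getArgument(0) and
      succ = call
    )
  }

  // Register the custom guard. The library's own guards, such as
  // SanitizingRegExpTest, apply to every configuration without this override.
  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
    guard instanceof IsSafeGuard
  }
}

from EvalTaintConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This eval() argument depends on $@.", source.getNode(),
  "remote user input"
```

Against Express code such as `const v = req.query.q; if (isSafe(v)) { eval(v); } else { eval(unwrap(v)); }`, req.query.q is a remote flow source, so the query is expected to report the eval(unwrap(v)) call and, because of IsSafeGuard, not the eval(v) call in the guarded branch. Note that overriding isSanitizerGuard replaces only what the query itself registers; the "then"-branch sanitizers listed on this page (ConstantComparison, MembershipTestSanitizer and the others) are still in force and will silence findings where those patterns occur.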

SanitizingRegExpTest

A conditional checking a tainted string against a regular expression, which is considered to be a sanitizer for all configurations.

SharedTaintStep

A taint-propagating data flow edge that should be added to all taint tracking configurations in addition to standard data flow edges.

StringConcatenationTaintStep

A taint propagating data flow edge arising from string concatenations.

TypeOfUndefinedSanitizer

A check of the form typeof x === "undefined", which sanitizes x in its “then” branch.

UndefinedCheckSanitizer

A check of the form if(o[x] != undefined), which sanitizes x in its “then” branch.

UtilInspectTaintStep

A taint step through the Node.js function util.inspect(..).

WhitelistContainmentCallSanitizer

A check of the form if(o.<contains>(x)), which sanitizes x in its “then” branch.

Aliases

AdditionalTaintStep

DEPRECATED. Subclasses should extend SharedTaintStep instead, unless the subclass is part of a query, in which case it should be moved into the isAdditionalTaintStep predicate of the relevant taint-tracking configuration. Other uses of the step relation in this class should instead use the TaintTracking::sharedTaintStep predicate.
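An added example, not part of the CodeQL library, of the library-side destination the note above points to: a SharedTaintStep subclass for a hypothetical custom deserializer myDecode(x). It overrides the class's deserializeStep member rather than the generic step, so the edge is also visible through the TaintTracking::deserializeStep predicate listed at the top of this page; both the myDecode name and the trailing sanity-check query are assumptions made for illustration.

```ql
import javascript

/**
 * Taint step through a hypothetical custom deserializer `myDecode(x)`:
 * the decoded result is tainted whenever the encoded input `x` is.
 * Overriding `deserializeStep` (instead of the generic `step`) makes the
 * edge show up in TaintTracking::deserializeStep and, through it, in
 * TaintTracking::sharedTaintStep, so every taint-tracking configuration
 * picks it up without being modified.
 */
class MyDecodeStep extends TaintTracking::SharedTaintStep {
  override predicate deserializeStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(DataFlow::CallNode call |
      call.getCalleeName() = "myDecode" and
      pred = call.getArgument(0) and
      succ = call
    )
  }
}

// Sanity check: list every pred -> succ pair the new step contributes,
// using the module-level predicate rather than the class directly.
from DataFlow::Node pred, DataFlow::Node succ
where
  TaintTracking::deserializeStep(pred, succ) and
  succ.(DataFlow::CallNode).getCalleeName() = "myDecode"
select pred, succ
```

A step defined this way affects every query in the database, so keep it to edges that genuinely preserve attacker control (the decoder here returns a value derived from its input); a step that is only relevant to one query belongs in that query's isAdditionalTaintStep, as the deprecation note says.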

InclusionSanitizer

DEPRECATED. This class has been renamed to MembershipTestSanitizer.

StringInclusionSanitizer

DEPRECATED. This class has been renamed to MembershipTestSanitizer.

arrayFunctionTaintStep

A taint propagating data flow edge from pred to succ caused by a call, call, to a builtin array function.