CodeQL library for JavaScript/TypeScript

codeql/javascript-all 0.8.15-dev (changelog, source)

Module TaintTracking

Provides classes for modeling taint propagation.

Import path

import javascript

Predicates

arrayStep	Holds if `pred -> succ` is a taint propagating data flow edge through an array.
deserializeStep	Holds if `pred` → `succ` should be considered a taint-propagating data flow edge through data deserialization, such as `JSON.parse`.
heapStep	Holds if `pred -> succ` is a taint propagating data flow edge through the heap.
isNumberGuard	Holds if `guard` is a test that checks if `operand` is a number.
isStringTypeGuard	A test for the value of `typeof x`, restricting the potential types of `x`.
isTypeofGuard	Holds if `test` is a guard that checks if `operand` is typeof `tag`.
isUrlSearchParams	Holds if `params` is a construction of a `URLSearchParams` that parses the parameters in `input`.
persistentStorageStep	Holds if `pred -> succ` is a taint propagating data flow edge through persistent storage.
promiseStep	Holds if `pred` → `succ` should be considered a taint-propagating data flow edge through a promise.
serializeStep	Holds if `pred` → `succ` should be considered a taint-propagating data flow edge through data serialization, such as `JSON.stringify`.
sharedTaintStep	Holds if `pred -> succ` is an edge used by all taint-tracking configurations.
stringConcatenationStep	Holds if `pred -> succ` is a taint propagating data flow edge through string concatenation.
stringManipulationStep	Holds if `pred -> succ` is a taint propagating data flow edge through string manipulation (other than concatenation).
uriStep	Holds if `pred` → `succ` should be considered a taint-propagating data flow edge through a URI library function.
viewComponentStep	Holds if `pred -> succ` is a taint propagating data flow edge through the properties of a view compenent, such as the `state` or `props` of a React component.

Classes

AdHocWhitelistCheckSanitizer	A check of the form `if(<isWhitelisted>(x))`, which sanitizes `x` in its “then” branch.
AdditionalSanitizerGuardNode	A `SanitizerGuardNode` that controls which taint tracking configurations it is used in.
Configuration	A data flow tracking configuration that considers taint propagation through objects, arrays, promises and strings in addition to standard data flow.
ErrorConstructorTaintStep	A taint step through an exception constructor, such as `x` to `new Error(x)`.
InSanitizer	A check of the form `if(x in o)`, which sanitizes `x` in its “then” branch.
IsEmptyGuard	A test of form `x.length === "0"`, preventing `x` from being tainted.
LabeledSanitizerGuardNode	A sanitizer guard node that only blocks specific flow labels.
MembershipTestSanitizer	A check of the form `whitelist.includes(x)` or equivalent, which sanitizes `x` in its “then” branch.
PositiveIndexOfSanitizer	A check of form `x.indexOf(y) > 0` or similar, which sanitizes `y` in the “then” branch.
SanitizerGuardNode	A node that can act as a sanitizer when appearing in a condition.
SanitizingRegExpTest	A conditional checking a tainted string against a regular expression, which is considered to be a sanitizer for all configurations.
SharedTaintStep	A taint-propagating data flow edge that should be added to all taint tracking configurations in addition to standard data flow edges.
StringConcatenationTaintStep	A taint propagating data flow edge arising from string concatenations.
TypeOfUndefinedSanitizer	A check of the form `type x === "undefined"`, which sanitized `x` in its “then” branch.
UndefinedCheckSanitizer	A check of the form `if(o[x] != undefined)`, which sanitizes `x` in its “then” branch.
UtilInspectTaintStep	A taint step through the Node.JS function `util.inspect(..)`.
WhitelistContainmentCallSanitizer	A check of the form `if(o.<contains>(x))`, which sanitizes `x` in its “then” branch.