For other CodeQL resources, including tutorials and examples, see the CodeQL documentation

TaintTracking

Module TaintTracking

Imports

javascript

Modules

TaintTracking

Module TaintTracking

Provides classes for modeling taint propagation.

Import path


                                import javascript

Predicates

arrayStep	Holds if `pred -> succ` is a taint propagating data flow edge through an array.
deserializeStep	Holds if `pred` → `succ` should be considered a taint-propagating data flow edge through data deserialization, such as `JSON.parse`.
heapStep	Holds if `pred -> succ` is a taint propagating data flow edge through the heap.
isNumberGuard	Holds if `guard` is a test that checks if `operand` is a number.
isStringTypeGuard	A test for the value of `typeof x`, restricting the potential types of `x`.
isTypeofGuard	Holds if `test` is a guard that checks if `operand` is typeof `tag`.
isUrlSearchParams	Holds if `params` is a construction of a `URLSearchParams` that parses the parameters in `input`.
persistentStorageStep	Holds if `pred -> succ` is a taint propagating data flow edge through persistent storage.
promiseStep	Holds if `pred` → `succ` should be considered a taint-propagating data flow edge through a promise.
serializeStep	Holds if `pred` → `succ` should be considered a taint-propagating data flow edge through data serialization, such as `JSON.stringify`.
sharedTaintStep	Holds if `pred -> succ` is an edge used by all taint-tracking configurations.
stringConcatenationStep	Holds if `pred -> succ` is a taint propagating data flow edge through string concatenation.
stringManipulationStep	Holds if `pred -> succ` is a taint propagating data flow edge through string manipulation (other than concatenation).
uriStep	Holds if `pred` → `succ` should be considered a taint-propagating data flow edge through a URI library function.
viewComponentStep	Holds if `pred -> succ` is a taint propagating data flow edge through the properties of a view compenent, such as the `state` or `props` of a React component.

Classes

AdHocWhitelistCheckSanitizer	A check of the form `if(<isWhitelisted>(x))`, which sanitizes `x` in its “then” branch.
AdditionalSanitizerGuardNode	A `SanitizerGuardNode` that controls which taint tracking configurations it is used in.
Configuration	A data flow tracking configuration that considers taint propagation through objects, arrays, promises and strings in addition to standard data flow.
ErrorConstructorTaintStep	A taint step through an exception constructor, such as `x` to `new Error(x)`.
InSanitizer	A check of the form `if(x in o)`, which sanitizes `x` in its “then” branch.
IsEmptyGuard	A test of form `x.length === "0"`, preventing `x` from being tainted.
LabeledSanitizerGuardNode	A sanitizer guard node that only blocks specific flow labels.
MembershipTestSanitizer	A check of the form `whitelist.includes(x)` or equivalent, which sanitizes `x` in its “then” branch.
PositiveIndexOfSanitizer	A check of form `x.indexOf(y) > 0` or similar, which sanitizes `y` in the “then” branch.
SanitizerGuardNode	A node that can act as a sanitizer when appearing in a condition.
SanitizingRegExpTest	A conditional checking a tainted string against a regular expression, which is considered to be a sanitizer for all configurations.
SharedTaintStep	A taint-propagating data flow edge that should be added to all taint tracking configurations in addition to standard data flow edges.
StringConcatenationTaintStep	A taint propagating data flow edge arising from string concatenations.
TypeOfUndefinedSanitizer	A check of the form `type x === "undefined"`, which sanitized `x` in its “then” branch.
UndefinedCheckSanitizer	A check of the form `if(o[x] != undefined)`, which sanitizes `x` in its “then” branch.
UtilInspectTaintStep	A taint step through the Node.JS function `util.inspect(..)`.
WhitelistContainmentCallSanitizer	A check of the form `if(o.<contains>(x))`, which sanitizes `x` in its “then” branch.