CodeQL library for JavaScript

Module TrackedNodes

DEPRECATED: Use TypeTracking.qll instead.

The following TrackedNode usage is usually equivalent to the type tracking usage below.

class MyTrackedNode extends TrackedNode {
  MyTrackedNode() { isInteresting(this) }
}

DataFlow::Node getMyTrackedNodeLocation(MyTrackedNode n) {
  n.flowsTo(result)
}

DataFlow::SourceNode getMyTrackedNodeLocation(DataFlow::SourceNode start, DataFlow::TypeTracker t) {
  t.start() and
  isInteresting(result) and
  result = start
  or
  exists(DataFlow::TypeTracker t2 |
    result = getMyTrackedNodeLocation(start, t2).track(t2, t)
  )
}

DataFlow::SourceNode getMyTrackedNodeLocation(DataFlow::SourceNode n) {
  result = getMyTrackedNodeLocation(n, DataFlow::TypeTracker::end())
}

In rare cases, for instance when tracking string constants, additional tracking is required, and the following type tracking formulation must be used instead.

DataFlow::Node getMyTrackedNodeLocation(DataFlow::Node start, DataFlow::TypeTracker t) {
  t.start() and
  isInteresting(result) and
  result = start
  or
  exists(DataFlow::TypeTracker t2 |
    t = t2.smallstep(getMyTrackedNodeLocation(start, t2), result)
  )
}

DataFlow::Node getMyTrackedNodeLocation(DataFlow::Node n) {
  result = getMyTrackedNodeLocation(n, DataFlow::TypeTracker::end())
}
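
The SourceNode-based formulation above, completed into a full query as an added example (not part of the CodeQL library documentation). The definition of isInteresting as "imports of child_process" and the choice of exec as the member call to report are assumptions made for illustration.

```ql
import javascript

// Assumption for this example: the interesting nodes are imports of `child_process`.
predicate isInteresting(DataFlow::SourceNode n) {
  n = DataFlow::moduleImport("child_process")
}

// Same shape as the type tracking predicate shown above: `start` is the
// interesting node, `result` is a node that a reference to it has reached.
DataFlow::SourceNode getMyTrackedNodeLocation(DataFlow::SourceNode start, DataFlow::TypeTracker t) {
  t.start() and
  isInteresting(result) and
  result = start
  or
  exists(DataFlow::TypeTracker t2 |
    result = getMyTrackedNodeLocation(start, t2).track(t2, t)
  )
}

DataFlow::SourceNode getMyTrackedNodeLocation(DataFlow::SourceNode start) {
  result = getMyTrackedNodeLocation(start, DataFlow::TypeTracker::end())
}

// Report `exec` calls made on any tracked reference, including references
// passed through function parameters and return values.
from DataFlow::SourceNode imp, DataFlow::CallNode call
where call = getMyTrackedNodeLocation(imp).getAMemberCall("exec")
select call, "exec() is called on a reference to $@.", imp, "this child_process import"
```

Reporting the start node alongside each call lets a reviewer see which import a flagged call site resolves to when the reference crosses function boundaries.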

Provides support for inter-procedural tracking of a customizable set of data flow nodes.

Import path

import semmle.javascript.dataflow.TrackedNodes

Classes

TrackedExpr

An expression whose value should be tracked inter-procedurally.

TrackedNode

A data flow node that should be tracked inter-procedurally.