Class DataFlow::TypeBackTracker
Summary of the steps needed to back-track a use of a value to a given dataflow node.
This can be used to track callbacks that are passed to a certain API call, and are therefore expected to be called with a certain type of value.
Note that type back-tracking does not provide a source/sink relation, that is, it may determine that a node will be used in an API call somewhere, but it won’t determine exactly where that use was, or the path that led to the use.
It is recommended that all uses of this type are written in the following form,
for back-tracking some callback type myCallback:
DataFlow::SourceNode myCallback(DataFlow::TypeBackTracker t) {
t.start() and
result = (< some API call >).getArgument(< n >).getALocalSource()
or
exists (DataFlow::TypeBackTracker t2 |
result = myCallback(t2).backtrack(t2, t)
)
}
DataFlow::SourceNode myCallback() { result = myCallback(DataFlow::TypeBackTracker::end()) }
Instead of result = myCallback(t2).backtrack(t2, t), you can also use the equivalent
t2 = t.step(result, myCallback(t2)). If you additionally want to track individual
intra-procedural steps, use t2 = t.smallstep(result, myCallback(t2)).
Import path
import javascriptDirect supertypes
Predicates
| continue | Gets a type tracker that starts where this one has left off to allow continued tracking. |
| end | Holds if this is the end point of type tracking. |
| hasReturn | INTERNAL. DO NOT USE. |
| isInProp | Holds if this is the starting point of type backtracking, and the value is in the property named |
| prepend | Gets the summary resulting from prepending |
| smallstep | Gets the summary that corresponds to having taken a backwards local, heap and/or inter-procedural step from |
| start | Holds if this is the starting point of type tracking. |
| step | Gets the summary that corresponds to having taken a backwards heap and/or inter-procedural step from |
| toString | Gets a textual representation of this summary. |