CodeQL library for JavaScript/TypeScript
codeql/javascript-all 2.6.1-dev (changelog, source)
Index
Search

Module LoopBoundInjection

Import path

import semmle.javascript.security.dataflow.LoopBoundInjectionCustomizations

Imports

CommonFlowState

Contains a class with flow states that are used by multiple queries.

TaintedObject

Provides methods for reasoning about the flow of deeply tainted objects, such as JSON objects parsed from user-controlled data.

Predicates

hasCrashingArrayAccess

Holds if there exists an array access indexed by the variable var where it is likely that the array access will cause a crash if var grows unbounded.

isCrashingWithNullValues

Holds if an exception will be thrown whenever e evaluates to undefined or null.

loopableLodashMethod

Holds if name is a method from lodash vulnerable to a DoS attack if called with a tainted object.

Classes

ArrayIterationLoop

A loop that iterates through some array using the length property. The loop is either of the style for(..; i < arr.length;...) or while(i < arr.length) {..;i++;..}.

BarrierGuard

A barrier guard for looping on tainted objects with unbounded length.

InstanceofArraySanitizerGuard

A sanitizer that blocks taint flow if the array is checked to be an array using an X instanceof Array check.

IsArraySanitizerGuard

A sanitizer that blocks taint flow if the array is checked to be an array using an isArray function.

LengthCheckSanitizerGuard

A sanitizer that blocks taint flow if the length of an array is limited.

Sink

A data flow sink for untrusted user input that is being looped through.

Source

A source of objects that can cause DoS if iterated using the .length property.

TaintedObjectSource

A source of remote user input objects.