JS: Add: taint step test cases for findLastIndex, findLast, find

github · Nov 19, 2024 · f1e95a8 · f1e95a8
1 parent c03d69a
commit f1e95a8
Show file tree

Hide file tree

Showing 5 changed files with 396 additions and 137 deletions.
diff --git a/javascript/ql/test/library-tests/Arrays/DataFlow.ql b/javascript/ql/test/library-tests/Arrays/DataFlow.ql
@@ -3,7 +3,10 @@ import javascript
 class ArrayFlowConfig extends DataFlow::Configuration {
   ArrayFlowConfig() { this = "ArrayFlowConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source.asExpr().getStringValue() = "source" }
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr().getStringValue() = "source" or
+    source.(DataFlow::CallNode).getCalleeName() = "source"
+  }
 
   override predicate isSink(DataFlow::Node sink) {
     sink = any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument()

diff --git a/javascript/ql/test/library-tests/Arrays/TaintFlow.expected b/javascript/ql/test/library-tests/Arrays/TaintFlow.expected
@@ -35,3 +35,5 @@
 | arrays.js:120:19:120:26 | "source" | arrays.js:121:46:121:49 | item |
 | arrays.js:120:19:120:26 | "source" | arrays.js:122:10:122:16 | element |
 | arrays.js:126:19:126:26 | "source" | arrays.js:127:55:127:58 | item |
+| arrays.js:131:17:131:24 | source() | arrays.js:133:10:133:17 | element1 |
+| arrays.js:137:17:137:24 | source() | arrays.js:139:10:139:17 | element1 |
diff --git a/javascript/ql/test/library-tests/Arrays/TaintFlow.ql b/javascript/ql/test/library-tests/Arrays/TaintFlow.ql
@@ -3,7 +3,10 @@ import javascript
 class ArrayTaintFlowConfig extends TaintTracking::Configuration {
   ArrayTaintFlowConfig() { this = "ArrayTaintFlowConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source.asExpr().getStringValue() = "source" }
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr().getStringValue() = "source" or
+    source.(DataFlow::CallNode).getCalleeName() = "source"
+  }
 
   override predicate isSink(DataFlow::Node sink) {
     sink = any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument()

diff --git a/javascript/ql/test/library-tests/Arrays/arrays.js b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -127,4 +127,21 @@
     const element = list.findLastIndex((item) => sink(item)); // NOT OK
     sink(element); // OK
   }
+  {
+    const arr = source();
+    const element1 = arr.find((item) => sink(item)); // NOT OK - only found with taint-tracking.
+    sink(element1); // NOT OK
+  }
+
+  {
+    const arr = source();
+    const element1 = arr.findLast((item) => sink(item)); // NOT OK - only found with taint-tracking.
+    sink(element1); // NOT OK
+  }
+
+  {
+    const arr = source();
+    const element1 = arr.findLastIndex((item) => sink(item)); // NOT OK - only found with taint-tracking.
+    sink(element1); // OK
+  }
 });