Skip to content

JS: Taint propagation from low-level ArrayBuffer to Strings #19231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Napalys merged 14 commits into from
Apr 11, 2025
Merged

JS: Taint propagation from low-level ArrayBuffer to Strings #19231

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
9388226
Added test case for `Uint8Array` and `TypedArray.prototype.buffer`
Napalys Apr 7, 2025
e23ff9c
Add TypedArrays flow summaries for `Uint8Array` and buffer property
Napalys Apr 7, 2025
d689a55
Added test cases for `TypedArray` methods
Napalys Apr 7, 2025
ff07ec8
Add flow summaries for TypedArray methods `set` and `subarray`
Napalys Apr 7, 2025
0e09947
Added test cases for `ArrayBuffer` and `SharedArrayBuffer`
Napalys Apr 7, 2025
f427720
Add flow summaries and entry points for `ArrayBuffer` and `SharedArra…
Napalys Apr 7, 2025
f28478e
Add test cases from `TypedArrays` to strings.
Napalys Apr 7, 2025
b97c618
Add flow summaries and entry points for `TextDecoder`
Napalys Apr 7, 2025
873db7c
Added change note
Napalys Apr 7, 2025
4bc3e9e
Addressed comments
Napalys Apr 9, 2025
a3e4e62
Removed taint from `ArrayBuffer` constructor as it accepts `length`
Napalys Apr 9, 2025
0c52b5a
Added summary flow for `StringFromCharCode`
Napalys Apr 9, 2025
e3f1720
Renamed`DecodeLike` to `Decode` and updated `propagatesFlow`
Napalys Apr 11, 2025
d0dcf89
Update javascript/ql/lib/semmle/javascript/internal/flow_summaries/St…
Napalys Apr 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions javascript/ql/lib/semmle/javascript/internal/flow_summaries/TypedArrays.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,47 @@ class SubArrayLike extends SummarizedCallable {
output = "ReturnValue.ArrayElement"
}
}

private class ArrayBufferEntryPoint extends API::EntryPoint {
ArrayBufferEntryPoint() { this = ["global.ArrayBuffer", "global.SharedArrayBuffer"] }

override DataFlow::SourceNode getASource() {
result = DataFlow::globalVarRef(["ArrayBuffer", "SharedArrayBuffer"])
}
}

pragma[nomagic]
API::Node arrayBufferConstructorRef() { result = any(ArrayBufferEntryPoint a).getANode() }

class ArrayBufferConstructorSummary extends SummarizedCallable {
ArrayBufferConstructorSummary() { this = "ArrayBuffer constructor" }

override DataFlow::InvokeNode getACall() {
result = arrayBufferConstructorRef().getAnInstantiation()
}

override predicate propagatesFlow(string input, string output, boolean preservesValue) {
preservesValue = true and
input = "Argument[0].ArrayElement" and
output = "ReturnValue.ArrayElement"
Comment thread
Napalys marked this conversation as resolved.
Outdated
}
}

class TransferLike extends SummarizedCallable {
TransferLike() { this = "ArrayBuffer#transfer" }

override InstanceCall getACall() {
result =
arrayBufferConstructorRef()
.getAnInstantiation()
.getReturn()
.getMember(["transfer", "transferToFixedLength"])
.getACall()
Comment thread
Napalys marked this conversation as resolved.
Outdated
}

override predicate propagatesFlow(string input, string output, boolean preservesValue) {
preservesValue = true and
input = "Argument[this].ArrayElement" and
output = "ReturnValue.ArrayElement"
}
}
12 changes: 8 additions & 4 deletions javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,15 +40,15 @@ legacyDataFlowDifference
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:22:10:22:13 | view | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:26:10:26:14 | view1 | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:30:10:30:23 | transferedView | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:34:10:34:24 | transferedView2 | only flow with NEW data flow library |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x | only flow with NEW data flow library |
consistencyIssue
| nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
| stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
| stringification-read-steps.js:25 | expected an alert, but found none | NOT OK | Consistency |
| typed-arrays.js:22 | expected an alert, but found none | NOT OK | Consistency |
| typed-arrays.js:26 | expected an alert, but found none | NOT OK | Consistency |
| typed-arrays.js:30 | expected an alert, but found none | NOT OK | Consistency |
| typed-arrays.js:34 | expected an alert, but found none | NOT OK | Consistency |
flow
| access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
| addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
Expand Down Expand Up @@ -339,6 +339,10 @@ flow
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:22:10:22:13 | view |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:26:10:26:14 | view1 |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:30:10:30:23 | transferedView |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:34:10:34:24 | transferedView2 |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x |
| xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
Expand Down