Skip to content

JS: Taint propagation from low-level ArrayBuffer to Strings #19231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Napalys merged 14 commits into from
Apr 11, 2025
Merged

JS: Taint propagation from low-level ArrayBuffer to Strings #19231

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
9388226
Added test case for `Uint8Array` and `TypedArray.prototype.buffer`
Napalys Apr 7, 2025
e23ff9c
Add TypedArrays flow summaries for `Uint8Array` and buffer property
Napalys Apr 7, 2025
d689a55
Added test cases for `TypedArray` methods
Napalys Apr 7, 2025
ff07ec8
Add flow summaries for TypedArray methods `set` and `subarray`
Napalys Apr 7, 2025
0e09947
Added test cases for `ArrayBuffer` and `SharedArrayBuffer`
Napalys Apr 7, 2025
f427720
Add flow summaries and entry points for `ArrayBuffer` and `SharedArra…
Napalys Apr 7, 2025
f28478e
Add test cases from `TypedArrays` to strings.
Napalys Apr 7, 2025
b97c618
Add flow summaries and entry points for `TextDecoder`
Napalys Apr 7, 2025
873db7c
Added change note
Napalys Apr 7, 2025
4bc3e9e
Addressed comments
Napalys Apr 9, 2025
a3e4e62
Removed taint from `ArrayBuffer` constructor as it accepts `length`
Napalys Apr 9, 2025
0c52b5a
Added summary flow for `StringFromCharCode`
Napalys Apr 9, 2025
e3f1720
Renamed`DecodeLike` to `Decode` and updated `propagatesFlow`
Napalys Apr 11, 2025
d0dcf89
Update javascript/ql/lib/semmle/javascript/internal/flow_summaries/St…
Napalys Apr 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions javascript/ql/lib/semmle/javascript/internal/flow_summaries/AllFlowSummaries.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ private import Strings
private import DynamicImportStep
private import UrlSearchParams
private import TypedArrays
private import Decoders
29 changes: 29 additions & 0 deletions javascript/ql/lib/semmle/javascript/internal/flow_summaries/Decoders.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
private import javascript
private import semmle.javascript.dataflow.FlowSummary
private import semmle.javascript.dataflow.InferredTypes
private import semmle.javascript.dataflow.internal.DataFlowPrivate as Private
private import FlowSummaryUtil

private class TextDecoderEntryPoint extends API::EntryPoint {
TextDecoderEntryPoint() { this = "global.TextDecoder" }

override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("TextDecoder") }
}

pragma[nomagic]
API::Node textDecoderConstructorRef() { result = any(TextDecoderEntryPoint e).getANode() }

class DecodeLike extends SummarizedCallable {
DecodeLike() { this = "TextDecoder#decode" }

override InstanceCall getACall() {
result =
textDecoderConstructorRef().getAnInstantiation().getReturn().getMember("decode").getACall()
Comment thread
Napalys marked this conversation as resolved.
Outdated
}

override predicate propagatesFlow(string input, string output, boolean preservesValue) {
preservesValue = true and
Comment thread
Napalys marked this conversation as resolved.
Outdated
input = "Argument[0]" and
output = "ReturnValue"
}
}
3 changes: 2 additions & 1 deletion javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,13 +45,13 @@ legacyDataFlowDifference
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:30:10:30:23 | transferedView | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:34:10:34:24 | transferedView2 | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:46:10:46:12 | str | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:50:10:50:13 | str2 | only flow with NEW data flow library |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x | only flow with NEW data flow library |
consistencyIssue
| nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
| stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
| stringification-read-steps.js:25 | expected an alert, but found none | NOT OK | Consistency |
| typed-arrays.js:40 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
| typed-arrays.js:50 | expected an alert, but found none | NOT OK | Consistency |
flow
| access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
| addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
Expand Down Expand Up @@ -347,6 +347,7 @@ flow
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:30:10:30:23 | transferedView |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:34:10:34:24 | transferedView2 |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:46:10:46:12 | str |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:50:10:50:13 | str2 |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x |
| xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
Expand Down