
Commit 097b8e7

committed
Add TypedArrays flow summaries for Uint8Array and buffer property
1 parent 9388226 commit 097b8e7


3 files changed

+45
-3
lines changed


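--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/AllFlowSummaries.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/AllFlowSummaries.qll
@@ -12,3 +12,4 @@ private import Sets
 private import Strings
 private import DynamicImportStep
 private import UrlSearchParams
+private import TypedArrays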
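--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,38 @@
+private import javascript
+private import semmle.javascript.dataflow.FlowSummary
+private import semmle.javascript.dataflow.InferredTypes
+private import semmle.javascript.dataflow.internal.DataFlowPrivate as Private
+private import FlowSummaryUtil
+
+private class TypedArrayEntryPoint extends API::EntryPoint {
+TypedArrayEntryPoint() { this = "global.Uint8Array" }
+
+override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("Uint8Array") }
+}
+
+pragma[nomagic]
+API::Node typedArrayConstructorRef() { result = any(TypedArrayEntryPoint e).getANode() }
+
+class TypedArrayConstructorSummary extends SummarizedCallable {
+TypedArrayConstructorSummary() { this = "TypedArray constructor" }
+
+override DataFlow::InvokeNode getACall() {
+result = typedArrayConstructorRef().getAnInstantiation()
+}
+
+override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+preservesValue = true and
+input = "Argument[0].ArrayElement" and
+output = "ReturnValue.ArrayElement"
+}
+}
+
+class BufferTypedArray extends DataFlow::AdditionalFlowStep {
+override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+exists(DataFlow::PropRead p |
+p = typedArrayConstructorRef().getInstance().getMember("buffer").asSource() and
+pred = p.getBase() and
+succ = p
+)
+}
+}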
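Review bot: Three imports at the top of the new file are not referenced by anything below them — `InferredTypes`, `DataFlowPrivate as Private` and `FlowSummaryUtil` — so the lines `private import semmle.javascript.dataflow.InferredTypes`, `private import semmle.javascript.dataflow.internal.DataFlowPrivate as Private` and `private import FlowSummaryUtil` look droppable unless a follow-up change needs them. The two public classes `TypedArrayConstructorSummary` and `BufferTypedArray` carry no QLDoc, and their generic "TypedArray" names hide that the entry point only tracks `global.Uint8Array`; that scope matters to anyone relying on these summaries, since taint passing through another view such as `Int16Array` or `Float64Array`, or through `new Uint8Array(buffer)` where the whole buffer rather than its elements is the tainted value, will still be a false negative. A doc comment on the first class, `/** A flow summary for 'new Uint8Array(arr)': elements of 'arr' flow to elements of the result. Other typed-array constructors are not modeled. */`, and one on the second stating that it propagates from a tracked Uint8Array instance to its '.buffer' property read, would record that scope where a later maintainer will see it. `BufferTypedArray` is also a flow step rather than an array, so a name such as `TypedArrayBufferStep` would describe it more accurately. The new file's path is not shown on this page; it is imported as `TypedArrays` from AllFlowSummaries.qll.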

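--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -35,14 +35,14 @@ legacyDataFlowDifference
 | spread.js:4:15:4:22 | source() | spread.js:18:8:18:8 | y | only flow with NEW data flow library |
 | spread.js:4:15:4:22 | source() | spread.js:24:8:24:8 | y | only flow with NEW data flow library |
 | tst.js:2:13:2:20 | source() | tst.js:17:10:17:10 | a | only flow with OLD data flow library |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:5:10:5:10 | y | only flow with NEW data flow library |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:7:10:7:17 | y.buffer | only flow with NEW data flow library |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr | only flow with NEW data flow library |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x | only flow with NEW data flow library |
 consistencyIssue
 | nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
 | stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
 | stringification-read-steps.js:25 | expected an alert, but found none | NOT OK | Consistency |
-| typed-arrays.js:5 | expected an alert, but found none | NOT OK | Consistency |
-| typed-arrays.js:7 | expected an alert, but found none | NOT OK | Consistency |
-| typed-arrays.js:11 | expected an alert, but found none | NOT OK | Consistency |
 flow
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
@@ -328,6 +328,9 @@ flow
 | tst.js:87:22:87:29 | source() | tst.js:90:14:90:25 | taintedValue |
 | tst.js:93:22:93:29 | source() | tst.js:96:14:96:25 | taintedValue |
 | tst.js:93:22:93:29 | source() | tst.js:97:14:97:26 | map.get(true) |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:5:10:5:10 | y |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:7:10:7:17 | y.buffer |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |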
