You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+7-5Lines changed: 7 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -650,10 +650,11 @@ module TaintTracking {
650
650
/**
651
651
* Holds if `pred` should be stored in the object `succ` under the property `prop`.
652
652
*
653
-
* This step is used to model 2 facts:
654
-
* 1) A `URL` constructed using `url = new URL(input)` transfers taint from `input` to `url.searchParams`.
655
-
* 2) A `URLSearchParams` (either `url.searchParams` or `new URLSearchParams(input)`) has a tainted value,
656
-
* which is stored in a pseudo-property, that can later be access using a `get` or `getAll` call.
653
+
* This step is used to model 3 facts:
654
+
* 1) A `URL` constructed using `url = new URL(input)` transfers taint from `input` to `url.searchParams`. (See prop = "searchParams")
655
+
* 2) Accessing the `searchParams` on a `URL` results in a `URLSearchParams` object (See the loadStoreStep method on this class and hiddenUrlPseudoProperty())
656
+
* 3) A `URLSearchParams` object (either `url.searchParams` or `new URLSearchParams(input)`) has a tainted value,
657
+
* which can be accessed using a `get` or `getAll` call. (See getableUrlPseudoProperty())
* Holds if the property `loadStep` should be copied from the object `pred` to the property `storeStep` of object `succ`.
671
672
*
672
673
* This step is used to copy the value of our pseudo-property that can later be accessed using a `get` or `getAll` call.
674
+
* For an expression `url.searchParams`, the property `hiddenUrlPseudoProperty()` from the `url` object is stored in the property `getableUrlPseudoProperty()` on `url.searchParams`.
0 commit comments