Replies: 2 comments
-
Hi @dvec01, Thanks for your question. It's not completely clear to me what you want your source to be.
-
Hi @jketema ,

```javascript
const child_process = require('child_process');

class Test {
  constructor(userInput) {
    // The constructor argument is stored on the instance ...
    this.userInput = userInput;
  }

  source() {
    // ... and the parameterless method hands it on to the sink.
    this.sink();
  }

  sink() {
    // The stored value becomes the shell command string (the execSync sink).
    child_process.execSync(`${this.userInput}`, { stdio: 'inherit' });
  }
}

new Test("/usr/bin/id").source();
```

In the above example the source is
-
I faced an issue when creating a path query for the following JavaScript code:

Here is the query I wrote to detect the `test -> execSync` path:

This query doesn't return any paths because the `test` method takes no input, hence the `isSource` predicate fails because it relies on method parameters, which are absent in this case. Omitting the `f.getAParameter() = source.asExpr()` clause and replacing it with `source.asExpr().getEnclosingFunction() = f` would help, as it causes all calls in the `source` method to be marked as sources, which is overly broad. For example, if the `test` method was changed to:

it would also highlight the second call, which uses uncontrollable/untainted data.
My questions:

1. What is the recommended approach to model accesses to `arguments`, `this` or `super` as tainted (similar to https://codeql.github.com/codeql-standard-libraries/java/semmle/code/java/dataflow/FlowSteps.qll/type.FlowSteps$TaintInheritingContent.html)?
2. What's the best way to write a source predicate for methods with no parameters?

Many thanks in advance.
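One way to express the flow in the `Test` class above without relying on a parameter of the parameterless method, as an added example that is neither participant's code: the source is the constructor parameter that gets stored on `this`, and the sink is the first argument of `child_process.execSync`. It assumes the `DataFlow::ConfigSig` / `TaintTracking::Global` API of the CodeQL JavaScript library; the `@id` is a placeholder.

```ql
/**
 * @name Constructor argument reaches child_process.execSync
 * @description Taint tracking from a class constructor parameter, via a
 *              property stored on `this`, to the command string of execSync.
 * @kind path-problem
 * @problem.severity warning
 * @id js/example/ctor-arg-to-execsync
 */

import javascript

// The parameterless `source()` method has nothing to mark as a source; it only
// reads `this.userInput`, which the constructor populated from its own
// argument. So the source is the constructor parameter of any class, and the
// library's flow through `this` properties carries it into the methods.
module CtorArgConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    exists(DataFlow::ClassNode cls |
      source = cls.getConstructor().getAParameter()
    )
  }

  // Sink: the command string handed to child_process.execSync.
  predicate isSink(DataFlow::Node sink) {
    sink = DataFlow::moduleMember("child_process", "execSync").getACall().getArgument(0)
  }
}

module CtorArgFlow = TaintTracking::Global<CtorArgConfig>;

import CtorArgFlow::PathGraph

from CtorArgFlow::PathNode source, CtorArgFlow::PathNode sink
where CtorArgFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This command string depends on a $@.", source.getNode(), "constructor argument"
```

Restricting the source to constructor parameters keeps a call that passes a constant inside the method (the "second call" case in the question) out of the results, because no constructor argument flows into it.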