Closed
Labels: question (Further information is requested)
Description
I use CodeQL in VS Code.

Here is the JavaScript code:

```javascript
// script element whose body comes straight from window.name
let s0 = document.createElement("script");
s0.textContent = window.name;
document.head.appendChild(s0);
```

I define window.name as the source and any appendChild operation as the sink, and execute this query without any results.

I tried adding an isAdditionalTaintStep to let window.name propagate to s0, but I still couldn't find it.
```ql
/**
 * @kind path-problem
 */
import javascript
import DataFlow::PathGraph

class Config extends TaintTracking::Configuration {
  Config() { this = "Config" }

  override predicate isSource(DataFlow::Node source) {
    // window.name
    DataFlow::globalVarRef("window").getAPropertyRead("name") = source
  }

  override predicate isSink(DataFlow::Node sink) {
    // *.appendChild(sink)
    exists(DataFlow::SourceNode s | s.getAMethodCall("appendChild").getArgument(0) = sink)
  }

  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    // a value written to a property of a DOM node taints the node itself
    exists(DataFlow::SourceNode s |
      isDomNode(s) and
      pred = s.getAPropertyWrite().getRhs() and
      succ = s
    )
  }
}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "XSS"
```

Using Quick Evaluation on isSource, isSink and isAdditionalTaintStep, there seems to be no problem with any of them.
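For readers arriving here for the vulnerability rather than the query: the snippet in the issue is a DOM-based XSS pattern, since `window.name` is set by whichever page opened or navigated the window and therefore is attacker-controlled. The following is an added example, not code from the issue or from CodeQL, placing that pattern next to a hardened rewrite. The `makeStubDocument` helper, the `NAME_PATTERN` allowlist and the `PAYLOAD` value are all constructed here so the file runs under Node; in a browser the real `document` and `window` would be passed in.

```javascript
// Constructed stand-in for the few DOM APIs the snippet touches (not a real DOM).
function makeStubDocument() {
  const head = {
    children: [],
    appendChild(node) { this.children.push(node); return node; },
  };
  return {
    head,
    createElement(tag) { return { tagName: tag.toUpperCase(), textContent: "" }; },
    createTextNode(text) { return { tagName: "#text", textContent: String(text) }; },
  };
}

// The snippet from the issue, unchanged in behaviour. window.name is chosen by
// the opener (window.open(url, name)) or by a target="name" link, so another
// origin controls it; here it becomes the body of a <script> element, which a
// real browser executes as soon as the element is inserted.
function vulnerableInject(document, window) {
  let s0 = document.createElement("script");
  s0.textContent = window.name;   // untrusted data becomes script source
  document.head.appendChild(s0);  // sink: runs with this page's origin
  return s0;
}

// Hardened version: window.name is treated as data, never as code. The value
// is validated against a strict allowlist (assumed policy for this example)
// and inserted as a text node, which is rendered, not executed.
const NAME_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

function sanitizeWindowName(value) {
  return typeof value === "string" && NAME_PATTERN.test(value) ? value : "";
}

function hardenedRender(document, window) {
  const safe = sanitizeWindowName(window.name);
  const node = document.createTextNode(safe);
  document.head.appendChild(node);
  return node;
}

// Constructed attacker-controlled value, as an opener page could set it.
const PAYLOAD = "alert(document.domain)";

function demo() {
  const doc = makeStubDocument();
  const win = { name: PAYLOAD };
  const bad = vulnerableInject(doc, win);
  const good = hardenedRender(doc, win);
  return { bad, good, inserted: doc.head.children.length };
}
```

In the vulnerable path the script element carries the payload verbatim; in the hardened path the same input fails the allowlist and only an empty text node reaches the document.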