[JavaScript] False Negative - Taint tracking through closure

[yonajix]

I've been trying to track this simple Code Injection Vulnerability with CodeQL and I've noticed its having problems tracking the taint through a closure boundary:

function process(input) {
    const tokens = [{ text: input }];
    
    return {
        execute() {
            for (const token of tokens) {
                eval(token.text);  
            }
        }
    };
}

let userInput = location.hash.substring(1);
const result = process(userInput);
result.execute();

I ran the CodeInjection query for JS against this and got nothing.

I made a simple flow tracking query where I set the CodeInjection sink to any() and I noticed taint tracking stops at const tokens = [{ text: input }];

I made a simpler example without the closure:

function process(input) {
    const tokens = [{ text: input }];

    for (const token of tokens) {
        eval(token.text); 
    }
}


let userInput = location.hash.substring(1);
process(userInput);

the CodeInjection query catches this so it can't be the for loop causing this miss on its own.

[d10c]

Hi @yonajix 👋🏻

Thanks for the report. This may be due to a limitation of the dataflow library for JS in the case of too many levels of nesting (closure -> array -> object -> tainted value) but I've notified the relevant team to verify, so stay tuned.

[redsun82]

👋 @yonajix If you're running the query from a local checkout of github/codeql, you can try implementing accessPathLimit() in CodeInjectionConfig and increase it from its default value of 2.

A more general fix might come in the future, but it's not yet something we're currently working on.