[JS] Taint does not propagate through .push(...) for arrays (#4509)
Comments
At present taint-mode only propagates taint through explicit assignments. In your example taint needs to be propagated through a side-effectful method call. We could perhaps assume that a (presumably void-returning) method call like

The current workaround would be:

```yaml
pattern-sources:
  - patterns:
      - pattern-inside: |
          $ARRAY.push(<... req.query ...>)
          ...
      - pattern: $ARRAY
```
Oops, the workaround doesn't work in your example due to the limitations of
Is it a good idea to allow someone to specify side-effectful regions which still propagate taint? That might be an easy way to permit this behavior on a case-by-case basis. Another random idea I just had is to "chain" taint rules together, like source -> array.push(...), then array becomes a source for a new taint rule.
"We could perhaps assume that a (presumably void-returning) method call like data.push(input) does taint data if input is tainted."
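The comments above contrast two propagation policies: taint flowing only through explicit assignments (the current behaviour) versus a side-effectful call such as `data.push(input)` also tainting its receiver. The following is an added example, not semgrep's engine or code from this issue: a toy taint analysis over a constructed mini-IR that implements both policies, so the difference on the issue's third case (`arr = []; arr.push(req.query); sink(arr)`) can be seen directly. The statement shapes, the `PUSH_PROPAGATOR` object and the `analyze`/`demo` functions are all assumptions of this example.

```javascript
// Toy taint-propagation model (added example; not semgrep's engine).
// Statements are a constructed mini-IR, not semgrep's real representation:
//   { kind: "source", target: "q" }                        // q = req.query
//   { kind: "assign", target: "a", from: ["q"] }            // a = q  or  a = [q]
//   { kind: "call", receiver: "a", method: "push", args: ["q"] }
//   { kind: "sink", args: ["a"] }                           // sink(a)

// A propagator says: a call to `method` whose arguments carry taint also
// taints the receiver. Hypothetical shape, modelled on the comments above.
const PUSH_PROPAGATOR = { method: "push" };

function analyze(statements, propagators = []) {
  const tainted = new Set();
  const findings = [];
  statements.forEach((stmt, index) => {
    const anyTainted = (names) => names.some((n) => tainted.has(n));
    switch (stmt.kind) {
      case "source":
        tainted.add(stmt.target);
        break;
      case "assign":
        // Explicit assignment: the only propagation the comment says
        // taint mode performs today.
        if (anyTainted(stmt.from)) tainted.add(stmt.target);
        else tainted.delete(stmt.target); // overwritten with clean data
        break;
      case "call":
        // Side-effectful method call: the receiver is never on the left-hand
        // side of an assignment, so without a propagator nothing happens.
        if (propagators.some((p) => p.method === stmt.method) && anyTainted(stmt.args)) {
          tainted.add(stmt.receiver);
        }
        break;
      case "sink":
        if (anyTainted(stmt.args)) findings.push(index);
        break;
      default:
        throw new Error(`unknown statement kind: ${stmt.kind}`);
    }
  });
  return findings; // indices of sink statements reached by tainted data
}

// Three constructed programs mirroring the issue's three cases.
const direct = [
  { kind: "source", target: "q" },
  { kind: "sink", args: ["q"] },
];
const viaLiteral = [
  { kind: "source", target: "q" },
  { kind: "assign", target: "arr", from: ["q"] }, // const arr = [q]
  { kind: "sink", args: ["arr"] },
];
const viaPush = [
  { kind: "source", target: "q" },
  { kind: "assign", target: "arr", from: [] },    // const arr = []
  { kind: "call", receiver: "arr", method: "push", args: ["q"] },
  { kind: "sink", args: ["arr"] },
];

function demo() {
  return {
    direct: analyze(direct),                                   // [1]
    viaLiteral: analyze(viaLiteral),                           // [2]
    viaPushAssignOnly: analyze(viaPush),                       // []  (missed)
    viaPushWithPropagator: analyze(viaPush, [PUSH_PROPAGATOR]), // [3]
  };
}

console.log(demo());
```

The assignment-only policy reports the first two programs and silently misses the third, which is exactly the gap the issue describes; registering a single propagator for `push` closes it without touching the source or sink definitions, which is the "case-by-case" shape the second comment suggests.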
Describe the bug
It appears that taint mode stops propagating data at .push(...) in array objects.

To Reproduce
This link has 3 examples. The third does not work, but should.
https://semgrep.dev/s/bXKp

What is the priority of the bug to you?