Replies: 3 comments
-
Hi @dvec01, Thanks for your question. It's not completely clear to me what you want your source to be.
-
Hi @jketema ,

const child_process = require('child_process');
class Test {
    constructor(userInput) {
        this.userInput = userInput;
    }
    source() {
        this.sink();
    }
    sink() {
        child_process.execSync(`${this.userInput}`, { stdio: 'inherit' });
    }
}
new Test("/usr/bin/id").source();

In the above example the source is
-
DataFlow::FunctionNode testFunc() {
  result.getName() = "test"
}
predicate isSource(DataFlow::Node node) {
  // using 'arguments' as source
  node = testFunc().getFunction().getArgumentsVariable().getAnAccess().flow()
  or
  // using 'this' as source
  node = testFunc().getReceiver()
}

Using

Note that there is currently no way to specify a source that is inside of a content, but if you treat
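As an added example (not from either participant, nor from the CodeQL standard library), the source predicate above wired into a complete path-problem query against the posted class: `this` and `arguments` of the `source` method are the sources, and the first argument of `child_process.execSync` is the sink. The method name "source", the query `@id`, and the module names are assumptions chosen to match the snippet in the thread.

```ql
/**
 * @name Receiver of a method reaches child_process.execSync (added example)
 * @description Treats `this` (and `arguments`) of the chosen method as the
 *              taint source, so property reads such as `this.userInput`
 *              that end up in execSync are reported.
 * @kind path-problem
 * @problem.severity warning
 * @id js/example/this-to-execsync
 */

import javascript

// The method whose receiver/arguments we treat as tainted.
// Assumption: the method is named "source", as in the posted class.
DataFlow::FunctionNode sourceMethod() { result.getName() = "source" }

module ThisToExecSyncConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) {
    // `this` inside the method
    node = sourceMethod().getReceiver()
    or
    // any access to `arguments` inside the method
    node = sourceMethod().getFunction().getArgumentsVariable().getAnAccess().flow()
  }

  predicate isSink(DataFlow::Node node) {
    // command string passed to child_process.execSync(...)
    node = DataFlow::moduleMember("child_process", "execSync").getACall().getArgument(0)
  }
}

// Taint tracking (rather than plain data flow) so that reading
// `this.userInput` from a tainted `this`, and interpolating it into a
// template literal, keeps the flow alive.
module ThisToExecSyncFlow = TaintTracking::Global<ThisToExecSyncConfig>;

import ThisToExecSyncFlow::PathGraph

from ThisToExecSyncFlow::PathNode source, ThisToExecSyncFlow::PathNode sink
where ThisToExecSyncFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Command passed to execSync is derived from $@ of the source method.",
  source.getNode(), "the receiver/arguments"
```

Because the receiver of `this.sink()` is the same object as `this` in `source()`, the path runs `source()` -> `sink()` -> `this.userInput` -> the execSync argument; an unrelated call in `source()` that does not involve `this` or `arguments` is not reported.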
-
I faced an issue when creating a path query for the following JavaScript code:
Here is the query I wrote to detect the test -> execSync path:

This query doesn't return any paths because the test method takes no input, hence the isSource predicate fails because it relies on method parameters, which are absent in this case. Omitting the f.getAParameter() = source.asExpr() clause and replacing it with source.asExpr().getEnclosingFunction() = f would help, as it causes all calls in the source method to be marked as sources, which is overly broad. For example, if the test method was changed to:

it would also highlight the second call, which is uncontrollable/untainted data.
My questions:
What is the recommended approach to model accesses to arguments, this or super as tainted (similar to https://codeql.github.com/codeql-standard-libraries/java/semmle/code/java/dataflow/FlowSteps.qll/type.FlowSteps$TaintInheritingContent.html)?

What's the best way to write a source predicate for methods with no parameters?
Many thanks in advance.