Selecting properties following an Object merge #179
-
Javascript
Query
This is not listing Likewise,
should return I have seen examples where data flow continues for
from |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
Hi @jason-invision,
Taint-tracking will indeed flow through If that's the case I'd suggest adding a taint step that taints the entire object when its override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
// If `obj.body` becomes tainted, consider the the whole `obj` to be tainted
exists(DataFlow::PropWrite write |
write.getPropertyName() = "body" and
pred = write.getRhs() and
succ = write.getBase().getALocalSource()
)
} |
Beta Was this translation helpful? Give feedback.
Hi @jason-invision,
getALocalSource
andgetAPropertyReference
only traverse local data flow, which excludes flow through function calls and merge calls likeObject.assign
.Taint-tracking will indeed flow through
Object.assign
and the function calls. Are you trackingbody
using taint-tracking? In that case the problem might be that it's notbody
flowing into therequest
call, but an object containingbody
in one of its properties. Therefore it will appear never to reach the sink.If that's the case I'd suggest adding a taint step that taints the entire object when its
body
property becomes tainted: