Skip to content

Selecting properties following an Object merge #179

Answered by asgerf
jason-invision asked this question in General
Discussion options

You must be logged in to vote

Hi @jason-invision,

getALocalSource and getAPropertyReference only traverse local data flow, which excludes flow through function calls and merge calls like Object.assign.

Taint-tracking will indeed flow through Object.assign and the function calls. Are you tracking body using taint-tracking? In that case the problem might be that it's not body flowing into the request call, but an object containing body in one of its properties. Therefore it will appear never to reach the sink.

If that's the case I'd suggest adding a taint step that taints the entire object when its body property becomes tainted:

  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    /…

Replies: 1 comment 2 replies

Comment options

You must be logged in to vote
2 replies
@jason-invision
Comment options

@asgerf
Comment options

asgerf Sep 22, 2020
Collaborator

Answer selected by jason-invision
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants