@@ -580,16 +580,15 @@ module TaintTracking {
580
580
*/
581
581
private class ComputedPropWriteTaintStep extends SharedTaintStep {
582
582
override predicate heapStep ( DataFlow:: Node pred , DataFlow:: Node succ ) {
583
- exists ( AssignExpr assgn , IndexExpr idx , DataFlow:: SourceNode obj |
584
- assgn .getTarget ( ) = idx and
585
- obj .flowsToExpr ( idx .getBase ( ) ) and
586
- not exists ( idx .getPropertyName ( ) ) and
587
- pred = DataFlow:: valueNode ( assgn .getRhs ( ) ) and
583
+ exists ( DataFlow:: PropWrite assgn , DataFlow:: SourceNode obj |
584
+ not exists ( assgn .getPropertyName ( ) ) and
585
+ pred = assgn .getRhs ( ) and
586
+ assgn = obj .getAPropertyWrite ( ) and
588
587
succ = obj
589
588
|
590
589
obj instanceof DataFlow:: ObjectLiteralNode
591
590
or
592
- obj .getAPropertyRead ( "length" ) .flowsToExpr ( idx .getPropertyNameExpr ( ) )
591
+ obj .getAPropertyRead ( "length" ) .flowsToExpr ( assgn .getPropertyNameExpr ( ) )
593
592
)
594
593
}
595
594
}
@@ -614,8 +613,8 @@ module TaintTracking {
614
613
override predicate stringManipulationStep ( DataFlow:: Node pred , DataFlow:: Node target ) {
615
614
exists ( DataFlow:: ValueNode succ | target = succ |
616
615
// string operations that propagate taint
617
- exists ( string name | name = succ .getAstNode ( ) . ( MethodCallExpr ) .getMethodName ( ) |
618
- pred . asExpr ( ) = succ .getAstNode ( ) . ( MethodCallExpr ) .getReceiver ( ) and
616
+ exists ( string name | name = succ .( DataFlow :: MethodCallNode ) .getMethodName ( ) |
617
+ pred = succ .( DataFlow :: MethodCallNode ) .getReceiver ( ) and
619
618
(
620
619
// sorted, interesting, properties of String.prototype
621
620
name =
@@ -634,7 +633,7 @@ module TaintTracking {
634
633
name = "join"
635
634
)
636
635
or
637
- exists ( int i | pred . asExpr ( ) = succ .getAstNode ( ) . ( MethodCallExpr ) .getArgument ( i ) |
636
+ exists ( int i | pred = succ .( DataFlow :: MethodCallNode ) .getArgument ( i ) |
638
637
name = "concat"
639
638
or
640
639
name = [ "replace" , "replaceAll" ] and i = 1
@@ -649,10 +648,10 @@ module TaintTracking {
649
648
)
650
649
or
651
650
// String.fromCharCode and String.fromCodePoint
652
- exists ( int i , MethodCallExpr mce |
653
- mce = succ . getAstNode ( ) and
654
- pred . asExpr ( ) = mce .getArgument ( i ) and
655
- ( mce .getMethodName ( ) = "fromCharCode" or mce . getMethodName ( ) = "fromCodePoint" )
651
+ exists ( int i , DataFlow :: MethodCallNode mcn |
652
+ mcn = succ and
653
+ pred = mcn .getArgument ( i ) and
654
+ mcn .getMethodName ( ) = [ "fromCharCode" , "fromCodePoint" ]
656
655
)
657
656
or
658
657
// `(encode|decode)URI(Component)?` propagate taint
@@ -778,11 +777,11 @@ module TaintTracking {
778
777
* the parameters in `input`.
779
778
*/
780
779
predicate isUrlSearchParams ( DataFlow:: SourceNode params , DataFlow:: Node input ) {
781
- exists ( DataFlow:: GlobalVarRefNode urlSearchParams , NewExpr newUrlSearchParams |
780
+ exists ( DataFlow:: GlobalVarRefNode urlSearchParams , DataFlow :: NewNode newUrlSearchParams |
782
781
urlSearchParams .getName ( ) = "URLSearchParams" and
783
- newUrlSearchParams = urlSearchParams .getAnInstantiation ( ) . asExpr ( ) and
784
- params . asExpr ( ) = newUrlSearchParams and
785
- input . asExpr ( ) = newUrlSearchParams .getArgument ( 0 )
782
+ newUrlSearchParams = urlSearchParams .getAnInstantiation ( ) and
783
+ params = newUrlSearchParams and
784
+ input = newUrlSearchParams .getArgument ( 0 )
786
785
)
787
786
}
788
787
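Review bot: In the first hunk, `ComputedPropWriteTaintStep.heapStep` no longer matches the same writes as before: the old body required an `AssignExpr` whose target is an `IndexExpr`, while a `DataFlow::PropWrite` with no `getPropertyName()` also covers non-assignment writes such as computed property initializers (`{ [k]: v }`). That can add taint edges into `obj`, which changes what the security queries built on this step report, so it should be a stated decision with a test case rather than a side effect of the refactoring. If the wider match is intended, I would add `// also covers computed initializers like { [k]: v }, not only obj[k] = v` above the `exists` and rename `assgn` to `write`, since the variable is no longer an assignment. The class's doc comment starts above the hunk, so I cannot tell whether it already describes this.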