From 81b3f7bc4b65d2aab1d5348c88e74101d0eb16f9 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Wed, 20 Nov 2024 13:58:43 +0100
Subject: [PATCH 1/2] JS: Implement 'speculativeTaintStep'

It is a mandatory part of the interface now; just providing a bare-bones implementation for rather than 'none()'

---
 .../dataflow/internal/TaintTrackingPrivate.qll | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
index 0f9780ab69b3..b182e9458405 100644
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
@@ -104,3 +104,12 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, ContentSet c) {
   // Optional steps are added through isAdditionalFlowStep but we don't want the implicit reads
   not optionalStep(node, _, _)
 }
+
+predicate speculativeTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(DataFlow::CallNode call, DataFlowCall c |
+    not exists(viableCallable(c)) and
+    c.asOrdinaryCall() = call and
+    node1 = call.getAnArgument() and
+    node2 = call
+  )
+}

From 01943539039829d040293046d06050cfb717e97d Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 21 Nov 2024 11:29:21 +0100
Subject: [PATCH 2/2] JS: Remove reference to argsParseStep

This was removed as part of the PR that introduced threat models.

---
 .../security/dataflow/IndirectCommandInjectionQuery.qll | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
index 75324e94b131..a0bb45e78ec0 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
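Review bot: The new `speculativeTaintStep` adds an argument-to-result taint step through every call whose callee cannot be resolved, and the only filter is `not exists(viableCallable(c))`; if callees that are modelled by a flow summary or a neutral model are not returned by `viableCallable` (not visible in this hunk), the step will also fire through calls that a model deliberately does not propagate taint through, such as escaping or hashing helpers, which can silently undo a sanitizer in a security query. Consider excluding calls that already have a summary or neutral model, which I believe is what the Java implementation of this predicate does — worth checking before relying on it. The predicate also has no QLDoc; suggest adding `/** Holds if there is a speculative taint step from an argument `node1` of a call `node2` whose callee could not be resolved to any callable. */` above it. The enclosing `defaultImplicitTaintRead` starts outside the hunk.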
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -26,10 +26,6 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
-
-  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    argsParseStep(pred, succ)
-  }
 }
 
 /**