Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

js taint tracking libs - add unescape as taint propagator #19003

Closed
DSimsek000 opened this issue Mar 12, 2025 · 3 comments · Fixed by #19009
Closed

js taint tracking libs - add unescape as taint propagator #19003

DSimsek000 opened this issue Mar 12, 2025 · 3 comments · Fixed by #19009
Assignees
@Napalys
Labels
question Further information is requested

Comments

@DSimsek000
Copy link

As far as I can tell unescape is not modeled as a string propagator in

codeql/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll

Line 447 in 795a2e1

private class StringManipulationTaintStep extends SharedTaintStep {

I am curious if this is intended and if so, what is the reason for this given that decodeURIComponent is modeled as taint preserving.
Thanks!
@DSimsek000 DSimsek000 added the question Further information is requested label Mar 12, 2025
@hvitved
Copy link
Contributor

hvitved commented Mar 13, 2025

Seems reasonable to also include unescape; @github/codeql-javascript what do you think?

@Napalys Napalys self-assigned this Mar 13, 2025
@Napalys Napalys mentioned this issue Mar 13, 2025
Merged
@Napalys
Copy link
Contributor

Napalys commented Mar 13, 2025

Thanks for the report. You’re right, the unescape was overlooked. I’ve addressed the issue in this PR: #19009.
The fix will be included in CodeQL 2.21.0, which is set to release in early April.

@DSimsek000
Copy link
Author

Hi @Napalys, thanks for the update. In this case one could also consider adding escape.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Napalys Napalys

Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

JS: Add support for unescape Napalys/codeql
3 participants
@hvitved @Napalys @DSimsek000
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy