
js taint tracking libs - add unescape as taint propagator #19003

Closed
DSimsek000 opened this issue Mar 12, 2025 · 3 comments · Fixed by #19009
Labels: question (Further information is requested)

Comments
DSimsek000 wrote:
As far as I can tell, `unescape` is not modeled as a string propagator in

```ql
private class StringManipulationTaintStep extends SharedTaintStep {
```

I am curious whether this is intended and, if so, what the reason for it is, given that `decodeURIComponent` is modeled as taint preserving.
Thanks!
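To make the point of the report concrete, here is an added example (not code from the CodeQL repository or from this issue) that runs the two decoders over a constructed attacker-controlled string and records whether the original content reaches the decoder's output; the `TAINTED` value and the helper names are assumptions for the demonstration.

```javascript
// Added example, not code from the CodeQL repository or from this issue.
// Shows why a decoder such as unescape must be modeled as taint preserving:
// encoded attacker input comes out of the decoder intact, so a taint model
// that stops at the decoder reports a false negative.

// Constructed attacker-controlled input, e.g. from a URL query parameter.
const TAINTED = "<tainted>";

// decodeURIComponent is already modeled as taint preserving in CodeQL;
// unescape was not (the gap this issue reports).
const DECODERS = {
  decodeURIComponent: (s) => decodeURIComponent(s),
  unescape: (s) => unescape(s),
};

// Decode with the named decoder; null when decoding throws
// (decodeURIComponent raises URIError on malformed sequences).
function tryDecode(name, encoded) {
  try {
    return DECODERS[name](encoded);
  } catch (e) {
    return null;
  }
}

// True when the tainted content survives encode -> decode unchanged,
// i.e. the decoder propagates taint rather than sanitizing it.
function taintSurvives(name, encoded) {
  const out = tryDecode(name, encoded);
  return out !== null && out.includes(TAINTED);
}

// Two encodings of TAINTED: the standard %XX form, and the legacy %uXXXX
// form that only unescape understands.
const ENCODED = {
  percent: encodeURIComponent(TAINTED),
  legacyUnicode: TAINTED.replace(/[<>]/g,
    (c) => "%u" + c.charCodeAt(0).toString(16).padStart(4, "0")),
};

// decoder name -> { encoding form -> does tainted content reach the output? }
function propagationMatrix() {
  const matrix = {};
  for (const name of Object.keys(DECODERS)) {
    matrix[name] = {};
    for (const [form, enc] of Object.entries(ENCODED)) {
      matrix[name][form] = taintSurvives(name, enc);
    }
  }
  return matrix;
}
```

Both decoders hand the `%XX`-encoded content through unchanged, and `unescape` additionally decodes the `%uXXXX` form that `decodeURIComponent` rejects, so modeling only one of them leaves real flows unreported.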

@DSimsek000 DSimsek000 added the question Further information is requested label Mar 12, 2025

hvitved commented Mar 13, 2025

Seems reasonable to also include `unescape`; @github/codeql-javascript, what do you think?


Napalys commented Mar 13, 2025

Thanks for the report. You’re right, `unescape` was overlooked. I’ve addressed the issue in this PR: #19009.
The fix will be included in CodeQL 2.21.0, which is set to release in early April.

DSimsek000 (Author) commented:

Hi @Napalys, thanks for the update. In this case one could also consider adding `escape`.
