Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space CBJS and version Publish

Tracks user-controlled values into 'eval' calls (special case of js/code-injection).

Ql
import javascript::
import DataFlow

class EvalTaint extends TaintTracking::Configuration {
  EvalTaint() { this = "EvalTaint" }

  override predicate isSource(Node node) { node instanceof RemoteFlowSource }

  override predicate isSink(Node node) { node = globalVarRef("eval").getACall().getArgument(0) }
}

from EvalTaint cfg, Node source, Node sink
where cfg.hasFlow(source, sink)
select sink, "Eval with user-controlled input from $@.", source, "here"
Htmlcomment
hiddentrue
hashconfluence_uploader_hash:6ba0001bc7e576dd6cdbf68949168d24407b5054aa20f99787d890c5b54e869e3f557b312e8b5e55