Skip to content

Commit 34a6e15

Browse files
committed
make TypeOfSanitizer slightly more robost
1 parent 18d26ca commit 34a6e15

1 file changed

Lines changed: 5 additions & 2 deletions

File tree

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@
77
import javascript
88
private import semmle.javascript.security.dataflow.RemoteFlowSources
99
private import semmle.javascript.PackageExports as Exports
10+
private import semmle.javascript.dataflow.InferredTypes
1011

1112
/**
1213
* Module containing sources, sinks, and sanitizers for shell command constructed from library input.
@@ -199,8 +200,10 @@ module UnsafeShellCommandConstruction {
199200
override EqualityTest astNode;
200201

201202
TypeOfSanitizer() {
202-
exists(StringLiteral str, TypeofExpr typeof | astNode.hasOperands(str, typeof) |
203-
str.getValue() = ["number", "boolean"] and // "undefined" is already handled in TaintTracking.qll
203+
exists(Expr str, TypeofExpr typeof | astNode.hasOperands(str, typeof) |
204+
str.mayHaveStringValue(any(InferredType t |
205+
t = TTUndefined() or t = TTNumber() or t = TTBoolean()
206+
).getTypeofTag()) and
204207
typeof.getOperand() = x
205208
)
206209
}

0 commit comments

Comments
 (0)