JS: Taint propagation from low-level ArrayBuffer to Strings #19231
Merged
Napalys merged 14 commits into github:main, Apr 11, 2025
Conversation
Contributor
Pull Request Overview
This pull request introduces taint propagation for low-level byte-related objects in JavaScript, ensuring that taints are maintained from ArrayBuffer through various TypedArray operations into string conversions.
- Introduces taint propagation for Uint8Array, ArrayBuffer, and SharedArrayBuffer operations.
- Adds taint tracking for TextDecoder.decode() and byte-to-string operations.
Reviewed Changes
Copilot reviewed 2 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| javascript/ql/test/library-tests/TaintTracking/typed-arrays.js | Adds tests for taint propagation across different TypedArray and ArrayBuffer operations |
| javascript/ql/lib/change-notes/2025-04-07-typed-arrays.md | Documents the minor analysis update related to taint propagation changes |
Files not reviewed (5)
- javascript/ql/lib/semmle/javascript/internal/flow_summaries/AllFlowSummaries.qll: Language not supported
- javascript/ql/lib/semmle/javascript/internal/flow_summaries/Decoders.qll: Language not supported
- javascript/ql/lib/semmle/javascript/internal/flow_summaries/TypedArrays.qll: Language not supported
- javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected: Language not supported
- javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/DecompressionBombs.expected: Language not supported
asgerf reviewed Apr 9, 2025
Review comments (on outdated revisions, since resolved) on:
- javascript/ql/lib/semmle/javascript/internal/flow_summaries/TypedArrays.qll (6 comments)
- javascript/ql/lib/semmle/javascript/internal/flow_summaries/Decoders.qll (2 comments)
Co-authored-by: Asgerf <asgerf@github.com>
asgerf reviewed Apr 11, 2025
Contributor
asgerf left a comment
One last comment, otherwise LGTM
Review comment (on an outdated revision, since resolved) on javascript/ql/lib/semmle/javascript/internal/flow_summaries/Strings.qll
…rings.qll Co-authored-by: Asger F <asgerf@github.com>
asgerf approved these changes Apr 11, 2025
This pull request introduces taint modeling for the most commonly used TypedArray, specifically the Uint8Array, which is primarily utilized in byte-to-string operations. It excludes other TypedArray types, such as Int32Array, as they are generally not associated with taint propagation.

Additionally, this update adds support for ArrayBuffer and SharedArrayBuffer, which are frequently used in low-level operations and are often passed to TypedArray constructors.

Finally, the pull request includes taint propagation for TextDecoder, as it plays a key role in converting ArrayBuffer or TypedArray data into Strings.
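An added JavaScript example (not code from the PR or the CodeQL library) showing the kind of byte-to-string routes the description is about: a string enters as a Uint8Array, passes through ArrayBuffer and SharedArrayBuffer operations, and comes back out as a string via TextDecoder.decode or String.fromCharCode, with its content intact. Which specific operations the PR's flow summaries cover is only visible in the changed .qll files, not on this page; the three routes and the sample input here are my own choice.

```javascript
// Added example (not code from the PR or the CodeQL library): three
// byte-level routes from a string back to a string. If `input` is
// attacker-controlled, every value returned below carries the same content,
// so a taint model that stopped at Uint8Array, ArrayBuffer or
// SharedArrayBuffer would silently lose the flow before it reaches a sink.
const encoder = new TextEncoder();
const decoder = new TextDecoder("utf-8");

// Route 1: Uint8Array -> underlying ArrayBuffer -> fresh Uint8Array view
// -> TextDecoder.decode
function viaArrayBuffer(input) {
  const bytes = encoder.encode(input); // Uint8Array
  const ab = bytes.buffer.slice(
    bytes.byteOffset,
    bytes.byteOffset + bytes.byteLength,
  ); // ArrayBuffer copy of exactly the encoded bytes
  const view = new Uint8Array(ab); // new view over the copied bytes
  return decoder.decode(view);
}

// Route 2: Uint8Array.set into a SharedArrayBuffer-backed view, copy out,
// then TextDecoder.decode. (SharedArrayBuffer is a global in Node.js; in
// browsers it requires cross-origin isolation.)
function viaSharedArrayBuffer(input) {
  const bytes = encoder.encode(input);
  const sab = new SharedArrayBuffer(bytes.byteLength);
  const sharedView = new Uint8Array(sab);
  sharedView.set(bytes); // tainted bytes now live in shared memory
  const copy = new Uint8Array(sharedView); // copy back to a plain ArrayBuffer
  return decoder.decode(copy);
}

// Route 3: byte-to-string without TextDecoder, via String.fromCharCode on a
// subarray view. Correct only for ASCII input (one byte per code unit).
function viaFromCharCode(input) {
  const bytes = encoder.encode(input);
  const view = bytes.subarray(0, bytes.length); // shares the buffer, no copy
  return String.fromCharCode(...view);
}

// Run all routes; each result equals `input` for ASCII text, which is the
// whole reason taint has to survive every intermediate step.
function routes(input) {
  return {
    arrayBuffer: viaArrayBuffer(input),
    sharedArrayBuffer: viaSharedArrayBuffer(input),
    fromCharCode: viaFromCharCode(input),
  };
}

// Constructed sample of user-controlled data (ASCII only).
console.log(routes("name=<b>Mallory</b>&id=42"));
```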