📌 Initial Context
I have a Node.js project with the following structure:
`categories/index.js`:

```javascript
const Categories = {};
// Each feature module receives the shared object and attaches its methods to it.
require('./search')(Categories);
module.exports = Categories;
```

`categories/search.js`:

```javascript
module.exports = function (Categories) {
  Categories.search = function (arg) {
    // implementation here
  };
};
```

`main.js`:

```javascript
const categories = require('../categories');
categories.search("payload");
```
📌 The Problem with CodeQL Analysis
I want to write a TaintTracking query in CodeQL to track data from
categories.search("payload") in main.js into the actual implementation of the function defined in search.js.
However, by default, CodeQL does not automatically connect through these steps:
require('../categories') → the Categories object from index.js.
require('./search')(Categories) → the parameter Categories inside search.js.
Categories.search = function(...) { ... } → linking the .search property to the function body.
As a result, when running taint tracking, the flow always stops at the callsite categories.search("payload") and never enters the function body.
📌 Question
👉 How can I write an AdditionalTaintStep (or the proper configuration) so that CodeQL understands that the taint flow can propagate from the callsite categories.search("...") in main.js all the way into the body of the function defined in search.js?
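An added example (not code from this thread, from CodeQL's own library, or from NodeBB) of a query that supplies the missing hop with `isAdditionalFlowStep`: it looks for the `module.exports = function (obj) { obj.name = function (...) {...} }` augmentation pattern and steps from the i-th argument of any call `x.name(...)` into the i-th parameter of the function assigned to `obj.name`. It assumes the source is the string literal `"payload"` and uses the implementation's parameter as the sink, so a result means the flow has entered the function body; the callee is matched by method name only, which over-approximates when two modules add a method with the same name.

```ql
/**
 * @name Taint into a method added by a module-augmentation function
 * @kind path-problem
 * @id js/example/augmented-method-taint
 */

import javascript

/** The function exported by some module as `module.exports = function (...) {...}`. */
DataFlow::FunctionNode moduleExportFunction() {
  exists(AssignExpr a, PropAccess lhs |
    lhs = a.getLhs() and
    lhs.getBase().(VarAccess).getName() = "module" and
    lhs.getPropertyName() = "exports" and
    result = a.getRhs().flow().getALocalSource()
  )
}

/**
 * The function assigned to property `name` of an object that an exported
 * function received as a parameter, e.g. `Categories.search = function (arg) {...}`.
 * Assumption: the augmenting module is invoked as `require('./search')(Categories)`;
 * that call itself is not checked here.
 */
DataFlow::FunctionNode augmentedMethod(string name) {
  exists(DataFlow::PropWrite pw |
    pw = moduleExportFunction().getAParameter().getAPropertyWrite(name) and
    result = pw.getRhs().getALocalSource()
  )
}

module AugmentedMethodConfig implements DataFlow::ConfigSig {
  // Source assumed for this example: the literal passed at the callsite.
  predicate isSource(DataFlow::Node source) {
    source.asExpr().(StringLiteral).getValue() = "payload"
  }

  // Sink: the parameter of the implementation, i.e. entry into the function body.
  predicate isSink(DataFlow::Node sink) { sink = augmentedMethod(_).getAParameter() }

  // Extra step: argument i of `something.name(...)` -> parameter i of the augmented method.
  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(DataFlow::CallNode call, string name, int i |
      call.getCalleeName() = name and
      pred = call.getArgument(i) and
      succ = augmentedMethod(name).getParameter(i)
    )
  }
}

module AugmentedMethodFlow = TaintTracking::Global<AugmentedMethodConfig>;

import AugmentedMethodFlow::PathGraph

from AugmentedMethodFlow::PathNode source, AugmentedMethodFlow::PathNode sink
where AugmentedMethodFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Taint from $@ reaches the body of an augmented method.",
  source.getNode(), "this literal"
```

To use it on a real codebase, replace `isSource` and `isSink` with the sources and sinks you actually care about and keep only the `isAdditionalFlowStep` predicate.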
Replies: 1 comment 1 reply
Can you show the code for the query that you're working on?
Hello, the source code that I am querying is here, an open-source project: https://github.com/NodeBB/NodeBB/blob/f9edb13f6209b075d4a53c130d1bba166ae188fa/src/api/search.js#L64