Skip to content

JS: sharpen js/clear-text-logging (ODASA-7485) #520

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from Nov 23, 2018
Merged

JS: sharpen js/clear-text-logging (ODASA-7485) #520

merged 1 commit into from Nov 23, 2018

Conversation

ghost
Copy link

@ghost ghost commented Nov 22, 2018

This PR sharpens js/clear-text-logging by not propagating through property reads, except if the read leads directly to a source.

As may be seen by the branch name, I first anticipated to implement this with flow labels. But in the end, it seemed simpler and safer to just add a single edge barrier.

The evaluation shows that performance is practically unchanged.

@ghost ghost added the JS label Nov 22, 2018
@ghost ghost self-requested a review as a code owner November 22, 2018 09:59
@ghost
Copy link
Author

ghost commented Nov 22, 2018

Ahem 😊

This is the one line that needs to be changed: b780f82#diff-05bc437cd4f51a47cff43223f844d989L55.

The character of TaintTracking::StringConcatenationTaintStep was way more permissive than expected, and included all AdditionalTaintSteps into a non-taint configuration...

asger-semmle
asger-semmle approved these changes Nov 22, 2018
View reviewed changes
Copy link
Contributor

@asger-semmle asger-semmle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@semmle-qlci semmle-qlci merged commit 04c2b23 into github:master Nov 23, 2018
cklin pushed a commit that referenced this pull request May 23, 2022
@smowton
Merge pull request #520 from sauyon/add-diagnosticfile
dbcf1e1 
Add a new diagnostics file class and use it for errors
@aliscco aliscco mentioned this pull request Aug 30, 2022
Open
@aliscco aliscco mentioned this pull request Sep 24, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@asger-semmle @semmle-qlci