codeql/javascript/ql/test/library-tests/frameworks/AsyncPackage/map.js at 575da5c31c8909a99a64dc20571bb7c23aa22635 · trailofbits/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
let async_ = require('async');

function source() {
    return 'TAINT'
}
function sink(x) {
    console.log(x)
}

function call_sink(x) {
    sink(x)
}

async_.map([source()],
    (item, cb) => {
        sink(item), // NOT OK
        cb(null, 'safe');
    },
    (err, result) => sink(result) // OK
);

async_.map(['safe'],
    (item, cb) => {
        let src = source();
        cb(null, src);
    },
    (err, result) => sink(result) // NOT OK
);

async_.map([source()],
    (item, cb) => cb(null, item.substring(1)),
    (err, result) => sink(result) // NOT OK
);

async_.map(['safe'],
    (item, cb) => cb(null, item),
    (err, result) => sink(result) // OK
);

async_.map([source()], call_sink) // NOT OK

async_.map(source().prop, call_sink) // NOT OK

async_.map({a: source()}, call_sink) // NOT OK

async_.mapLimit([source()], 1, call_sink) // NOT OK