qtil
advanced-security/qtil-javascript 0.0.3

Module TaintTracking

Provides classes for modeling taint propagation.

Import path

import semmle.javascript.dataflow.TaintTracking

Imports

Public

Public taint step relations.

Predicates

isNumberGuard

Holds if guard is a test that checks if operand is a number.

isStringTypeGuard

A test for the value of typeof x, restricting the potential types of x.

isTypeofGuard

Holds if test is a guard that checks if operand is typeof tag.

isUrlSearchParams

Holds if params is a construction of a URLSearchParams that parses the parameters in input.

sharedTaintStep

Holds if pred -> succ is an edge used by all taint-tracking configurations.

Classes

AdHocWhitelistCheckSanitizer

A check of the form if(<isWhitelisted>(x)), which sanitizes x in its “then” branch.

AdditionalSanitizerGuardNode

A SanitizerGuardNode that controls which taint tracking configurations it is used in.

Configuration

A data flow tracking configuration that considers taint propagation through objects, arrays, promises and strings in addition to standard data flow.

ErrorConstructorTaintStep

A taint step through an exception constructor, such as x to new Error(x).

InSanitizer

A check of the form if(x in o), which sanitizes x in its “then” branch.

IsEmptyGuard

A test of the form x.length === "0", preventing x from being tainted.

LabeledSanitizerGuardNode

A sanitizer guard node that only blocks specific flow labels.

MembershipTestSanitizer

A check of the form whitelist.includes(x) or equivalent, which sanitizes x in its “then” branch.

PositiveIndexOfSanitizer

A check of the form x.indexOf(y) > 0 or similar, which sanitizes y in the “then” branch.

SanitizerGuardNode

A node that can act as a sanitizer when appearing in a condition.

SanitizingRegExpTest

A conditional checking a tainted string against a regular expression, which is considered to be a sanitizer for all configurations.

SharedTaintStep

A taint-propagating data flow edge that should be added to all taint tracking configurations in addition to standard data flow edges.

StringConcatenationTaintStep

A taint propagating data flow edge arising from string concatenations.

TypeOfUndefinedSanitizer

A check of the form typeof x === "undefined", which sanitizes x in its “then” branch.

UndefinedCheckSanitizer

A check of the form if(o[x] != undefined), which sanitizes x in its “then” branch.

UtilInspectTaintStep

A taint step through the Node.js function util.inspect(..).

WhitelistContainmentCallSanitizer

A check of the form if(o.<contains>(x)), which sanitizes x in its “then” branch.