代码示例1

    1. import javascript
    3. from DataFlow::MethodCallNode readFile, DataFlow::Node source
    4. where
    5.   readFile.getMethodName() = "readFile" and
    6.   source.getASuccessor*() = readFile.getArgument(0)
    7. select source

    捕获示例1
    image.png
    捕获示例2
    image.png

    1. import javascript
    3. from DataFlow::CallNode method, DataFlow::Node source
    4. where
    5.     method = DataFlow::globalVarRef("document").getAMethodCall("write")
    6.     and source.getASuccessor*() = method.getArgument(0)
    8. select source

    捕获示例
    image.png
    Taint tracking

    1. import javascript
    3. class WriteLocationConfiguration extends TaintTracking::Configuration {
    4.     WriteLocationConfiguration() { this = "WriteLocationConfiguration" }
    6.   override predicate isSource(DataFlow::Node source) {
    7.     DataFlow::globalVarRef("document").getAPropertyRead("location").getAPropertyRead() = source
    8.   }
    10.   override predicate isSink(DataFlow::Node sink) {
    11.     DataFlow::globalVarRef("document").getAMethodCall("write").getArgument(0) = sink
    12.   }
    13. }
    15. from WriteLocationConfiguration cfg, DataFlow::Node source, DataFlow::Node sink
    16. where cfg.hasFlow(source, sink)
    17. select source, sink

    捕获示例
    image.png