javascript

package
v0.1.7 Latest
Warning

This package is not in the latest version of its module.

Published: Jan 5, 2026 | License: MIT | Imports: 12 | Imported by: 0

Documentation

Overview

Filename: javascript/definitions.go

Filename: javascript/fingerprinter.go
This module implements a flow-sensitive static taint analysis engine featuring object sensitivity (Level 2) and inter-procedural analysis (Level 3).

Filename: javascript/helpers.go

Filename: javascript/state.go
Defines the abstract state model for tracking taint, including object sensitivity (Level 2) and function summaries for inter-procedural analysis (Level 3).

Filename: javascript/walker.go
Core logic for traversing the AST and tracking taint flow with object sensitivity and inter-procedural analysis support.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NodeContent

func NodeContent(node *sitter.Node, source []byte) string

NodeContent extracts the string content of a node from the source byte slice.

func SourceLocationHash

func SourceLocationHash(loc *SourceLocation) string

SourceLocationHash computes a hash of a source location.

func SourceLocationSearch

func SourceLocationSearch(locs []*SourceLocation, loc *SourceLocation) bool

SourceLocationSearch searches for a source location in a slice of source locations.

Types

type AnalyzerContext

type AnalyzerContext struct {
	// Maps function identifiers to their computed summaries.
	Summaries map[RefID]*FunctionSummary
	// contains filtered or unexported fields
}

AnalyzerContext holds the state required across different passes of the analysis (IPA).

func NewAnalyzerContext

func NewAnalyzerContext() *AnalyzerContext

NewAnalyzerContext creates a new context for multi-pass analysis.

func (*AnalyzerContext) AddIntraProceduralFinding

func (ac *AnalyzerContext) AddIntraProceduralFinding(finding StaticFinding)

AddIntraProceduralFinding safely adds a finding discovered during the summarization phase.

func (*AnalyzerContext) GetIntraProceduralFindings

func (ac *AnalyzerContext) GetIntraProceduralFindings() []StaticFinding

GetIntraProceduralFindings returns the findings collected during summarization.

type Fingerprinter

type Fingerprinter struct {
	// contains filtered or unexported fields
}

Fingerprinter analyzes JavaScript source code to find potential taint flows.

func NewFingerprinter

func NewFingerprinter(logger *zap.Logger) *Fingerprinter

NewFingerprinter creates a new static analyzer.

func (*Fingerprinter) Analyze

func (f *Fingerprinter) Analyze(filename, content string) ([]StaticFinding, error)

Analyze parses and analyzes the AST of a JavaScript file using a multi-pass approach.

type FunctionSummary

type FunctionSummary struct {
	// RefID is the unique identifier for the function declaration.
	RefID RefID

	// TaintsReturn indicates if the function returns tainted data derived from a global source.
	TaintsReturn bool

	// TaintedParams maps the index of a parameter to whether it flows to a sink within the function.
	TaintedParams map[int]bool

	// ParamToReturn maps the index of a parameter to whether it flows to the return value.
	ParamToReturn map[int]bool
}

FunctionSummary describes the taint behavior of a function.

func NewFunctionSummary

func NewFunctionSummary(id RefID) *FunctionSummary

NewFunctionSummary initializes a summary for a given function reference.
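How a summary with these fields can be consumed at a call site, as an added example that is not the package's own code: the struct copies the fields documented above with RefID reduced to a string, while `call`, `eval` and the hand-written summaries are hypothetical.

```go
package main

import "fmt"

// FunctionSummary mirrors the fields shown on this page (RefID reduced to string).
type FunctionSummary struct {
	RefID         string
	TaintsReturn  bool
	TaintedParams map[int]bool
	ParamToReturn map[int]bool
}

// call is a hypothetical call expression; callee == "" marks a leaf value.
type call struct {
	callee  string
	args    []*call
	tainted bool // leaf only: value comes straight from a taint source
}

// eval applies summaries bottom-up and records "callee#arg" for each sink hit.
func eval(c *call, sums map[string]FunctionSummary, hits *[]string) bool {
	if c.callee == "" {
		return c.tainted
	}
	sum := sums[c.callee] // unknown callees get the zero summary (assumption)
	ret := sum.TaintsReturn
	for i, a := range c.args {
		if !eval(a, sums, hits) {
			continue
		}
		if sum.TaintedParams[i] {
			*hits = append(*hits, fmt.Sprintf("%s#%d", c.callee, i))
		}
		ret = ret || sum.ParamToReturn[i]
	}
	return ret
}

func main() {
	// Constructed: function wrap(x){return x}  function render(h){el.innerHTML = h}
	sums := map[string]FunctionSummary{
		"wrap":   {RefID: "wrap", ParamToReturn: map[int]bool{0: true}},
		"render": {RefID: "render", TaintedParams: map[int]bool{0: true}},
	}
	var hits []string
	expr := &call{callee: "render", args: []*call{{callee: "wrap", args: []*call{{tainted: true}}}}}
	eval(expr, sums, &hits) // render(wrap(location.hash))
	fmt.Println(hits)
}
```

Treating unknown callees as neutral keeps the sketch short; an analyzer that prefers false positives over misses would propagate argument taint to the return value instead.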

type LocationInfo

type LocationInfo struct {
	File    string
	Line    int
	Column  int
	Snippet string
}

LocationInfo holds the detailed location and snippet of a finding.

func FormatLocation

func FormatLocation(filename string, node *sitter.Node, source []byte) LocationInfo

FormatLocation converts a Tree-sitter Node location to detailed LocationInfo.

func (LocationInfo) String

func (l LocationInfo) String() string

type ObjectTaint

type ObjectTaint struct {
	// Maps property names (strings) to their taint state.
	Properties map[string]TaintState
	// If true, indicates that we lost precision (e.g., computed property assignment),
	// so the entire object should be considered tainted.
	StructureTainted bool
}

ObjectTaint represents an object or array where specific properties/indices might be tainted.

func NewObjectTaint

func NewObjectTaint() *ObjectTaint

NewObjectTaint initializes an empty ObjectTaint structure.

func (*ObjectTaint) GetPropertyTaint

func (t *ObjectTaint) GetPropertyTaint(propName string) TaintState

GetPropertyTaint retrieves the taint state of a specific property.

func (*ObjectTaint) GetSource

func (t *ObjectTaint) GetSource() core.TaintSource

GetSource returns a generic source marker as an object doesn't have a single origin.

func (*ObjectTaint) GetSources

func (t *ObjectTaint) GetSources() map[core.TaintSource]bool

GetSources returns the union of sources from all properties.

func (*ObjectTaint) IsTainted

func (t *ObjectTaint) IsTainted() bool

IsTainted returns true if any property or the structure itself is tainted.

func (*ObjectTaint) Merge

func (t *ObjectTaint) Merge(other TaintState) TaintState

Merge combines two ObjectTaint states or merges a SimpleTaint into an ObjectTaint.

func (*ObjectTaint) SetPropertyTaint

func (t *ObjectTaint) SetPropertyTaint(propName string, state TaintState)

SetPropertyTaint sets the taint state of a specific property.
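A simplified model of the property-level join and of the StructureTainted fallback described above, as an added example rather than the package's implementation: `srcSet`, `objTaint`, `join` and `read` are hypothetical names, and plain strings stand in for core.TaintSource.

```go
package main

import "fmt"

// srcSet holds taint origins; plain strings stand in for core.TaintSource.
type srcSet map[string]bool

func (s srcSet) add(o srcSet) srcSet {
	for k := range o {
		s[k] = true
	}
	return s
}

// objTaint is a hypothetical, simplified stand-in for the page's ObjectTaint.
type objTaint struct {
	props            map[string]srcSet
	structureTainted bool
}

// join merges two branch states: per-property union, flags OR-ed.
func join(a, b *objTaint) *objTaint {
	out := &objTaint{map[string]srcSet{}, a.structureTainted || b.structureTainted}
	for _, o := range []*objTaint{a, b} {
		for p, s := range o.props {
			out.props[p] = srcSet{}.add(out.props[p]).add(s)
		}
	}
	return out
}

// read returns the origins reaching o.<prop>; after precision loss, all of them.
func (o *objTaint) read(prop string) srcSet {
	out := srcSet{}.add(o.props[prop])
	for _, s := range o.props {
		if o.structureTainted {
			out.add(s)
		}
	}
	return out
}

func main() {
	// Constructed input: if (c) { o.a = location.hash } else { o.b = document.cookie }
	then := &objTaint{props: map[string]srcSet{"a": {"location.hash": true}}}
	els := &objTaint{props: map[string]srcSet{"b": {"document.cookie": true}}}
	o := join(then, els)
	fmt.Println(o.read("a"), o.read("c")) // o.a is tainted, o.c is clean
	o.structureTainted = true             // models o[k] = v with an unknown key
	fmt.Println(o.read("c"))              // now reports both origins
}
```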

type RefID

type RefID string

RefID is a unique identifier for function tracking.

type SimpleTaint

type SimpleTaint struct {
	// Sources is a set of origins for the taint.
	Sources map[core.TaintSource]bool
	// Line tracking represents the location of the earliest introduced source.
	Line int
}

SimpleTaint represents a tainted primitive value or a value where structure is unknown. It is the Least Upper Bound (LUB) of SimpleTaint and ObjectTaint.

func NewSimpleTaint

func NewSimpleTaint(source core.TaintSource, line int) SimpleTaint

NewSimpleTaint creates a new SimpleTaint record.

func (SimpleTaint) GetSource

func (t SimpleTaint) GetSource() core.TaintSource

GetSource returns a representative source string for reporting.

func (SimpleTaint) GetSources

func (t SimpleTaint) GetSources() map[core.TaintSource]bool

func (SimpleTaint) IsTainted

func (t SimpleTaint) IsTainted() bool

func (SimpleTaint) Merge

func (t SimpleTaint) Merge(other TaintState) TaintState

Merge combines this state with another TaintState. (Lattice Join Operation)

type SourceLocation

type SourceLocation struct {
	File   string `json:"file"`
	Line   int    `json:"line"`
	Column int    `json:"column"`
}

SourceLocation represents a location in a source file.

func (*SourceLocation) String

func (s *SourceLocation) String() string

String returns a string representation of the source location.

type StaticFinding

type StaticFinding struct {
	Source     core.TaintSource
	Sink       core.TaintSink // The specific sink name identified statically
	SinkType   core.SinkType  // The impact category
	Location   LocationInfo
	Confidence string // High, Medium, Low

	// CanonicalType is crucial for correlation with dynamic findings (Step 5).
	CanonicalType schemas.TaintSink
}

StaticFinding represents a potential vulnerability found via static analysis.

type StaticSinkDefinition

type StaticSinkDefinition struct {
	Name          core.TaintSink
	Type          core.SinkType
	CanonicalType schemas.TaintSink
	TaintedArgs   []int
}

StaticSinkDefinition maps the core definition to the walker's needs. We keep this struct here to maintain the walker's independence and support specific logic like TaintedArgs.

func CheckIfSinkFunction

func CheckIfSinkFunction(path []string) (StaticSinkDefinition, bool)

CheckIfSinkFunction checks if a function call path matches a known sink.

func CheckIfSinkProperty

func CheckIfSinkProperty(path []string) (StaticSinkDefinition, bool)

CheckIfSinkProperty checks if a property access path leads to a sink.

type TaintState

type TaintState interface {
	IsTainted() bool
	// GetSource returns a representative origin of the taint (for reporting).
	GetSource() core.TaintSource
	// GetSources returns the set of all taint origins.
	GetSources() map[core.TaintSource]bool
	// Merge combines this state with another TaintState (the lattice join operation).
	Merge(other TaintState) TaintState
}

TaintState represents the abstract taint status of a variable or property.

type WalkerMode

type WalkerMode int

WalkerMode defines the operation mode of the AST walker.

const (
	// ModeAnalyze performs the main taint analysis, utilizing summaries.
	ModeAnalyze WalkerMode = iota
	// ModeSummarize analyzes functions to determine their taint behavior.
	ModeSummarize
)
