Done
Details
Assignee
Victor Diez
Reporter
Quentin Jaquier
Fix versions

Priority
Normal

Sentry
Created August 16, 2024 at 12:23 PM
Updated October 16, 2024 at 12:53 PM
Resolved August 30, 2024 at 7:59 AM
Even though ESTree contains only JS nodes, the temporary idea to support TS code is to simply “ignore” TS-specific nodes (the AST will contain “holes”).
We made sure it is possible to parse TS code, serialize it to Protobuf, and deserialize the message, but we lack the last step: it should be possible to map the Protobuf message to a Java ESTree.
The logic is currently crashing for such code:
const __sonar__ = require("__sonar__");
const sink = __sonar__.SQL_INJECTION_SINK;
const source = __sonar__.SQL_INJECTION_SOURCE;
const tainted = source();
// The following is TS code, but has no impact on the analysis.
if ("ts" as Object) {
  console.log("");
}
sink(tainted);
with the error:
java.lang.IllegalStateException: Expected interface org.sonar.plugins.javascript.api.estree.ESTree$Expression but got class org.sonar.plugins.javascript.api.estree.ESTree$Program
    at org.sonar.plugins.javascript.bridge.ESTreeFactory.from(ESTreeFactory.java:186)
    at org.sonar.plugins.javascript.bridge.ESTreeFactory.fromIfStatementType(ESTreeFactory.java:633)
    at org.sonar.plugins.javascript.bridge.ESTreeFactory.from(ESTreeFactory.java:164)
    at org.sonar.plugins.javascript.bridge.ESTreeFactory.lambda$from$0(ESTreeFactory.java:192)
    ...
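The following is an added illustration, not SonarJS code, of the round trip this ticket describes (TS AST, serialized message, consumer-side ESTree) and of the "hole" idea from the description. It models node kinds as integer tags the way a Protobuf enum would, with tag 0 being Program; 0 is also what an unset enum field decodes to, which is one way a TS node the serializer did not know how to tag can read back as a Program in an Expression slot, exactly the mismatch in the stack trace above. The tag numbering, the field names, the HOLE marker and the reduced AST are all assumptions made for the example; the real schema is not shown on this page.

```typescript
// Added example, not SonarJS code. Tag numbering, HOLE_TAG and field names
// are assumptions; the real protobuf schema is not shown in the ticket.
type AstNode = { type: string; [k: string]: unknown };
type MsgValue = Msg | Msg[] | string | number | boolean | null;
type Msg = { tag: number; fields: Record<string, MsgValue> };

// Tag 0 is Program. An unset protobuf enum field also decodes to 0.
const NODE_TAGS = ["Program", "ExpressionStatement", "IfStatement", "BlockStatement",
  "CallExpression", "MemberExpression", "Identifier", "Literal"];
const EXPRESSIONS = new Set(["CallExpression", "MemberExpression", "Identifier", "Literal"]);
const HOLE_TAG = -1; // explicit marker for a TS-only node (assumed, not the real schema)

// Producer side: known ESTree kinds get their tag; a TS-specific node is a
// hole. With markHoles=false it leaves with the default tag 0, i.e. "Program".
function serialize(node: AstNode, markHoles: boolean): Msg {
  const tag = NODE_TAGS.indexOf(node.type);
  if (tag < 0) return { tag: markHoles ? HOLE_TAG : 0, fields: {} };
  const fields: Record<string, MsgValue> = {};
  for (const [key, value] of Object.entries(node)) {
    if (key === "type") continue;
    if (Array.isArray(value)) fields[key] = value.map(c => serialize(c as AstNode, markHoles));
    else if (value !== null && typeof value === "object") fields[key] = serialize(value as AstNode, markHoles);
    else fields[key] = value as string | number | boolean | null;
  }
  return { tag, fields };
}

// Mirrors the check that throws in the ticket: an Expression slot must hold an
// Expression. A Hole is accepted as a deliberate gap; a mis-tagged Program is not.
function expectExpression(n: AstNode): AstNode {
  if (n.type === "Hole" || EXPRESSIONS.has(n.type)) return n;
  throw new Error(`Expected Expression but got ${n.type}`);
}

// Consumer side (the role ESTreeFactory plays in the ticket).
function deserialize(msg: Msg): AstNode {
  if (msg.tag === HOLE_TAG) return { type: "Hole" };
  const node: AstNode = { type: NODE_TAGS[msg.tag] ?? "Unknown" };
  for (const [key, value] of Object.entries(msg.fields)) {
    if (Array.isArray(value)) node[key] = value.map(deserialize);
    else if (value !== null && typeof value === "object") node[key] = deserialize(value);
    else node[key] = value;
  }
  if (node.type === "IfStatement") expectExpression(node.test as AstNode);
  if (node.type === "CallExpression") (node.arguments as AstNode[]).forEach(expectExpression);
  return node;
}

// Constructed, reduced ESTree for the tail of the ticket's snippet:
//   if ("ts" as Object) { } sink(tainted);
const ident = (name: string): AstNode => ({ type: "Identifier", name });
const PROGRAM: AstNode = {
  type: "Program",
  body: [
    { type: "IfStatement",
      test: { type: "TSAsExpression", expression: { type: "Literal", value: "ts" },
              typeAnnotation: { type: "TSTypeReference", typeName: ident("Object") } },
      consequent: { type: "BlockStatement", body: [] },
      alternate: null },
    { type: "ExpressionStatement",
      expression: { type: "CallExpression", callee: ident("sink"), arguments: [ident("tainted")] } },
  ],
};

function roundTrip(markHoles: boolean): AstNode {
  return deserialize(serialize(PROGRAM, markHoles));
}

// Without holes the consumer fails the same way the ticket's stack trace does.
function roundTripFailure(): string {
  try { roundTrip(false); return "no error"; }
  catch (e) { return (e as Error).message; }
}

// With holes, the sink call (what the taint analysis needs) survives intact.
function sinkArguments(program: AstNode): string[] {
  const out: string[] = [];
  for (const stmt of program.body as AstNode[]) {
    if (stmt.type !== "ExpressionStatement") continue;
    const call = stmt.expression as AstNode;
    if (call.type === "CallExpression" && (call.callee as AstNode).name === "sink") {
      out.push(...(call.arguments as AstNode[]).map(a => a.name as string));
    }
  }
  return out;
}
```

The design point is that a hole has to be represented explicitly on the wire: if the serializer just drops the type of a node it cannot map, the consumer sees the enum default and reports a nonsensical kind (here Program) in a slot that demanded an Expression, which is the failure mode in the stack trace. Once the gap is explicit, the consumer can accept it in Expression slots while still rejecting genuinely wrong node kinds.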