apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-06 19:35:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/tests/fixtures/async_promise_chain_js
History
Eli Peter 55247b7fcd
Critical bug fixes and recall improvements (#68)
2026-05-11 12:42:39 -04:00
..
chain.js Release/0.5.0 (#35) 2026-04-25 17:59:11 -04:00
expectations.json Critical bug fixes and recall improvements (#68) 2026-05-11 12:42:39 -04:00
README.md Critical bug fixes and recall improvements (#68) 2026-05-11 12:42:39 -04:00

README.md

async_promise_chain_js — chained-receiver promise taint

Intended flow

A promise chain reads process.env.PREFIX inside the second .then callback, concatenates it with fetched text, and sinks the result via child_process.exec from the third callback. The intended finding is taint-unsanitised-flow from the env source to the exec sink.

Engine behaviour

The engine now closes this gap. The chained-receiver promise shape (fetch(...).then(..).then(..).then(..)) keeps each .then call's identity at the CFG level so try_apply_promise_callback and the synthetic source_to_callback emission see the chain head's Source label and seed the callback's first parameter, propagating taint through the chain to the exec sink.

Expectation

required_findings pins the taint flow finding so a future regression that re-collapses the chain (e.g. an inner-call rewrite that erases the outer .then identity) will fail this test.