6 changes: 3 additions & 3 deletions .github/workflows/pull-request-status-check-changelog.yml
@@ -27,18 +27,18 @@ jobs:
- name: Install changelog validator
run: |
# Install Node.js tool for Keep a Changelog validation
npm install -g keep-a-changelog
npm install -g keep-a-changelog@2.8.0

- name: Validate changelog format
run: |
echo "Validating CHANGELOG.md format according to Keep a Changelog..."

# Use keep-a-changelog to validate the changelog format
if ! npx keep-a-changelog CHANGELOG.md > /dev/null 2>&1; then
if ! npx keep-a-changelog@2.8.0 CHANGELOG.md > /dev/null 2>&1; then
echo "❌ CHANGELOG.md is not valid according to Keep a Changelog format"
echo "Please ensure your changelog follows the format at https://keepachangelog.com"
echo "Validation output:"
npx keep-a-changelog CHANGELOG.md
npx keep-a-changelog@2.8.0 CHANGELOG.md
exit 1
fi

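Review bot: The version `2.8.0` is now written out in three separate commands (the `npm install -g` line and both `npx` calls), so a later bump that misses one of them would leave the install step and the validation step running different releases. Defining it once, for example a job-level `env:` entry `KAC_VERSION: "2.8.0"` (name constructed here) and `keep-a-changelog@${KAC_VERSION}` in the three commands, keeps them in step. The pin also covers only the top-level package: its transitive dependencies are still resolved at install time, so if reproducibility of this check matters, a committed lockfile installed with `npm ci` would be the stronger control. The `jobs:` block continues outside the hunk.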
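--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.15.3] - 2026-02-23
+
+### Fixed
+- Add intra-file taint propagation after seeding phase in both `AnalyzeLibraryPackage` and `FindAffectedFiles`, so that symbols referencing other tainted symbols in the same file are also marked as tainted before BFS starts
+
 ## [0.15.2] - 2026-02-20
 
 ### Fixed
@@ -192,6 +197,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Multi-stage Docker build
 - Automated vendor upgrade workflow
 
+[0.15.3]: https://github.com/gooddata/gooddata-goodchanges/compare/v0.15.2...v0.15.3
 [0.15.2]: https://github.com/gooddata/gooddata-goodchanges/compare/v0.15.1...v0.15.2
 [0.15.1]: https://github.com/gooddata/gooddata-goodchanges/compare/v0.15.0...v0.15.1
 [0.15.0]: https://github.com/gooddata/gooddata-goodchanges/compare/v0.14.2...v0.15.0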
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
0.15.2
0.15.3
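--- a/internal/analyzer/analyzer.go
+++ b/internal/analyzer/analyzer.go
@@ -714,6 +714,38 @@ func AnalyzeLibraryPackage(projectFolder string, entrypoints []Entrypoint, merge
 return nil, nil
 }
 
+// Intra-file propagation for seeded taint.
+// When upstream taint or AST diff marks symbol A as tainted, other symbols
+// in the same file that reference A should also be tainted.
+// Example: if KdaDialogController taints KeyDriverAnalysisComponent, then
+// KeyDriverAnalysis = connect(...)(KeyDriverAnalysisComponent) should also be tainted.
+for stem, names := range tainted {
+analysis := fileAnalyses[stem]
+if analysis == nil || analysis.SourceFile == nil {
+continue
+}
+sourceText := analysis.SourceFile.Text()
+lineMap := analysis.SourceFile.ECMALineMap()
+changed := true
+for changed {
+changed = false
+for _, sym := range analysis.Symbols {
+if names[sym.Name] {
+continue
+}
+bodyText := tsparse.ExtractTextForLines(sourceText, lineMap, sym.StartLine, sym.EndLine)
+for tName := range names {
+if strings.Contains(bodyText, tName) {
+names[sym.Name] = true
+changed = true
+debugf(" %s: %s tainted via intra-file dep on %s (seed propagation)", stem, sym.Name, tName)
+break
+}
+}
+}
+}
+}
+
 // Build reverse import graph
 reverseImports := make(map[string][]string)
 for stem, edges := range importGraph {
@@ -1500,6 +1532,34 @@ func FindAffectedFiles(globPattern string, filterPattern string, upstreamTaint m
 return nil
 }
 
+// Intra-file propagation for seeded taint (same as in AnalyzeLibraryPackage).
+for stem, names := range tainted {
+analysis := fileAnalyses[stem]
+if analysis == nil || analysis.SourceFile == nil {
+continue
+}
+sourceText := analysis.SourceFile.Text()
+lineMap := analysis.SourceFile.ECMALineMap()
+changed := true
+for changed {
+changed = false
+for _, sym := range analysis.Symbols {
+if names[sym.Name] {
+continue
+}
+bodyText := tsparse.ExtractTextForLines(sourceText, lineMap, sym.StartLine, sym.EndLine)
+for tName := range names {
+if strings.Contains(bodyText, tName) {
+names[sym.Name] = true
+changed = true
+debugf(" %s: %s tainted via intra-file dep on %s (seed propagation)", stem, sym.Name, tName)
+break
+}
+}
+}
+}
+}
+
 // Symbol-level BFS propagation (same engine as AnalyzeLibraryPackage)
 debugf("=== Starting BFS taint propagation (FindAffectedFiles) ===")
 queue := make([]string, 0, len(tainted))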
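Review bot: `strings.Contains(bodyText, tName)` in the new seed-propagation loop is a raw substring test, so a tainted `Foo` also taints any symbol whose text contains `FooBar`, and if an empty name ever reaches the set it matches every symbol in the file, because `strings.Contains(s, "")` is always true. Over-tainting is the conservative direction for an impact analysis, but one short tainted name can cascade through the fixpoint loop and mark the whole file. An identifier-boundary match, as sketched below, narrows this; it still matches names inside comments and string literals. The same loop is pasted into both `AnalyzeLibraryPackage` and `FindAffectedFiles`, and a shared helper would stop the two copies drifting apart. Both functions begin and end outside the hunks shown, so how `tainted` is seeded is not visible here.

```go
// containsIdent reports whether name occurs in body as a whole identifier,
// not as part of a longer one (Foo must not match FooBar or myFoo).
func containsIdent(body, name string) bool {
	if name == "" {
		return false
	}
	for from := 0; ; {
		i := strings.Index(body[from:], name)
		if i < 0 {
			return false
		}
		start, end := from+i, from+i+len(name)
		if (start == 0 || !isIdentByte(body[start-1])) &&
			(end == len(body) || !isIdentByte(body[end])) {
			return true
		}
		from = start + 1
	}
}

// isIdentByte treats non-ASCII bytes as identifier bytes so Unicode names are not split.
func isIdentByte(c byte) bool {
	return c == '_' || c == '$' || c >= 0x80 ||
		'0' <= c && c <= '9' || 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z'
}

// … unchanged: per-file fixpoint loop over analysis.Symbols …
			for tName := range names {
				if containsIdent(bodyText, tName) {
// … unchanged: mark sym.Name tainted, log, break …
```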