SoheilKhodayari/JAW

RecursionError in _get_varname_value_from_context

Opened this issue · 0 comments

jndre commented

When parsing JS code that has some kind of recursion and includes a sink, the data flow analysis infinitely recurses until we receive RecursionError: maximum recursion depth exceeded.

Example for request hijacking:

```html
<html>

<body>
    <script>
        let source = location.hash;

        function foo(param, depth) {
            if (depth > 10) {
                fetch(param);
            } else {
                bar(param, depth + 1);
            }
        }

        function bar(param, depth) {
            foo(param, depth + 1);
        }

        foo(source, 0);
    </script>
</body>

</html>
```

The recursion in the data flow analysis goes:

  • _get_varname_value_from_context
  • get_function_def_of_block_stmt
  • check_if_function_has_param
  • get_function_call_values_of_function_definitions
  • _get_varname_value_from_context ...

This bug was triggered by some third-party library scripts.
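A visited set keyed on (function, parameter) is one way to make a call-site walk like the one listed above terminate on mutually recursive functions. The following is an added example, not JAW's code: the `PARAMS`, `CALLS` and `TOP_LEVEL` tables and the `resolve_param` function are hypothetical names, constructed to model the `foo`/`bar` snippet from the report.

```python
# Constructed model of the snippet in the report (not JAW's data structures).
# function name -> ordered parameter names
PARAMS = {"foo": ["param", "depth"], "bar": ["param", "depth"]}
# call sites: (enclosing function or None for top level, callee, argument expressions)
CALLS = [
    (None, "foo", ["source", "0"]),
    ("foo", "bar", ["param", "depth + 1"]),
    ("bar", "foo", ["param", "depth + 1"]),
]
# top-level variable -> initializer expression
TOP_LEVEL = {"source": "location.hash"}


def resolve_param(func, name, visited=None, guard=True):
    """Return the expressions that can flow into parameter `name` of `func`.

    With guard=False the walk mirrors the unbounded behaviour in the report:
    foo's parameter is resolved via bar's call site, which is resolved via
    foo's call site, and so on until Python raises RecursionError.
    """
    visited = set() if visited is None else visited
    if guard and (func, name) in visited:
        # Already being resolved in this query: following it again adds nothing.
        return set()
    visited.add((func, name))

    idx = PARAMS[func].index(name)
    values = set()
    for caller, callee, args in CALLS:
        if callee != func:
            continue
        arg = args[idx]
        if caller is not None and arg in PARAMS[caller]:
            # The argument is itself a parameter of the enclosing function,
            # so its value comes from that function's own call sites.
            values |= resolve_param(caller, arg, visited, guard)
        elif caller is None:
            values.add(TOP_LEVEL.get(arg, arg))
        else:
            values.add(arg)
    return values


if __name__ == "__main__":
    print(resolve_param("foo", "param"))  # value reaching fetch(param)
```

The visited set is shared across the whole query, so each (function, parameter) pair is expanded once and its values still reach the root through the union.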