static analysis for synchronous calls on attacker-controlled objects?
Opened this issue · 0 comments
From recent discussion:
something as innocent as
amount.brandby the defender enables the attacker to reenter at that moment
this made me wonder about tools to help review for such things... which reminded me of refactoring tools that would let us query for obj.prop. I don't suppose these tools know much about whether obj is attacker-controlled. I suppose that needs more flow-control-analysis a la #35 .
tab dump:
fast codemod refactor - Google Search: https://www.google.com/search?q=fast+codemod+refactor&ei=AIBSYdnjI-2E9PwPoKKCyAM&oq=fast+codemod+refactor&gs_lcp=Cgdnd3Mtd2l6EAMyBQghEKABOgUIABCRAjoRCC4QgAQQsQMQgwEQxwEQ0QM6BQgAEIAEOggIABCABBCxAzoLCAAQgAQQsQMQgwE6DgguEIAEELEDEMcBEKMCOgsILhCABBDHARCjAjoECAAQQzoICAAQgAQQyQM6BQgAEJIDOgUILhCABDoICC4QgAQQsQM6CwgAEIAEELEDEMkDOgcIABCABBAKOgYIABAWEB46BQghEKsCOgcIIRAKEKABSgQIQRgAUNzWAlit7gJgsPACaABwAngAgAGPAYgBkhCSAQQxNS42mAEAoAEBwAEB&sclient=gws-wiz&ved=0ahUKEwjZ46PN0aDzAhVtAp0JHSCRADkQ4dUDCA8&uact=5
Refactoring With Codemods and jscodeshift | Toptal: https://www.toptal.com/javascript/write-code-to-rewrite-your-code
facebookincubator/fastmod: A fast partial replacement for the codemod tool: https://github.com/facebookincubator/fastmod
rajasegar/awesome-codemods: Awesome list of codemods for various languages, libraries and frameworks: https://github.com/rajasegar/awesome-codemods
James Doyle | Fastmod Codemod For Refactoring: https://ohdoylerules.com/tricks/fastmod-codemod-for-refactoring/
facebook/jscodeshift: A JavaScript codemod toolkit.: https://github.com/facebook/jscodeshift
benjamn/recast: JavaScript syntax tree transformer, nondestructive pretty-printer, and automatic source map generator: https://github.com/benjamn/recast