Detect JavaScript object injection using taint analysis

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Work on this issue
• Close this issue

We previously removed the detect-object-injection rule from SAST because it was extremely prone to false-positive results—it flagged essentially any non-constant object access like a[x] whenever x was not an identifiably-constant string or a number. (gitlab-org/security-products/sast-rules!150 (merged))

As suggested by @dbolkensteyn in this comment, perhaps we can create a better replacement now.

The replacement would only detect user input being used in this potentially dangerous way, rather than detecting such an overly-broad set of accesses.