Graphorin API reference v0.7.0
Graphorin API reference / @graphorin/security / / TaintFlowKind
Type Alias: TaintFlowKind
ts
type TaintFlowKind = "untrusted-to-sink" | "lethal-trifecta" | "derived-untrusted-to-sink";Defined in: packages/security/src/dataflow/types.ts:60
The kind of tainted data flow the policy detected at a sink.
'untrusted-to-sink'- untrusted content (or a verbatim chunk of it) is being passed into the sink's arguments. The precise, low false-positive signal: direct exfiltration of untrusted content.'lethal-trifecta'- the conservative signal: a sink fires while both untrusted content and secret-tier data have entered the run, even when no verbatim carry is provable. Catches the paraphrased "untrusted instruction drives a secret exfiltration" case at the cost of more false positives (hence shadow-mode-first + declassification).'derived-untrusted-to-sink'(C6,derivedTaint: 'strict') - the CaMeL-style control-flow-integrity signal: once untrusted content has entered the run, EVERY subsequent model-driven sink call is treated as derived from it - paraphrase-robust by construction, deliberately coarse. Fires only when the verbatim probe did not already match (verbatim keeps the precise label).