JS: Add variant of test that passes

asgerf · asgerf · commit 028022158d6f · 2020-03-18T11:55:13.000Z
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility.expected b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility.expected
@@ -861,6 +861,28 @@ nodes
 | PrototypePollutionUtility/tests.js:357:31:357:41 | source[key] |
 | PrototypePollutionUtility/tests.js:357:31:357:41 | source[key] |
 | PrototypePollutionUtility/tests.js:357:38:357:40 | key |
+| PrototypePollutionUtility/tests.js:364:49:364:54 | source |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key |
+| PrototypePollutionUtility/tests.js:371:24:371:26 | key |
+| PrototypePollutionUtility/tests.js:371:24:371:26 | key |
+| PrototypePollutionUtility/tests.js:371:31:371:95 | mergePl ... ptions) |
+| PrototypePollutionUtility/tests.js:371:31:371:95 | mergePl ... ptions) |
+| PrototypePollutionUtility/tests.js:371:62:371:72 | target[key] |
+| PrototypePollutionUtility/tests.js:371:69:371:71 | key |
+| PrototypePollutionUtility/tests.js:371:75:371:80 | source |
+| PrototypePollutionUtility/tests.js:371:75:371:85 | source[key] |
+| PrototypePollutionUtility/tests.js:371:75:371:85 | source[key] |
+| PrototypePollutionUtility/tests.js:371:75:371:85 | source[key] |
+| PrototypePollutionUtility/tests.js:373:24:373:26 | key |
+| PrototypePollutionUtility/tests.js:373:24:373:26 | key |
+| PrototypePollutionUtility/tests.js:373:31:373:36 | source |
+| PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] |
+| PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] |
+| PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] |
+| PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] |
+| PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] |
+| PrototypePollutionUtility/tests.js:373:38:373:40 | key |
 | PrototypePollutionUtility/tests.js:381:14:381:16 | key |
 | PrototypePollutionUtility/tests.js:381:14:381:16 | key |
 | PrototypePollutionUtility/tests.js:381:14:381:16 | key |
@@ -2346,6 +2368,32 @@ edges
 | PrototypePollutionUtility/tests.js:357:31:357:41 | source[key] | PrototypePollutionUtility/tests.js:357:31:357:41 | source[key] |
 | PrototypePollutionUtility/tests.js:357:38:357:40 | key | PrototypePollutionUtility/tests.js:357:31:357:41 | source[key] |
 | PrototypePollutionUtility/tests.js:357:38:357:40 | key | PrototypePollutionUtility/tests.js:357:31:357:41 | source[key] |
+| PrototypePollutionUtility/tests.js:364:49:364:54 | source | PrototypePollutionUtility/tests.js:371:75:371:80 | source |
+| PrototypePollutionUtility/tests.js:364:49:364:54 | source | PrototypePollutionUtility/tests.js:373:31:373:36 | source |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:371:24:371:26 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:371:24:371:26 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:371:24:371:26 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:371:24:371:26 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:371:69:371:71 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:371:69:371:71 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:373:24:373:26 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:373:24:373:26 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:373:24:373:26 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:373:24:373:26 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:373:38:373:40 | key |
+| PrototypePollutionUtility/tests.js:366:18:366:20 | key | PrototypePollutionUtility/tests.js:373:38:373:40 | key |
+| PrototypePollutionUtility/tests.js:371:62:371:72 | target[key] | PrototypePollutionUtility/tests.js:371:31:371:95 | mergePl ... ptions) |
+| PrototypePollutionUtility/tests.js:371:62:371:72 | target[key] | PrototypePollutionUtility/tests.js:371:31:371:95 | mergePl ... ptions) |
+| PrototypePollutionUtility/tests.js:371:69:371:71 | key | PrototypePollutionUtility/tests.js:371:62:371:72 | target[key] |
+| PrototypePollutionUtility/tests.js:371:75:371:80 | source | PrototypePollutionUtility/tests.js:371:75:371:85 | source[key] |
+| PrototypePollutionUtility/tests.js:371:75:371:85 | source[key] | PrototypePollutionUtility/tests.js:364:49:364:54 | source |
+| PrototypePollutionUtility/tests.js:371:75:371:85 | source[key] | PrototypePollutionUtility/tests.js:364:49:364:54 | source |
+| PrototypePollutionUtility/tests.js:371:75:371:85 | source[key] | PrototypePollutionUtility/tests.js:364:49:364:54 | source |
+| PrototypePollutionUtility/tests.js:373:31:373:36 | source | PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] |
+| PrototypePollutionUtility/tests.js:373:31:373:36 | source | PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] |
+| PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] | PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] |
+| PrototypePollutionUtility/tests.js:373:38:373:40 | key | PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] |
+| PrototypePollutionUtility/tests.js:373:38:373:40 | key | PrototypePollutionUtility/tests.js:373:31:373:41 | source[key] |
 | PrototypePollutionUtility/tests.js:381:14:381:16 | key | PrototypePollutionUtility/tests.js:383:22:383:24 | key |
 | PrototypePollutionUtility/tests.js:381:14:381:16 | key | PrototypePollutionUtility/tests.js:383:22:383:24 | key |
 | PrototypePollutionUtility/tests.js:381:14:381:16 | key | PrototypePollutionUtility/tests.js:383:22:383:24 | key |
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility/tests.js b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility/tests.js
@@ -361,21 +361,21 @@ function mergePlainObjectsOnly(target, source) {
     return target;
 }
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+function mergePlainObjectsOnlyNoClosure(target, source) {
+    if (isNonArrayObject(target) && isNonArrayObject(source)) {
+        for (let key of Object.keys(source)) {
+            if (key === '__proto__') {
+                return;
+            }
+            if (isNonArrayObject(source[key]) && key in target) {
+                target[key] = mergePlainObjectsOnlyNoClosure(target[key], source[key], options);
+            } else {
+                target[key] = source[key]; // OK
+            }
+        }
+    }
+    return target;
+}
 
 function forEachProp(obj, callback) {
     for (let key in obj) {
