move Array.from to ArrayCreationNode

erik-krogh · erik-krogh · commit 0f0187d58565 · 2020-03-09T10:26:21.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/Arrays.qll b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -219,7 +219,6 @@ private module ArrayDataFlow {
    */
   private class ArrayCreationStep extends DataFlow::AdditionalFlowStep, DataFlow::Node {
     ArrayCreationStep() {
-      this = DataFlow::globalVarRef("Array").getAPropertyRead("from").getACall() or
       this instanceof DataFlow::ArrayCreationNode
     }
 
@@ -228,11 +227,8 @@ private module ArrayDataFlow {
      */
     override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
       prop = arrayElement() and
-      succ = this and
-      (
-        pred = this.(DataFlow::CallNode).getAnArgument() or
-        pred = this.(DataFlow::ArrayCreationNode).getAnElement()
-      )
+      pred = this.(DataFlow::ArrayCreationNode).getAnElement() and
+      succ = this
     }
   }
 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -587,8 +587,8 @@ class ArrayConstructorInvokeNode extends DataFlow::InvokeNode {
 }
 
 /**
- * A data flow node corresponding to the creation or a new array, either through an array literal
- * or an invocation of the `Array` constructor.
+ * A data flow node corresponding to the creation or a new array, either through an array literal, 
+ * an invocation of the `Array` constructor, or the `Array.from` method.
  *
  *
  * Examples:
@@ -598,18 +598,23 @@ class ArrayConstructorInvokeNode extends DataFlow::InvokeNode {
  * new Array('apple', 'orange')
  * Array(16)
  * new Array(16)
+ * Array.from(1,2,3);
  * ```
  */
 class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {
   ArrayCreationNode() {
     this instanceof ArrayLiteralNode or
-    this instanceof ArrayConstructorInvokeNode
+    this instanceof ArrayConstructorInvokeNode or
+    this = DataFlow::globalVarRef("Array").getAPropertyRead("from").getACall()
   }
 
   /** Gets the `i`th initial element of this array, if one is provided. */
   DataFlow::ValueNode getElement(int i) {
     result = this.(ArrayLiteralNode).getElement(i) or
-    result = this.(ArrayConstructorInvokeNode).getElement(i)
+    result = this.(ArrayConstructorInvokeNode).getElement(i) or
+    exists(DataFlow::CallNode call | call.getCalleeName() = "from" | 
+      result = call.getArgument(i)
+    )
   }
 
   /** Gets an initial element of this array, if one if provided. */
@@ -618,7 +623,10 @@ class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {
   /** Gets the initial size of the created array, if it can be determined. */
   int getSize() {
     result = this.(ArrayLiteralNode).getSize() or
-    result = this.(ArrayConstructorInvokeNode).getSize()
+    result = this.(ArrayConstructorInvokeNode).getSize() or
+    exists(DataFlow::CallNode call | call.getCalleeName() = "from" | 
+      result = call.getNumArgument()
+    )
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -219,7 +219,6 @@ private module ArrayDataFlow {`
`219`	`219`	`*/`
`220`	`220`	`private class ArrayCreationStep extends DataFlow::AdditionalFlowStep, DataFlow::Node {`
`221`	`221`	`ArrayCreationStep() {`
`222`		`- this = DataFlow::globalVarRef("Array").getAPropertyRead("from").getACall() or`
`223`	`222`	`this instanceof DataFlow::ArrayCreationNode`
`224`	`223`	`}`
`225`	`224`
`@@ -228,11 +227,8 @@ private module ArrayDataFlow {`
`228`	`227`	`*/`
`229`	`228`	`override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {`
`230`	`229`	`prop = arrayElement() and`
`231`		`- succ = this and`
`232`		`- (`
`233`		`- pred = this.(DataFlow::CallNode).getAnArgument() or`
`234`		`- pred = this.(DataFlow::ArrayCreationNode).getAnElement()`
`235`		`- )`
	`230`	`+ pred = this.(DataFlow::ArrayCreationNode).getAnElement() and`
	`231`	`+ succ = this`
`236`	`232`	`}`
`237`	`233`	`}`
`238`	`234`