JS: Note issue with .apply() calls

asgerf · asgerf · commit 34e6864fa3bc · 2024-08-27T11:35:27.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
@@ -25,6 +25,7 @@ predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2)
     node1 = TValueNode(invoke.getAnArgument().stripParens().(SpreadElement).getOperand()) and
     node2 = TDynamicArgumentStoreNode(invoke, c) and
     c.isUnknownArrayElement()
+    // TODO: we need a similar case for .apply() calls
   )
 }
 
diff --git a/javascript/ql/test/library-tests/TaintTracking/array-mutation.js b/javascript/ql/test/library-tests/TaintTracking/array-mutation.js
@@ -29,11 +29,11 @@ function test(x, y) {
 
   let h = [];
   Array.prototype.push.apply(h, source());
-  sink(h); // NOT OK
+  sink(h); // NOT OK [INCONSISTENCY]
 
   let i = [];
   Array.prototype.unshift.apply(i, source());
-  sink(i); // NOT OK
+  sink(i); // NOT OK [INCONSISTENCY]
 
   let j = [];
   j[j.length] = source();

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2)`
`25`	`25`	`node1 = TValueNode(invoke.getAnArgument().stripParens().(SpreadElement).getOperand()) and`
`26`	`26`	`node2 = TDynamicArgumentStoreNode(invoke, c) and`
`27`	`27`	`c.isUnknownArrayElement()`
	`28`	`+ // TODO: we need a similar case for .apply() calls`
`28`	`29`	`)`
`29`	`30`	`}`
`30`	`31`