add test for data-flow on arrays

erik-krogh · erik-krogh · commit 8e3cf5c9c815 · 2020-03-09T09:25:17.000+01:00
diff --git a/javascript/ql/test/library-tests/Arrays/DataFlow.ql b/javascript/ql/test/library-tests/Arrays/DataFlow.ql
@@ -0,0 +1,17 @@
+import javascript
+
+class ArrayFlowConfig extends DataFlow::Configuration {
+  ArrayFlowConfig() { this = "ArrayFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr().getStringValue() = "source"
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument()
+  }
+}
+
+from ArrayFlowConfig config, DataFlow::Node src, DataFlow::Node snk
+where config.hasFlow(src, snk)
+select src, snk
diff --git a/javascript/ql/test/library-tests/Arrays/arrays.js b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -0,0 +1,42 @@
+(function () {
+  let source = "source";
+
+  var obj = { foo: source };
+  sink(obj.foo); // NOT OK
+
+  var arr = [];
+  arr.push(source);
+
+  for (var i = 0; i < arr.length; i++) {
+    sink(arr[i]); // NOT OK
+  }
+
+
+  arr.forEach((e) => sink(e)); // NOT OK
+  arr.map((e) => sink(e)); // NOT OK
+
+  [1, 2, 3].map(i => "source").forEach(e => sink(e)); // NOT OK.
+
+  sink(arr.pop()); // NOT OK
+
+  var arr2 = Array.from("source");
+  sink(arr2.pop()); // NOT OK
+
+  var arr3 = ["source"];
+  sink(arr3.pop()); // NOT OK
+
+  var arr4 = [];
+  arr4.splice(0, 0, "source");
+  sink(arr4.pop()); // NOT OK
+
+  var arr5 = [].concat(arr4);
+  sink(arr5.pop()); // NOT OK
+
+  sink(arr5.slice(2).pop()); // NOT OK
+
+  var arr6 = [];
+  for (var i = 0; i < arr5.length; i++) {
+    arr6[i] = arr5[i];
+  }
+  sink(arr6.pop()); // NOT OK
+});
