add lValueFlowStep for rest-pattern nested inside a property-pattern (and removed old incorrect approach)

erik-krogh · erik-krogh · commit b8a9ac39f4e5 · 2020-06-09T18:16:00.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/DefUse.qll b/javascript/ql/src/semmle/javascript/DefUse.qll
@@ -85,12 +85,6 @@ private predicate defn(ControlFlowNode def, Expr lhs) {
   exists(EnumMember member | def = member.getIdentifier() |
     lhs = def and not exists(member.getInitializer())
   )
-  or
-  exists(PropertyPattern prop, ObjectPattern obj, Expr rest |
-    prop.getValuePattern() = obj and obj.getRest() = rest
-  |
-    lhs = rest and def = prop
-  )
 }
 
 /**
diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -1347,6 +1347,11 @@ module DataFlow {
       succ = lvalueNode(pattern.getValuePattern())
     )
     or
+    exists(PropertyPattern pattern | 
+      pred = TPropNode(pattern) and
+      succ = lvalueNode(pattern.getValuePattern().(ObjectPattern).getRest())
+    )
+    or
     exists(Expr element |
       pred = TElementPatternNode(_, element) and
       succ = lvalueNode(element)
@@ -1386,11 +1391,6 @@ module DataFlow {
       succ = valueNode(v.getAUse())
     )
     or
-    exists(SsaExplicitDefinition def |
-      pred.getAstNode() = def.getDef() and
-      succ = TSsaDefNode(def)
-    )
-    or
     exists(Expr predExpr, Expr succExpr |
       pred = valueNode(predExpr) and succ = valueNode(succExpr)
     |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected
@@ -79,7 +79,7 @@ nodes
 | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() |
 | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() |
 | command-line-parameter-command-injection.js:43:22:43:62 | require ... e().foo |
-| command-line-parameter-command-injection.js:48:3:50:3 | args |
+| command-line-parameter-command-injection.js:47:8:53:12 | args |
 | command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} |
 | command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} |
 | command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args |
@@ -155,9 +155,9 @@ edges
 | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() | command-line-parameter-command-injection.js:43:22:43:62 | require ... e().foo |
 | command-line-parameter-command-injection.js:43:22:43:62 | require ... e().foo | command-line-parameter-command-injection.js:43:10:43:62 | "cmd.sh ... e().foo |
 | command-line-parameter-command-injection.js:43:22:43:62 | require ... e().foo | command-line-parameter-command-injection.js:43:10:43:62 | "cmd.sh ... e().foo |
-| command-line-parameter-command-injection.js:48:3:50:3 | args | command-line-parameter-command-injection.js:55:22:55:25 | args |
-| command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line-parameter-command-injection.js:48:3:50:3 | args |
-| command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line-parameter-command-injection.js:48:3:50:3 | args |
+| command-line-parameter-command-injection.js:47:8:53:12 | args | command-line-parameter-command-injection.js:55:22:55:25 | args |
+| command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line-parameter-command-injection.js:47:8:53:12 | args |
+| command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line-parameter-command-injection.js:47:8:53:12 | args |
 | command-line-parameter-command-injection.js:55:22:55:25 | args | command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args |
 | command-line-parameter-command-injection.js:55:22:55:25 | args | command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args |
 #select

Original file line number	Diff line number	Diff line change
`@@ -85,12 +85,6 @@ private predicate defn(ControlFlowNode def, Expr lhs) {`
`85`	`85`	`exists(EnumMember member \| def = member.getIdentifier() \|`
`86`	`86`	`lhs = def and not exists(member.getInitializer())`
`87`	`87`	`)`
`88`		`- or`
`89`		`- exists(PropertyPattern prop, ObjectPattern obj, Expr rest \|`
`90`		`- prop.getValuePattern() = obj and obj.getRest() = rest`
`91`		`- \|`
`92`		`- lhs = rest and def = prop`
`93`		`- )`
`94`	`88`	`}`
`95`	`89`
`96`	`90`	`/**`