
Commit e43e5ed

committed
JS: Include steps from summaries
1 parent c3c5b62 commit e43e5ed


3 files changed

+17
-3
lines changed


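--- a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -8,6 +8,7 @@
 import javascript
 private import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps
 private import semmle.javascript.dataflow.internal.PreCallGraphStep
+private import semmle.javascript.dataflow.internal.sharedlib.SummaryTypeTracker as SummaryTypeTracker
 private import internal.CachedStages
 
 /**
@@ -818,6 +819,11 @@ module API {
 not DataFlow::PseudoProperties::isPseudoProperty(prop)
 )
 or
+exists(DataFlow::ContentSet contents |
+SummaryTypeTracker::basicStoreStep(pred.getALocalUse(), rhs, contents) and
+lbl = Label::content(contents.getAStoreContent())
+)
+or
 exists(DataFlow::FunctionNode fn |
 fn = pred and
 lbl = Label::return()
@@ -1010,6 +1016,11 @@ module API {
 // avoid generating member edges like "$arrayElement$"
 not DataFlow::PseudoProperties::isPseudoProperty(prop)
 )
+or
+exists(DataFlow::ContentSet contents |
+SummaryTypeTracker::basicLoadStep(pred.getALocalUse(), ref, contents) and
+lbl = Label::content(contents.getAStoreContent())
+)
 )
 or
 exists(DataFlow::Node def, DataFlow::FunctionNode fn |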
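Review bot: The new load-step disjunct in the third hunk (old line 1010) labels the edge with `contents.getAStoreContent()` even though it matches `basicLoadStep`, so a content set whose read side is wider than its store side would only produce an edge for the single store content and the remaining reads would not reach the API graph; if `DataFlow::ContentSet` exposes a read-side accessor (I believe it is `getAReadContent()`, please confirm), the use side should be `lbl = Label::content(contents.getAReadContent())` while the rhs side in the second hunk keeps `getAStoreContent()`. Both new disjuncts are undocumented, unlike the neighbouring `// avoid generating member edges ...` branch; a one-liner such as `// Follow store/load steps from flow summaries (e.g. array element writes and reads) so API-graph edges cover summarized library calls` above each would tell the next reader why the summary type tracker is consulted here. Since these edges now also come from summaries, a brief note that the label is limited to contents that `Label::content` accepts would document the implicit filtering. The enclosing predicates start and end outside the hunks.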

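--- a/javascript/ql/test/library-tests/frameworks/data/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/data/test.expected
@@ -82,6 +82,9 @@ taintFlow
 | test.js:274:6:274:39 | testlib ... eName() | test.js:274:6:274:39 | testlib ... eName() |
 | test.js:277:8:277:31 | "danger ... .danger | test.js:277:8:277:31 | "danger ... .danger |
 | test.js:284:8:284:16 | source[0] | test.js:284:8:284:16 | source[0] |
+| test.js:285:8:285:19 | source.pop() | test.js:285:8:285:19 | source.pop() |
+| test.js:286:18:286:18 | e | test.js:286:28:286:28 | e |
+| test.js:287:14:287:14 | e | test.js:287:24:287:24 | e |
 isSink
 | test.js:54:18:54:25 | source() | test-sink |
 | test.js:55:22:55:29 | source() | test-sink |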

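--- a/javascript/ql/test/library-tests/frameworks/data/test.js
+++ b/javascript/ql/test/library-tests/frameworks/data/test.js
@@ -282,7 +282,7 @@ function dangerConstant() {
 function arraySource() {
 const source = testlib.getSourceArray();
 sink(source[0]); // NOT OK
-sink(source.pop()); // NOT OK [INCONSISTENCY]
-source.forEach(e => sink(e)); // // NOT OK [INCONSISTENCY]
-source.map(e => sink(e)); // // NOT OK [INCONSISTENCY]
+sink(source.pop()); // NOT OK
+source.forEach(e => sink(e)); // NOT OK
+source.map(e => sink(e)); // NOT OK
 }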
