JS: Restrict domValueRef to known DOM property names

asgerf · asgerf · commit f23c6030aab5 · 2020-06-10T15:14:23.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -291,11 +291,25 @@ module DOM {
      */
     abstract class Range extends DataFlow::Node { }
 
+    private string getADomPropertyName() {
+      exists(ExternalInstanceMemberDecl decl |
+        result = decl.getName() and
+        isDomRootType(decl.getDeclaringType().getASupertype*())
+      )
+    }
+
     private class DefaultRange extends Range {
       DefaultRange() {
         this.asExpr().(VarAccess).getVariable() instanceof DOMGlobalVariable
         or
-        this = domValueRef().getAPropertyRead()
+        exists(DataFlow::PropRead read |
+          this = read and
+          read = domValueRef().getAPropertyRead()
+        |
+          not read.mayHavePropertyName(_)
+          or
+          read.mayHavePropertyName(getADomPropertyName())
+        )
         or
         this = domElementCreationOrQuery()
         or
diff --git a/javascript/ql/test/library-tests/DOM/Customizations.expected b/javascript/ql/test/library-tests/DOM/Customizations.expected
@@ -4,9 +4,5 @@ test_locationRef
 | customization.js:3:3:3:14 | doc.location |
 test_domValueRef
 | customization.js:4:3:4:28 | doc.get ... 'test') |
-| tst.js:45:8:45:7 | this |
-| tst.js:46:7:46:12 | this.x |
 | tst.js:49:3:49:8 | window |
 | tst.js:50:3:50:8 | window |
-| tst.js:50:3:50:14 | window.myApp |
-| tst.js:50:3:50:18 | window.myApp.foo |
