move Array.from to ArrayCreationNode

2026-04-29 02:35:15 +02:00 · 2020-03-09 10:26:21 +01:00
parent dc4e361d75
commit 0f0187d585
2 changed files with 15 additions and 11 deletions
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -219,7 +219,6 @@ private module ArrayDataFlow {
   */
  private class ArrayCreationStep extends DataFlow::AdditionalFlowStep, DataFlow::Node {
    ArrayCreationStep() {
-      this = DataFlow::globalVarRef("Array").getAPropertyRead("from").getACall() or
      this instanceof DataFlow::ArrayCreationNode
    }

@@ -228,11 +227,8 @@ private module ArrayDataFlow {
     */
    override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
      prop = arrayElement() and
-      succ = this and
-      (
-        pred = this.(DataFlow::CallNode).getAnArgument() or
-        pred = this.(DataFlow::ArrayCreationNode).getAnElement()
-      )
+      pred = this.(DataFlow::ArrayCreationNode).getAnElement() and
+      succ = this
    }
  }

--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -587,8 +587,8 @@ class ArrayConstructorInvokeNode extends DataFlow::InvokeNode {
 }

 /**
- * A data flow node corresponding to the creation or a new array, either through an array literal
- * or an invocation of the `Array` constructor.
+ * A data flow node corresponding to the creation or a new array, either through an array literal, 
+ * an invocation of the `Array` constructor, or the `Array.from` method.
 *
 *
 * Examples:
@@ -598,18 +598,23 @@ class ArrayConstructorInvokeNode extends DataFlow::InvokeNode {
 * new Array('apple', 'orange')
 * Array(16)
 * new Array(16)
+ * Array.from(1,2,3);
 * ```
 */
 class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {
  ArrayCreationNode() {
    this instanceof ArrayLiteralNode or
-    this instanceof ArrayConstructorInvokeNode
+    this instanceof ArrayConstructorInvokeNode or
+    this = DataFlow::globalVarRef("Array").getAPropertyRead("from").getACall()
  }

  /** Gets the `i`th initial element of this array, if one is provided. */
  DataFlow::ValueNode getElement(int i) {
    result = this.(ArrayLiteralNode).getElement(i) or
-    result = this.(ArrayConstructorInvokeNode).getElement(i)
+    result = this.(ArrayConstructorInvokeNode).getElement(i) or
+    exists(DataFlow::CallNode call | call.getCalleeName() = "from" | 
+      result = call.getArgument(i)
+    )
  }

  /** Gets an initial element of this array, if one if provided. */
@@ -618,7 +623,10 @@ class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {
  /** Gets the initial size of the created array, if it can be determined. */
  int getSize() {
    result = this.(ArrayLiteralNode).getSize() or
-    result = this.(ArrayConstructorInvokeNode).getSize()
+    result = this.(ArrayConstructorInvokeNode).getSize() or
+    exists(DataFlow::CallNode call | call.getCalleeName() = "from" | 
+      result = call.getNumArgument()
+    )
  }
 }