add ParameterAccessPathSimpleFromArgumentTraversal

2026-05-20 22:27:18 +02:00 · 2022-03-30 08:25:10 +02:00
parent 886662de8d
commit 103295688e
1 changed files with 33 additions and 3 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
@@ -213,7 +213,8 @@ private newtype TEndPointFeature =
  TCalleeAccessPath() or
  TCalleeAccessPathWithStructuralInfo() or
  TEnclosingFunctionBody() or
-  TCalleeAccessPathSimpleFromArgumentTraversal()
+  TCalleeAccessPathSimpleFromArgumentTraversal() or
+  TParameterAccessPathSimpleFromArgumentTraversal()

 abstract class EndPointFeature extends TEndPointFeature {
  abstract string getEncoding();
@@ -375,6 +376,19 @@ private module SyntacticUtilities {
    )
  }

+  string getSimpleParameterAccessPath(DataFlow::Node node) {
+    if exists(DataFlow::CallNode call | node = call.getArgument(_))
+    then exists(DataFlow::CallNode call, int i | node = call.getArgument(i) | result = i + "")
+    else
+      if exists(ObjectExpr o | o.getAProperty().getInit().getUnderlyingValue() = node.asExpr())
+      then
+        exists(DataFlow::PropWrite w |
+          w.getRhs() = node and
+          result = getSimpleParameterAccessPath(w.getBase()) + "." + getPropertyNameOrUnknown(w)
+        )
+      else result = "?"
+  }
+
  string getSimpleAccessPath(DataFlow::Node node) {
    if node.asExpr() instanceof SuperAccess
    then result = "super"
@@ -397,8 +411,8 @@ private module SyntacticUtilities {
  }
 }

-string getPropertyNameOrUnknown(DataFlow::PropRead read) {
-  if exists(read.getPropertyName()) then result = read.getPropertyName() else result = "?"
+string getPropertyNameOrUnknown(DataFlow::PropRef ref) {
+  if exists(ref.getPropertyName()) then result = ref.getPropertyName() else result = "?"
 }

 class CalleeAccessPathSimpleFromArgumentTraversal extends EndPointFeature,
@@ -416,3 +430,19 @@ class CalleeAccessPathSimpleFromArgumentTraversal extends EndPointFeature,
    )
  }
 }
+
+class ParameterAccessPathSimpleFromArgumentTraversal extends EndPointFeature,
+  TParameterAccessPathSimpleFromArgumentTraversal {
+  override string getEncoding() { result = "ParameterAccessPathSimpleFromArgumentTraversal" }
+
+  override string getValue(DataFlow::Node endpoint) {
+    exists(DataFlow::InvokeNode invk |
+      result = SyntacticUtilities::getSimpleParameterAccessPath(endpoint) and
+      (
+        invk.getAnArgument() = endpoint or
+        SyntacticUtilities::getANestedProperty(invk.getAnArgument().asExpr().getUnderlyingValue())
+            .flow() = endpoint
+      )
+    )
+  }
+}