JS: Fix the ExtendCall restriction

2026-04-30 03:05:15 +02:00 · 2023-04-17 12:30:08 +02:00
parent eafef91dbc
commit 13b1e97caa
3 changed files with 5 additions and 22 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
@@ -62,7 +62,11 @@ class Configuration extends TaintTracking::Configuration {
    // step because it preserves all properties, but the destination is not actually Object.prototype.
    exists(ExtendCall call |
      pred = call.getASourceOperand() and
-      succ = call.getDestinationOperand().getALocalSource() and
+      (
+        succ = call.getDestinationOperand().getALocalSource()
+        or
+        succ = call
+      ) and
      lbl instanceof ObjectPrototype
    )
  }
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected
@@ -1 +0,0 @@
-| query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js:120 | did not expect an alert, but found an alert for PrototypePollutingAssignment | OK - 'object' is not Object.prototype itself (but possibly a copy) | PrototypePollutingAssignment |
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
@@ -190,16 +190,6 @@ nodes
 | tst.js:105:5:105:17 | object[taint] |
 | tst.js:105:5:105:17 | object[taint] |
 | tst.js:105:12:105:16 | taint |
-| tst.js:116:9:116:38 | taint |
-| tst.js:116:17:116:38 | String( ... y.data) |
-| tst.js:116:24:116:37 | req.query.data |
-| tst.js:116:24:116:37 | req.query.data |
-| tst.js:119:9:119:51 | object |
-| tst.js:119:18:119:51 | Object. ... taint]) |
-| tst.js:119:36:119:50 | plainObj[taint] |
-| tst.js:119:45:119:49 | taint |
-| tst.js:120:5:120:10 | object |
-| tst.js:120:5:120:10 | object |
 edges
 | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
 | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
@@ -376,15 +366,6 @@ edges
 | tst.js:102:24:102:37 | req.query.data | tst.js:102:17:102:38 | String( ... y.data) |
 | tst.js:105:12:105:16 | taint | tst.js:105:5:105:17 | object[taint] |
 | tst.js:105:12:105:16 | taint | tst.js:105:5:105:17 | object[taint] |
-| tst.js:116:9:116:38 | taint | tst.js:119:45:119:49 | taint |
-| tst.js:116:17:116:38 | String( ... y.data) | tst.js:116:9:116:38 | taint |
-| tst.js:116:24:116:37 | req.query.data | tst.js:116:17:116:38 | String( ... y.data) |
-| tst.js:116:24:116:37 | req.query.data | tst.js:116:17:116:38 | String( ... y.data) |
-| tst.js:119:9:119:51 | object | tst.js:120:5:120:10 | object |
-| tst.js:119:9:119:51 | object | tst.js:120:5:120:10 | object |
-| tst.js:119:18:119:51 | Object. ... taint]) | tst.js:119:9:119:51 | object |
-| tst.js:119:36:119:50 | plainObj[taint] | tst.js:119:18:119:51 | Object. ... taint]) |
-| tst.js:119:45:119:49 | taint | tst.js:119:36:119:50 | plainObj[taint] |
 #select
 | lib.js:6:7:6:9 | obj | lib.js:1:43:1:46 | path | lib.js:6:7:6:9 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:1:43:1:46 | path | library input |
 | lib.js:15:3:15:14 | obj[path[0]] | lib.js:14:38:14:41 | path | lib.js:15:3:15:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:14:38:14:41 | path | library input |
@@ -413,4 +394,3 @@ edges
 | tst.js:94:5:94:37 | obj[req ... ', '')] | tst.js:94:9:94:19 | req.query.x | tst.js:94:5:94:37 | obj[req ... ', '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:94:9:94:19 | req.query.x | user controlled input |
 | tst.js:97:5:97:46 | obj[req ... g, '')] | tst.js:97:9:97:19 | req.query.x | tst.js:97:5:97:46 | obj[req ... g, '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:97:9:97:19 | req.query.x | user controlled input |
 | tst.js:105:5:105:17 | object[taint] | tst.js:102:24:102:37 | req.query.data | tst.js:105:5:105:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:102:24:102:37 | req.query.data | user controlled input |
-| tst.js:120:5:120:10 | object | tst.js:116:24:116:37 | req.query.data | tst.js:120:5:120:10 | object | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:116:24:116:37 | req.query.data | user controlled input |
				`@@ -1 +0,0 @@`
				`\| query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js:120 \| did not expect an alert, but found an alert for PrototypePollutingAssignment \| OK - 'object' is not Object.prototype itself (but possibly a copy) \| PrototypePollutingAssignment \|`