reuse existing predicate from UnsafeJqueryPlugin

2026-04-25 16:55:19 +02:00 · 2020-04-23 14:25:34 +02:00
parent 09b6727e6d
commit 1954a60b6e
2 changed files with 24 additions and 37 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll
@@ -497,24 +497,11 @@ module JQuery {
      }
    }

-    /**
-     * Gets a node that is written to `$.fn[something]`.
-     * JQuery plugins are registered this way.
-     */
-    private DataFlow::Node getAFnWrite() {
-      exists(DataFlow::PropWrite write, DataFlow::PropRead jQueryFN |
-        write.getBase() = jQueryFN and
-        jQueryFN.getBase().getALocalSource() = JQuery::dollar() and
-        jQueryFN.getPropertyName() = "fn" and
-        result = write.getRhs()
-      )
-    }
-
    /**
     * Gets a node that is backtracked from a node written to `$.fn[something]`.
     */
    private DataFlow::SourceNode writtenToJqueryFN(DataFlow::TypeBackTracker t) {
-      t.start() and result = getAFnWrite().getALocalSource()
+      t.start() and result = any(DataFlow::Node plugin | jQueryPluginDefinition(_, plugin)).getALocalSource()
      or
      exists(DataFlow::TypeBackTracker t2 | result = writtenToJqueryFN(t2).backtrack(t2, t))
    }
@@ -624,4 +611,27 @@ module JQuery {
      node = getArgument(0)
    }
  }
+
+  /**
+   * Holds for jQuery plugin definitions of the form `$.fn.<pluginName> = <plugin>`.
+   */
+  predicate jQueryPluginDefinition(string pluginName, DataFlow::Node plugin) {
+    exists(DataFlow::PropRead fn, DataFlow::PropWrite write |
+      fn = jquery().getAPropertyRead("fn") and
+      (
+        write = fn.getAPropertyWrite()
+        or
+        exists(ExtendCall extend, DataFlow::SourceNode source |
+          fn.flowsTo(extend.getDestinationOperand()) and
+          source = extend.getASourceOperand() and
+          write = source.getAPropertyWrite()
+        )
+      ) and
+      plugin = write.getRhs() and
+      (
+        pluginName = write.getPropertyName() or
+        write.getPropertyNameExpr().flow().mayHaveStringValue(pluginName)
+      )
+    )
+  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
@@ -49,29 +49,6 @@ module UnsafeJQueryPlugin {
    }
  }

-  /**
-   * Holds for jQuery plugin definitions of the form `$.fn.<pluginName> = <plugin>`.
-   */
-  private predicate jQueryPluginDefinition(string pluginName, DataFlow::Node plugin) {
-    exists(DataFlow::PropRead fn, DataFlow::PropWrite write |
-      fn = jquery().getAPropertyRead("fn") and
-      (
-        write = fn.getAPropertyWrite()
-        or
-        exists(ExtendCall extend, DataFlow::SourceNode source |
-          fn.flowsTo(extend.getDestinationOperand()) and
-          source = extend.getASourceOperand() and
-          write = source.getAPropertyWrite()
-        )
-      ) and
-      plugin = write.getRhs() and
-      (
-        pluginName = write.getPropertyName() or
-        write.getPropertyNameExpr().flow().mayHaveStringValue(pluginName)
-      )
-    )
-  }
-
  /**
   * Gets a node that is registered as a jQuery plugin method at `def`.
   */