JS: Use sanitizerOut in PrototypePollutingAssignment

2026-04-29 10:45:15 +02:00 · 2023-07-11 15:12:33 +02:00
parent 03bdebe3b3
commit 1a395c5b34
1 changed files with 3 additions and 12 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
@@ -55,20 +55,11 @@ class Configuration extends TaintTracking::Configuration {
    )
  }

-  override predicate isSanitizerEdge(
-    DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel lbl
-  ) {
+  override predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowLabel lbl) {
    // Suppress the value-preserving step src -> dst in `extend(dst, src)`. This is modeled as a value-preserving
    // step because it preserves all properties, but the destination is not actually Object.prototype.
-    exists(ExtendCall call |
-      pred = call.getASourceOperand() and
-      (
-        succ = call.getDestinationOperand().getALocalSource()
-        or
-        succ = call
-      ) and
-      lbl instanceof ObjectPrototype
-    )
+    node = any(ExtendCall call).getASourceOperand() and
+    lbl instanceof ObjectPrototype
  }

  override predicate isAdditionalFlowStep(