Merge pull request #89 from esben-semmle/js/sharpen-type-confusion

JS: remove emptiness checks from the type confusion `x.length` sinks
2026-05-01 03:35:13 +02:00 · 2018-08-23 08:04:09 +01:00
parent 1aa7a2cfc2 b4c77b8344
commit 2187b0c245
3 changed files with 36 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTampering.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTampering.qll
@@ -101,7 +101,22 @@ module TypeConfusionThroughParameterTampering {

    LengthAccess() {
      exists (DataFlow::PropRead read |
-        read.accesses(this, "length")
+        read.accesses(this, "length") and
+        // exclude truthiness checks on the length: an array/string confusion cannot control an emptiness check
+        not (
+          exists (ConditionGuardNode cond |
+            read.asExpr() = cond.getTest()
+          )
+          or
+          exists (Comparison cmp, Expr zero |
+            zero.getIntValue() = 0 and
+            cmp.hasOperands(read.asExpr(), zero)
+          )
+          or
+          exists (LogNotExpr neg |
+            neg.getOperand() = read.asExpr()
+          )
+        )
      )
    }

--- a/javascript/ql/test/query-tests/Security/CWE-843/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-843/tst.js
@@ -50,3 +50,22 @@ express().get('/some/path/:foo', function(req, res) {
    var foo = req.params.foo;
    foo.indexOf(); // OK
 });
+
+express().get('/some/path/:foo', function(req, res) {
+    if (req.query.path.length) {} // OK
+    req.query.path.length == 0; // OK
+    !req.query.path.length; // OK
+    req.query.path.length > 0; // OK
+});
+
+express().get('/some/path/:foo', function(req, res) {
+    let p = req.query.path;
+
+    if (typeof p !== 'string') {
+      return;
+    }
+
+    while (p.length) { // OK
+      p = p.substr(1);
+    }
+});