Merge pull request #15760 from asgerf/js/summarised-tt-store-steps

JS: Summarise store steps for type tracking
2026-04-29 02:35:15 +02:00 · 2024-03-08 13:16:25 +01:00
parent a9bab18804 fc5b9e2796
commit 245cd5c0b5
2 changed files with 71 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll
@@ -45,6 +45,8 @@ private module Cached {
      CopyStep(PropertyName prop) or
      LoadStoreStep(PropertyName fromProp, PropertyName toProp) {
        SharedTypeTrackingStep::loadStoreStep(_, _, fromProp, toProp)
+        or
+        summarizedLoadStoreStep(_, _, fromProp, toProp)
      } or
      WithoutPropStep(PropertySet props) { SharedTypeTrackingStep::withoutPropStep(_, _, props) }
  }
@@ -69,6 +71,26 @@ private module Cached {
    AccessPath::isAssignedInUniqueFile(global)
  }

+  bindingset[fun]
+  pragma[inline_late]
+  private DataFlow::PropRead getStoredPropRead(DataFlow::FunctionNode fun, string storeProp) {
+    result = fun.getAReturn().getALocalSource().getAPropertySource(storeProp)
+  }
+
+  /**
+   * Holds if `loadProp` of `param` is stored in the `storeProp` property of the return value of `fun`.
+   */
+  pragma[nomagic]
+  private predicate summarizedLoadStoreStep(
+    DataFlow::ParameterNode param, DataFlow::FunctionNode fun, string loadProp, string storeProp
+  ) {
+    exists(DataFlow::PropRead read |
+      read = getStoredPropRead(fun, storeProp) and
+      read.getBase().getALocalSource() = param and
+      read.getPropertyName() = loadProp
+    )
+  }
+
  /**
   * INTERNAL: Use `TypeBackTracker.smallstep()` instead.
   */
@@ -156,6 +178,14 @@ private module Cached {
        exists(string prop |
          param.getAPropertyRead(prop).flowsTo(fun.getAReturn()) and
          summary = LoadStep(prop)
+          or
+          fun.getAReturn().getALocalSource().getAPropertySource(prop) = param and
+          summary = StoreStep(prop)
+        )
+        or
+        exists(string loadProp, string storeProp |
+          summarizedLoadStoreStep(param, fun, loadProp, storeProp) and
+          summary = LoadStoreStep(loadProp, storeProp)
        )
      ) and
      if param = fun.getAParameter()