JS: Fix bad join order from use of getAType() = TTRegExp

2026-04-27 17:55:19 +02:00 · 2020-05-08 09:19:38 +01:00
parent b049136008
commit 255424cdc2
1 changed files with 14 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -569,6 +569,12 @@ module TaintTracking {
    }
  }

+  pragma[nomagic]
+  private DataFlow::MethodCallNode execMethodCall() {
+    result.getMethodName() = "exec" and
+    result.getReceiver().analyze().getAType() = TTRegExp()
+  }
+
  /**
   * A taint-propagating data flow edge from the first (and only) argument in a call to
   * `RegExp.prototype.exec` to its result.
@@ -576,8 +582,7 @@ module TaintTracking {
  private class RegExpExecTaintStep extends SharedTaintStep {
    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
      exists(DataFlow::MethodCallNode call |
-        call.getReceiver().analyze().getAType() = TTRegExp() and
-        call.getMethodName() = "exec" and
+        call = execMethodCall() and
        call.getNumArgument() = 1 and
        pred = call.getArgument(0) and
        succ = call
@@ -585,15 +590,20 @@ module TaintTracking {
    }
  }

+  pragma[nomagic]
+  private DataFlow::MethodCallNode matchMethodCall() {
+    result.getMethodName() = "match" and
+    result.getArgument(0).analyze().getAType() = TTRegExp()
+  }
+
  /**
   * A taint propagating data flow edge arising from calling `String.prototype.match()`.
   */
  private class StringMatchTaintStep extends SharedTaintStep {
    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
      exists(DataFlow::MethodCallNode call |
-        call.getMethodName() = "match" and
+        call = matchMethodCall() and
        call.getNumArgument() = 1 and
-        call.getArgument(0).analyze().getAType() = TTRegExp() and
        pred = call.getReceiver() and
        succ = call
      )