add support for Object.hasOwn(obj, key)

2026-05-04 21:25:44 +02:00 · 2022-05-24 13:47:41 +02:00
parent 1717d17fb3
commit 2a97dd9f6f
11 changed files with 171 additions and 10 deletions
--- a/javascript/ql/lib/semmle/javascript/MembershipCandidates.qll
+++ b/javascript/ql/lib/semmle/javascript/MembershipCandidates.qll
@@ -234,6 +234,14 @@ module MembershipCandidate {
        test = hasOwn and
        hasOwn.calls(membersNode, "hasOwnProperty")
      )
+      or
+      exists(DataFlow::CallNode hasOwn |
+        hasOwn = DataFlow::globalVarRef("Object").getAMemberCall("hasOwn")
+      |
+        hasOwn.getArgument(0).asExpr() = membersNode and
+        this = hasOwn.getArgument(1) and
+        test = hasOwn.asExpr()
+      )
    }

    override DataFlow::Node getTest() { result = test.flow() }
--- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -1027,18 +1027,16 @@ module TaintTracking {
  class WhitelistContainmentCallSanitizer extends AdditionalSanitizerGuardNode,
    DataFlow::MethodCallNode {
    WhitelistContainmentCallSanitizer() {
-      exists(string name |
-        name = "contains" or
-        name = "has" or
-        name = "hasOwnProperty"
-      |
-        this.getMethodName() = name
-      )
+      this.getMethodName() = ["contains", "has", "hasOwnProperty", "hasOwn"]
    }

    override predicate sanitizes(boolean outcome, Expr e) {
-      outcome = true and
-      e = this.getArgument(0).asExpr()
+      exists(int propertyIndex |
+        if this.getMethodName() = "hasOwn" then propertyIndex = 1 else propertyIndex = 0
+      |
+        outcome = true and
+        e = this.getArgument(propertyIndex).asExpr()
+      )
    }

    override predicate appliesTo(Configuration cfg) { any() }