JS: introduce RelationalComparison.isInclucive

2026-04-30 11:15:13 +02:00 · 2018-08-23 14:51:39 +02:00
parent 20b48a2d24
commit 2b41f62eb0
2 changed files with 11 additions and 13 deletions
--- a/javascript/ql/src/semmle/javascript/Expr.qll
+++ b/javascript/ql/src/semmle/javascript/Expr.qll
@@ -1545,6 +1545,14 @@ class RelationalComparison extends Comparison {
  Expr getGreaterOperand() {
    result = getAnOperand() and result != getLesserOperand()
  }
+
+  /**
+   * Holds if this is a comparison with `<=` or `>=`.
+   */
+  predicate isInclusive() {
+    this instanceof LEExpr or
+    this instanceof GEExpr
+  }
 }

 /** A (pre or post) increment expression. */
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -643,16 +643,6 @@ module TaintTracking {

  }

-  /**
-   * A less-than or greater-than expression
-   */
-  private class ExclusiveRelationalComparison extends RelationalComparison {
-    ExclusiveRelationalComparison() {
-      this instanceof LTExpr or
-      this instanceof GTExpr
-    }
-  }
-
  /** 
   * A check of the form `if(whitelist.indexOf(x) >= 0)`, which sanitizes `x` in its "then" branch. 
   *
@@ -671,9 +661,9 @@ module TaintTracking {
        polarity = true and
        greater = indexOf and
        (
-          lesser.getIntValue() = 0 
+          lesser.getIntValue() >= 0
          or
-          lesser.getIntValue() = -1 and astNode instanceof ExclusiveRelationalComparison
+          lesser.getIntValue() = -1 and not astNode.isInclusive()
        )
        or 
        polarity = false and
@@ -681,7 +671,7 @@ module TaintTracking {
        (
          greater.getIntValue() = -1
          or
-          greater.getIntValue() = 0 and astNode instanceof ExclusiveRelationalComparison
+          greater.getIntValue() = 0 and not astNode.isInclusive()
        )
      )
    }