simplify getALibraryInputParameter by adding more general dataflow for the arguments object

2026-04-29 02:35:15 +02:00 · 2022-08-21 22:36:06 +02:00
parent 11b039c1f1
commit 2f11f3760e
7 changed files with 47 additions and 43 deletions
--- a/javascript/ql/lib/semmle/javascript/Arrays.qll
+++ b/javascript/ql/lib/semmle/javascript/Arrays.qll
@@ -344,6 +344,14 @@ private module ArrayLibraries {
    result = DataFlow::globalVarRef("Array").getAMemberCall("from")
    or
    result = DataFlow::moduleImport("array-from").getACall()
+    or
+    // Array.prototype.slice.call acts the same as Array.from, and is sometimes used with e.g. the arguments object.
+    result =
+      DataFlow::globalVarRef("Array")
+          .getAPropertyRead("prototype")
+          .getAPropertyRead("slice")
+          .getAMethodCall("call") and
+    result.getNumArgument() = 1
  }

  /**
--- a/javascript/ql/lib/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/lib/semmle/javascript/PackageExports.qll
@@ -18,34 +18,10 @@ DataFlow::Node getALibraryInputParameter() {
  |
    result = func.getParameter(any(int arg | arg >= bound))
    or
-    result = getAnArgumentsRead(func.getFunction())
-    or
    result = func.getFunction().getArgumentsVariable().getAnAccess().flow()
  )
 }

-private DataFlow::SourceNode getAnArgumentsRead(Function func) {
-  exists(DataFlow::PropRead read |
-    not read.getPropertyName() = "length" and
-    result = read
-  |
-    read.getBase() = func.getArgumentsVariable().getAnAccess().flow()
-    or
-    exists(DataFlow::MethodCallNode call |
-      call =
-        DataFlow::globalVarRef("Array")
-            .getAPropertyRead("prototype")
-            .getAPropertyRead("slice")
-            .getAMethodCall("call")
-      or
-      call = DataFlow::globalVarRef("Array").getAMethodCall("from")
-    |
-      call.getArgument(0) = func.getArgumentsVariable().getAnAccess().flow() and
-      call.flowsTo(read.getBase())
-    )
-  )
-}
-
 private import NodeModuleResolutionImpl as NodeModule

 /**
--- a/javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll
@@ -1661,9 +1661,7 @@ module DataFlow {
    )
  }

-  /**
-   * A step from a reflective parameter node to each parameter.
-   */
+  /** A load step from a reflective parameter node to each parameter. */
  private class ReflectiveParamsStep extends PreCallGraphStep {
    override predicate loadStep(DataFlow::Node obj, DataFlow::Node element, string prop) {
      exists(DataFlow::ReflectiveParametersNode params, DataFlow::FunctionNode f, int i |
@@ -1675,6 +1673,17 @@ module DataFlow {
    }
  }

+  /** A taint step from the reflective parameters node to any parameter. */
+  private class ReflectiveParamsTaintStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node obj, DataFlow::Node element) {
+      exists(DataFlow::ReflectiveParametersNode params, DataFlow::FunctionNode f |
+        f.getFunction() = params.getFunction() and
+        obj = params and
+        element = f.getAParameter()
+      )
+    }
+  }
+
  /**
   * Holds if there is a step from `pred` to `succ` through a field accessed through `this` in a class.
   */