JS: Make API graph more sparse for escaping class instance members

2025-12-16 16:53:25 +01:00 · 2022-08-30 20:24:14 +02:00
parent 5ad6c05a9c
commit 32c8688805
1 changed files with 14 additions and 13 deletions
--- a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -663,7 +663,14 @@ module API {
        or
        any(Type t).hasUnderlyingType(m, _)
      } or
-      MkClassInstance(DataFlow::ClassNode cls) { cls = trackDefNode(_) and hasSemantics(cls) } or
+      MkClassInstance(DataFlow::ClassNode cls) {
+        hasSemantics(cls) and
+        (
+          cls = trackDefNode(_)
+          or
+          cls.getAnInstanceReference() = trackDefNode(_)
+        )
+      } or
      MkAsyncFuncResult(DataFlow::FunctionNode f) {
        f = trackDefNode(_) and f.getFunction().isAsync() and hasSemantics(f)
      } or
@@ -755,16 +762,6 @@ module API {
                  .getStaticMember(name, DataFlow::MemberKind::getter())
                  .getAReturn()
          )
-          or
-          // If `new C()` escapes, generate edges to its instance members
-          exists(DataFlow::ClassNode cls, string name |
-            pred = cls.getAClassReference().getAnInstantiation() and
-            lbl = Label::member(name)
-          |
-            rhs = cls.getInstanceMethod(name)
-            or
-            rhs = cls.getInstanceMember(name, DataFlow::MemberKind::getter()).getAReturn()
-          )
        )
        or
        exists(DataFlow::ClassNode cls, string name |
@@ -1253,9 +1250,13 @@ module API {
        succ = MkUse(ref)
      )
      or
-      exists(DataFlow::Node rhs |
-        rhs(pred, lbl, rhs) and
+      exists(DataFlow::Node rhs | rhs(pred, lbl, rhs) |
        succ = MkDef(rhs)
+        or
+        exists(DataFlow::ClassNode cls |
+          cls.getAnInstanceReference() = rhs and
+          succ = MkClassInstance(cls)
+        )
      )
      or
      exists(DataFlow::Node def |