hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

JS: Handle Array.prototype.toString calls

Browse Source
This commit is contained in:
Asger F
2025-02-17 11:25:03 +01:00
parent a74b203c86
commit 33ab7db98a
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
javascript/ql/lib/semmle/javascript/internal/flow_summaries/AmbiguousCoreMethods.qll
View File

@@ -157,7 +157,11 @@ class Values extends SummarizedCallable {
class ToString extends SummarizedCallable {
ToString() { this = "Object#toString / Array#toString" }
override DataFlow::MethodCallNode getACallSimple() { result.getMethodName() = "toString" }
override InstanceCall getACallSimple() {
result.(DataFlow::MethodCallNode).getMethodName() = "toString"
or
result = arrayConstructorRef().getAPropertyRead("prototype").getAMemberCall("toString")
}
override predicate propagatesFlow(string input, string output, boolean preservesValue) {
preservesValue = false and

2
javascript/ql/test/library-tests/TripleDot/arrays.js
View File

@@ -41,5 +41,5 @@ function implicitToString() {
sink(array.toString()); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(array.toString("utf8")); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(Array.prototype.toString.call(array)); // $ MISSING: hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(Array.prototype.toString.call(array)); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
}