JS: Use getABoundFunctionValue in PostMessageEventHandler

2026-05-01 03:35:13 +02:00 · 2019-08-18 18:32:47 +01:00
parent d6d89a0703
commit 34497f6d19
2 changed files with 8 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -127,6 +127,8 @@ module DataFlow {
     * possibly derived from a partial function invocation.
     */
    final FunctionNode getABoundFunctionValue(int boundArgs) {
+      result = getAFunctionValue() and boundArgs = 0
+      or
      CallGraph::getABoundFunctionReference(result, boundArgs).flowsTo(this)
    }

--- a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
@@ -174,18 +174,20 @@ private module PersistentWebStorage {
 * An event handler that handles `postMessage` events.
 */
 class PostMessageEventHandler extends Function {
+  int paramIndex;
+
  PostMessageEventHandler() {
-    exists(CallExpr addEventListener |
-      addEventListener.getCallee().accessesGlobal("addEventListener") and
+    exists(DataFlow::CallNode addEventListener |
+      addEventListener = DataFlow::globalVarRef("addEventListener").getACall() and
      addEventListener.getArgument(0).mayHaveStringValue("message") and
-      addEventListener.getArgument(1).analyze().getAValue().(AbstractFunction).getFunction() = this
+      addEventListener.getArgument(1).getABoundFunctionValue(paramIndex).getFunction() = this
    )
  }

  /**
   * Gets the parameter that contains the event.
   */
-  SimpleParameter getEventParameter() { result = getParameter(0) }
+  Parameter getEventParameter() { result = getParameter(paramIndex) }
 }

 /**