JS: Note issue with .apply() calls

2026-04-28 10:15:14 +02:00 · 2024-08-14 14:34:55 +02:00
parent ac1dd1850e
commit 34e6864fa3
2 changed files with 3 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
@@ -25,6 +25,7 @@ predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2)
    node1 = TValueNode(invoke.getAnArgument().stripParens().(SpreadElement).getOperand()) and
    node2 = TDynamicArgumentStoreNode(invoke, c) and
    c.isUnknownArrayElement()
+    // TODO: we need a similar case for .apply() calls
  )
 }

--- a/javascript/ql/test/library-tests/TaintTracking/array-mutation.js
+++ b/javascript/ql/test/library-tests/TaintTracking/array-mutation.js
@@ -29,11 +29,11 @@ function test(x, y) {

  let h = [];
  Array.prototype.push.apply(h, source());
-  sink(h); // NOT OK
+  sink(h); // NOT OK [INCONSISTENCY]

  let i = [];
  Array.prototype.unshift.apply(i, source());
-  sink(i); // NOT OK
+  sink(i); // NOT OK [INCONSISTENCY]

  let j = [];
  j[j.length] = source();