hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 11:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Handle a few other stringification contexts

Browse Source
This commit is contained in:
Asger F
2025-02-17 11:36:28 +01:00
parent 33ab7db98a
commit 352924fb8c
2 changed files with 27 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
View File

@@ -1432,6 +1432,23 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
c = ContentSet::arrayElementLowerBound(pos.asPositionalLowerBound())
)
)
or
// Implicitly read array elements before stringification
stringifiedNode(node1) and
node2 = node1 and
c = ContentSet::arrayElement()
}
private predicate stringifiedNode(Node node) {
exists(Expr e | node = TValueNode(e) |
e = any(AddExpr add).getAnOperand() and
not e instanceof StringLiteral
or
e = any(TemplateLiteral t).getAnElement() and
not e instanceof TemplateElement
)
or
node = DataFlow::globalVarRef("String").getAnInvocation().getArgument(0)
}
/** Gets the post-update node for which `node` is the corresponding pre-update node. */