JS: downgrade other alerts to js/useless-defensive-code

2026-05-02 20:25:13 +02:00 · 2018-10-10 12:52:52 +02:00
parent e29c57a58e
commit 358e6188d9
6 changed files with 8 additions and 1 deletions
--- a/javascript/ql/src/Expressions/HeterogeneousComparison.ql
+++ b/javascript/ql/src/Expressions/HeterogeneousComparison.ql
@@ -15,6 +15,7 @@

 import javascript
 private import semmle.javascript.dataflow.InferredTypes
+private import semmle.javascript.DefensiveProgramming

 /**
 * Holds if `left` and `right` are the left and right operands, respectively, of `nd`, which is
@@ -198,6 +199,7 @@ from ASTNode cmp,
     int leftTypeCount, int rightTypeCount ,
     string leftTypeDescription, string rightTypeDescription
 where isHeterogeneousComparison(cmp, left, right, leftTypes, rightTypes) and
+      not exists (cmp.(Expr).flow().(DefensiveExpression).getTheTestResult()) and
      not whitelist(left.asExpr()) and
      not whitelist(right.asExpr()) and
      leftExprDescription = capitalize(getDescription(left.asExpr(), "this expression")) and
--- a/javascript/ql/src/Statements/UselessConditional.ql
+++ b/javascript/ql/src/Statements/UselessConditional.ql
@@ -87,7 +87,7 @@ predicate isConstantBooleanReturnValue(Expr e) {
 predicate whitelist(Expr e) {
  isConstant(e) or
  isConstant(e.(LogNotExpr).getOperand()) or
-  e.flow() instanceof Internal::DefensiveInit or
+  exists (e.flow().(DefensiveExpression).getTheTestResult()) or
  isInitialParameterUse(e) or
  isConstantBooleanReturnValue(e)
 }
--- a/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/HeterogeneousComparison.expected
+++ b/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/HeterogeneousComparison.expected
@@ -0,0 +1,3 @@
+| tst.js:162:9:162:16 | typeof x | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:162:22:162:30 | undefined | 'undefined' |
+| tst.js:163:9:163:21 | typeof window | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:163:27:163:35 | undefined | 'undefined' |
+| tst.js:165:9:165:16 | typeof x | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:165:22:165:22 | u | variable 'u' |
--- a/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/HeterogeneousComparison.qlref
+++ b/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/HeterogeneousComparison.qlref
@@ -0,0 +1 @@
+Expressions/HeterogeneousComparison.ql
--- a/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/UselessConditional.expected
+++ b/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/UselessConditional.expected
--- a/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/UselessConditional.qlref
+++ b/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/UselessConditional.qlref
@@ -0,0 +1 @@
+Statements/UselessConditional.ql