JS: Remove jump steps from IIFE steps

This commit is contained in:
Asger F
2024-11-01 09:17:35 +01:00
parent 7f2eae0966
commit 37676f41aa
2 changed files with 22 additions and 7 deletions


@@ -1217,6 +1217,20 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
predicate localMustFlowStep(Node node1, Node node2) { node1 = node2.getImmediatePredecessor() }
/**
* Holds if `node1 -> node2` should be removed as a jump step.
*
* Currently this is done as a workaround for the local steps generated from IIFEs.
*/
private predicate excludedJumpStep(Node node1, Node node2) {
exists(ImmediatelyInvokedFunctionExpr iife |
iife.argumentPassing(node2.asExpr(), node1.asExpr())
or
node1 = iife.getAReturnedExpr().flow() and
node2 = iife.getInvocation().flow()
)
}
/**
* Holds if data can flow from `node1` to `node2` through a non-local step
* that does not follow a call edge. For example, a step through a global
@@ -1224,7 +1238,8 @@ predicate localMustFlowStep(Node node1, Node node2) { node1 = node2.getImmediate
*/
predicate jumpStep(Node node1, Node node2) {
valuePreservingStep(node1, node2) and
node1.getContainer() != node2.getContainer()
node1.getContainer() != node2.getContainer() and
not excludedJumpStep(node1, node2)
or
FlowSummaryPrivate::Steps::summaryJumpStep(node1.(FlowSummaryNode).getSummaryNode(),
node2.(FlowSummaryNode).getSummaryNode())
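Review bot: The doc comment on `excludedJumpStep` says only that it is a "workaround" and does not record why these IIFE steps must not be jump steps or what is lost by excluding them, which is the information the next maintainer needs before removing it. From the new disjunct in `jumpStep` it appears the argument-to-parameter and returned-expr-to-invocation steps were matching `valuePreservingStep` across containers (the IIFE body being its own container) and so became call-insensitive jump steps, which would explain the cross-call SPURIOUS results in the test file; I would state that in the comment, hedged if the author is not sure of the mechanism, e.g. `* These steps cross a container boundary and were being treated as call-insensitive jump steps, producing spurious flow between unrelated calls; they should eventually be modelled as proper call-sensitive steps instead of being dropped.` The jumpStep doc comment (which starts above this hunk) could also mention the exclusion in one line, `* IIFE argument/return steps are excluded, see excludedJumpStep.` Note the second disjunct of `excludedJumpStep` requires `node1 = iife.getAReturnedExpr().flow()`, so values returned through non-expression paths in the IIFE body are not covered; if that is intentional, a short comment saying so would avoid a later "fix".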


@@ -4,8 +4,8 @@ function f1() {
return p; // argument to return
})(x);
}
sink(inner(source("f1.1"))); // $ hasValueFlow=f1.1 SPURIOUS: hasValueFlow=f1.2
sink(inner(source("f1.2"))); // $ hasValueFlow=f1.2 SPURIOUS: hasValueFlow=f1.1
sink(inner(source("f1.1"))); // $ hasValueFlow=f1.1
sink(inner(source("f1.2"))); // $ hasValueFlow=f1.2
}
function f2() {
@@ -16,8 +16,8 @@ function f2() {
})(x);
return y;
}
sink(inner(source("f2.1"))); // $ hasValueFlow=f2.1 SPURIOUS: hasValueFlow=f2.2
sink(inner(source("f2.2"))); // $ hasValueFlow=f2.2 SPURIOUS: hasValueFlow=f2.1
sink(inner(source("f2.1"))); // $ MISSING: hasValueFlow=f2.1
sink(inner(source("f2.2"))); // $ MISSING: hasValueFlow=f2.2
}
function f3() {
@@ -26,8 +26,8 @@ function f3() {
return x; // captured variable to return
})();
}
sink(inner(source("f3.1"))); // $ hasValueFlow=f3.1 SPURIOUS: hasValueFlow=f3.2
sink(inner(source("f3.2"))); // $ hasValueFlow=f3.2 SPURIOUS: hasValueFlow=f3.1
sink(inner(source("f3.1"))); // $ hasValueFlow=f3.1
sink(inner(source("f3.2"))); // $ hasValueFlow=f3.2
}
function f4() {
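Review bot: The f2 expectations change from true-plus-spurious to `MISSING: hasValueFlow=f2.1` / `MISSING: hasValueFlow=f2.2`, so this commit trades a false-positive pattern for a recall loss that the commit title ("Remove jump steps from IIFE steps") does not mention. The f2 hunk only shows `})(x); return y;`, so I cannot tell from the page which IIFE step carries the value into `y`, but it is presumably one of the two steps `excludedJumpStep` now drops without anything call-sensitive replacing it. I would either note the regression in the commit message or add a comment next to the MISSING lines pointing at the excluded step, e.g. `// MISSING because IIFE argument/return steps are excluded from jumpStep and not yet re-added as call-sensitive steps`, so the expectation is not mistaken for a pre-existing gap. The f1 and f3 hunks show the intended effect and need no change.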