changes based on review feedback

2026-04-24 16:25:15 +02:00 · 2019-11-26 13:40:48 +01:00
parent 97718bf1d4
commit 4a94c49d37
4 changed files with 15 additions and 93 deletions
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -75,7 +75,6 @@ import semmle.javascript.frameworks.DigitalOcean
 import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
-import semmle.javascript.frameworks.typeahead
 import semmle.javascript.frameworks.jQuery
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging
@@ -92,6 +91,7 @@ import semmle.javascript.frameworks.SQL
 import semmle.javascript.frameworks.SocketIO
 import semmle.javascript.frameworks.StringFormatters
 import semmle.javascript.frameworks.TorrentLibraries
+import semmle.javascript.frameworks.Typeahead
 import semmle.javascript.frameworks.UriLibraries
 import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.XmlParsers
--- a/javascript/ql/src/semmle/javascript/frameworks/Typeahead.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Typeahead.qll
@@ -7,12 +7,13 @@ import javascript
 module Typeahead {
  /**
   * A reference to the Bloodhound class, which is a utility-class for generating auto-complete suggestions.
-   * Sometimes these suggestions can originate from remote sources.
   */
  class Bloodhound extends DataFlow::SourceNode {
    Bloodhound() {
      this = DataFlow::moduleImport("typeahead.js/dist/bloodhound.js")
      or
+      this = DataFlow::moduleImport("bloodhound-js")
+      or
      this.accessesGlobal("Bloodhound")
    }
  }
@@ -42,9 +43,9 @@ module Typeahead {
     * or an object containing an "url" property.
     */
    override DataFlow::Node getUrl() {
-      if exists(option.getALocalSource().getAPropertyWrite("url"))
-      then result = option.getALocalSource().getAPropertyWrite("url").getRhs()
-      else result = option
+      result = option.getALocalSource().getAPropertyWrite("url").getRhs()
+      or
+      result = option
    }

    override DataFlow::Node getHost() { none() }
@@ -74,7 +75,8 @@ module Typeahead {
  }

  /**
-   * A function that generates suggestions to typeahead.
+   * A function that generates suggestions to typeahead. 
+   * Matches `$(...).typeahead(..., { templates: { suggestion: <this> } })`. 
   */
  class TypeaheadSuggestionFunction extends DataFlow::FunctionNode {
    DataFlow::CallNode typeaheadCall;
@@ -84,7 +86,7 @@ module Typeahead {
      this = typeaheadCall
            .getOptionArgument(1, "templates")
            .getALocalSource()
-            .getAPropertySource("suggestion")
+            .getAPropertyWrite("suggestion").getRhs()
            .getAFunctionValue()
    }

@@ -99,11 +101,12 @@ module Typeahead {
   */
  class TypeAheadSuggestionTaintStep extends TaintTracking::AdditionalTaintStep {
    DataFlow::Node successor;
-    TypeaheadSuggestionFunction suggestionFunction;

    TypeAheadSuggestionTaintStep() {
-      this = suggestionFunction.getTypeaheadCall().getOptionArgument(1, "source") and
-      successor = suggestionFunction.getParameter(0)
+      exists(TypeaheadSuggestionFunction suggestionFunction | 
+        this = suggestionFunction.getTypeaheadCall().getOptionArgument(1, "source") and
+        successor = suggestionFunction.getParameter(0)
+      )
    }

    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
@@ -120,9 +123,8 @@ module Typeahead {
   * A taint step that models a call to `.ttAdapter()` on an instance of Bloodhound.
   */
  class BloodHoundAdapterStep extends TaintTracking::AdditionalTaintStep, BloodhoundInstance {
-    DataFlow::Node successor;

-    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+	override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
      this.flowsTo(pred) and
      exists(DataFlow::MethodCallNode call |
        succ = call and