make the .filter step more precise

2026-04-28 02:05:14 +02:00 · 2021-05-05 13:21:37 +02:00
parent ab53f3b380
commit 4ac21e9f3f
1 changed files with 5 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -36,10 +36,13 @@ module ArrayTaintTracking {
      succ = call
    )
    or
-    // `array.filter` keeps the taint
+    // `array.filter(x => x)` keeps the taint
    call.(DataFlow::MethodCallNode).getMethodName() = "filter" and
    pred = call.getReceiver() and
-    succ = call
+    succ = call and
+    exists(DataFlow::FunctionNode callback | callback = call.getArgument(0).getAFunctionValue() |
+      callback.getParameter(0).getALocalUse() = callback.getAReturn()
+    )
    or
    // `array.reduce` with tainted value in callback
    call.(DataFlow::MethodCallNode).getMethodName() = "reduce" and