JS: Propagate locally returned functions out of calls

2025-12-17 01:03:14 +01:00 · 2020-06-12 10:07:37 +01:00
parent 6531db3cca
commit 4c536dde20
2 changed files with 11 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/CallGraphs.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/CallGraphs.qll
@@ -61,6 +61,17 @@ module CallGraph {
      function = cls.getConstructor() and
      cls.getAClassReference(t.continue()).flowsTo(result)
    )
+    or
+    imprecision = 0 and
+    exists(DataFlow::FunctionNode outer |
+      result = getAFunctionReference(outer, 0, t.continue()).getAnInvocation() and
+      locallyReturnedFunction(outer, function)
+    )
+  }
+
+  cached
+  private predicate locallyReturnedFunction(DataFlow::FunctionNode outer, DataFlow::FunctionNode inner) {
+    inner.flowsTo(outer.getAReturn())
  }

  /**
--- a/javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/Test.expected
+++ b/javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/Test.expected
@@ -2,5 +2,4 @@ spuriousCallee
 missingCallee
 | constructor-field.ts:40:5:40:14 | f3.build() | constructor-field.ts:13:3:13:12 | build() {} | -1 |
 | constructor-field.ts:71:1:71:11 | bf3.build() | constructor-field.ts:13:3:13:12 | build() {} | -1 |
-| returned-function.js:23:1:23:4 | r2() | returned-function.js:8:9:10:9 | functio ...       } | -1 |
 badAnnotation