JS: Restrict this-argument passing in API graphs

2025-12-16 16:53:25 +01:00 · 2025-10-06 11:22:39 +02:00
parent 84c788a027
commit 4d33190241
2 changed files with 7 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -1324,7 +1324,9 @@ module API {
      exists(DataFlow::TypeTracker t, StepSummary summary, DataFlow::SourceNode prev |
        prev = trackUseNode(nd, promisified, boundArgs, prop, t) and
        StepSummary::step(prev, res, summary) and
-        result = t.append(summary)
+        result = t.append(summary) and
+        // Block argument-passing into 'this'
+        not (summary = CallStep() and res instanceof DataFlow::ThisNode)
      )
    }

@@ -1381,7 +1383,9 @@ module API {
      exists(DataFlow::TypeBackTracker t, StepSummary summary, DataFlow::Node next |
        next = trackDefNode(nd, t) and
        StepSummary::step(prev, next, summary) and
-        result = t.prepend(summary)
+        result = t.prepend(summary) and
+        // Block argument-passing steps from 'this' back to a receiver
+        not (summary = CallStep() and prev instanceof DataFlow::ThisNode)
      )
    }

--- a/javascript/ql/test/ApiGraphs/explicit-this/VerifyAssertions.expected
+++ b/javascript/ql/test/ApiGraphs/explicit-this/VerifyAssertions.expected
@@ -0,0 +1 @@
+| tst.js:4:17:4:119 | /** use ... rn() */ | use moduleImport("something").getMember("exports").getMember("one") has no outgoing edge labelled getMember("two"); it has no outgoing edges at all. |
				`@@ -0,0 +1 @@`
				`\| tst.js:4:17:4:119 \| /** use ... rn() */ \| use moduleImport("something").getMember("exports").getMember("one") has no outgoing edge labelled getMember("two"); it has no outgoing edges at all. \|`