filter out writes to number indexes

2026-05-05 13:45:19 +02:00 · 2021-10-28 14:27:07 +02:00
parent 96b6f670d9
commit 4f6e5c903b
3 changed files with 16 additions and 1 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
@@ -79,7 +79,15 @@ class Configuration extends TaintTracking::Configuration {
      source.getNode() = src and sink.getNode() = snk
    |
      snk = write.getBase() and
-      exists(write.getPropertyName())
+      (
+        // fixed property name
+        exists(write.getPropertyName())
+        or
+        // non-string property name (likely number)
+        exists(Expr prop | prop = write.getPropertyNameExpr() |
+          not prop.analyze().getAType() = TTString()
+        )
+      )
    )
  }