JS: whitelist another emptiness check for the type-confusion query

2026-05-11 01:39:28 +02:00 · 2019-04-08 09:50:27 +02:00
parent 662ad4b2ca
commit 52d86471af
3 changed files with 14 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTampering.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTampering.qll
@@ -83,15 +83,25 @@ module TypeConfusionThroughParameterTampering {
    LengthAccess() {
      exists(DataFlow::PropRead read |
        read.accesses(this, "length") and
-        // exclude truthiness checks on the length: an array/string confusion cannot control an emptiness check
+        // an array/string confusion cannot control an emptiness check
        not (
+          // `if (x.length) {...}`
          exists(ConditionGuardNode cond | read.asExpr() = cond.getTest())
          or
+          // `x.length == 0`, `x.length > 0`
          exists(Comparison cmp, Expr zero |
            zero.getIntValue() = 0 and
            cmp.hasOperands(read.asExpr(), zero)
          )
          or
+          // `x.length < 1`
+          exists(RelationalComparison cmp |
+            cmp.getLesserOperand() = read.asExpr() and
+            cmp.getGreaterOperand().getIntValue() = 1 and
+            not cmp.isInclusive()
+          )
+          or
+          // `!x.length`
          exists(LogNotExpr neg | neg.getOperand() = read.asExpr())
        )
      )