JS: Use ArrayElementKnown when reading a constant array index

2026-04-26 09:15:12 +02:00 · 2024-09-06 13:43:18 +02:00
parent 094112c905
commit 55d4e7e742
2 changed files with 10 additions and 5 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
@@ -1103,7 +1103,12 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
    node1 = read.getBase() and
    node2 = read
  |
-    c.asPropertyName() = read.getPropertyName()
+    exists(PropertyName name | read.getPropertyName() = name |
+      not exists(name.asArrayIndex()) and
+      c = ContentSet::property(name)
+      or
+      c = ContentSet::arrayElementKnown(name.asArrayIndex())
+    )
    or
    not exists(read.getPropertyName()) and
    c = ContentSet::arrayElement()
--- a/javascript/ql/test/library-tests/TripleDot/tst.js
+++ b/javascript/ql/test/library-tests/TripleDot/tst.js
@@ -134,7 +134,7 @@ function t13() {
        sink(x); // $ SPURIOUS: hasTaintFlow=t13.1
        sink(y); // $ hasTaintFlow=t13.1
        sink(rest); // $ hasTaintFlow=t13.1
-        sink(rest[0]); // $ MISSING: hasTaintFlow=t13.1
+        sink(rest[0]); // $ hasTaintFlow=t13.1
    }
    target("safe", ...source('t13.1'));
 }
@@ -167,8 +167,8 @@ function t15() {
 function t16() {
    let array = new Array(Math.floor(Math.random() * 10))
    array.push(source("t16.1"));
-    sink(array[0]); // $ MISSING: hasValueFlow=t16.1 SPURIOUS: hasTaintFlow=t16.1
-    sink(array[1]); // $ MISSING: hasValueFlow=t16.1 SPURIOUS: hasTaintFlow=t16.1
-    sink(array[2]); // $ MISSING: hasValueFlow=t16.1 SPURIOUS: hasTaintFlow=t16.1
+    sink(array[0]); // $ hasValueFlow=t16.1
+    sink(array[1]); // $ hasValueFlow=t16.1
+    sink(array[2]); // $ hasValueFlow=t16.1
    sink(array); // $ hasTaintFlow=t16.1
 }