mirror of
https://github.com/github/codeql.git
synced 2026-05-02 12:15:17 +02:00
Merge pull request #3679 from asger-semmle/js/dom-value-ref-restriction
Approved by erik-krogh, esbena
This commit is contained in:
semmle-qlci
@@ -291,11 +291,27 @@ module DOM {
|
||||
*/
|
||||
abstract class Range extends DataFlow::Node { }
|
||||
|
||||
private string getADomPropertyName() {
|
||||
exists(ExternalInstanceMemberDecl decl |
|
||||
result = decl.getName() and
|
||||
isDomRootType(decl.getDeclaringType().getASupertype*())
|
||||
)
|
||||
}
|
||||
|
||||
private class DefaultRange extends Range {
|
||||
DefaultRange() {
|
||||
this.asExpr().(VarAccess).getVariable() instanceof DOMGlobalVariable
|
||||
or
|
||||
this = domValueRef().getAPropertyRead()
|
||||
exists(DataFlow::PropRead read |
|
||||
this = read and
|
||||
read = domValueRef().getAPropertyRead()
|
||||
|
|
||||
not read.mayHavePropertyName(_)
|
||||
or
|
||||
read.mayHavePropertyName(getADomPropertyName())
|
||||
or
|
||||
read.mayHavePropertyName(any(string s | exists(s.toInt())))
|
||||
)
|
||||
or
|
||||
this = domElementCreationOrQuery()
|
||||
or
|
||||
|
||||
@@ -4,3 +4,5 @@ test_locationRef
|
||||
| customization.js:3:3:3:14 | doc.location |
|
||||
test_domValueRef
|
||||
| customization.js:4:3:4:28 | doc.get ... 'test') |
|
||||
| tst.js:49:3:49:8 | window |
|
||||
| tst.js:50:3:50:8 | window |
|
||||
|
||||
10
javascript/ql/test/library-tests/DOM/externs/externs.js
Normal file
10
javascript/ql/test/library-tests/DOM/externs/externs.js
Normal file
@@ -0,0 +1,10 @@
|
||||
/** @externs */
|
||||
|
||||
/**
|
||||
* @constructor
|
||||
* @name EventTarget
|
||||
*/
|
||||
function EventTarget() {}
|
||||
|
||||
/** @type {EventTarget} */
|
||||
var window;
|
||||
@@ -39,3 +39,13 @@
|
||||
factory2();
|
||||
|
||||
})();
|
||||
|
||||
(function pollute() {
|
||||
class C {
|
||||
foo() {
|
||||
this.x; // Should not be a domValueRef
|
||||
}
|
||||
}
|
||||
window.myApp = new C();
|
||||
window.myApp.foo();
|
||||
})();
|
||||
|
||||
@@ -25,6 +25,24 @@
|
||||
function EventTarget() {}
|
||||
|
||||
/**
|
||||
* @type {!EventTarget}
|
||||
* Stub for the DOM hierarchy.
|
||||
*
|
||||
* @constructor
|
||||
* @extends {EventTarget}
|
||||
*/
|
||||
function DomObjectStub() {}
|
||||
|
||||
/**
|
||||
* @type {!DomObjectStub}
|
||||
*/
|
||||
DomObjectStub.prototype.body;
|
||||
|
||||
/**
|
||||
* @type {!DomObjectStub}
|
||||
*/
|
||||
DomObjectStub.prototype.value;
|
||||
|
||||
/**
|
||||
* @type {!DomObjectStub}
|
||||
*/
|
||||
var document;
|
||||
|
||||
Reference in New Issue
Block a user