move extend aliasing to getAnAliasedSourceNode

2026-05-05 21:55:19 +02:00 · 2021-11-10 18:08:50 +01:00
parent 2d907f825e
commit 5d901ef728
3 changed files with 13 additions and 15 deletions
--- a/javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll
+++ b/javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll
@@ -426,6 +426,17 @@ module AccessPath {
      result = AccessPath::getAReferenceTo(root, accessPath)
    )
    or
+    // step over extend calls. Handle aliasing both ways through the extend call.
+    exists(
+      DataFlow::SourceNode rootOne, DataFlow::SourceNode rootTwo, string accessPath,
+      ExtendCall extendCall
+    |
+      rootOne = [extendCall, extendCall.getAnOperand().getALocalSource()] and
+      rootTwo = [extendCall, extendCall.getAnOperand().getALocalSource()] and
+      node = pragma[only_bind_into](AccessPath::getAReferenceTo(rootOne, accessPath)) and
+      result = AccessPath::getAReferenceTo(rootTwo, accessPath)
+    )
+    or
    result = node.getALocalSource()
  }

--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
@@ -76,19 +76,8 @@ private predicate aliasPropertyPresenceStepHelper(
 ) {
  exists(PropertyPresenceSanitizer sanitizer |
    src = sanitizer.getPropRead() and
+    sink = AccessPath::getAnAliasedSourceNode(src) and
    srcBB = src.getBasicBlock() and
-    sinkBB = sink.getBasicBlock() and
-    (
-      sink = AccessPath::getAnAliasedSourceNode(src)
-      or
-      // step over extend calls
-      exists(ExtendCall extendCall, string prop |
-        src = extendCall.getASourceOperand().getALocalSource().getAPropertyReference(prop) and
-        sink =
-          [extendCall, extendCall.getDestinationOperand()]
-              .(DataFlow::SourceNode)
-              .getAPropertyReference(prop)
-      )
-    )
+    sinkBB = sink.getBasicBlock()
  )
 }
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected
@@ -1,5 +1,3 @@
-WARNING: Unused predicate sink (/home/erik/dev/code/ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql:30,6-10)
-WARNING: Unused predicate source (/home/erik/dev/code/ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql:28,10-16)
 nodes
 | unsafe-jquery-plugin.js:2:38:2:44 | options |
 | unsafe-jquery-plugin.js:2:38:2:44 | options |