JS: Prevent bad join ordering

2026-05-02 04:05:14 +02:00 · 2020-06-26 20:21:56 +01:00
parent 06dd3ab2ca
commit 6707e3424d
1 changed files with 8 additions and 3 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -737,12 +737,17 @@ module TaintTracking {
      read = getAStaticCaptureRef()
      or
      exists(ControlFlowNode mid |
-        mid = getANodeReachingCaptureRef(read) and
-        not mid = getACaptureSetter(_) and
-        result = mid.getAPredecessor()
+        result = getANodeReachingCaptureRefAux(read, mid) and
+        not mid = getACaptureSetter(_)
      )
    }

+    pragma[nomagic]
+    private ControlFlowNode getANodeReachingCaptureRefAux(DataFlow::PropRead read, ControlFlowNode mid) {
+      mid = getANodeReachingCaptureRef(read) and
+      result = mid.getAPredecessor()
+    }
+
    /**
     * Holds if there is a step `pred -> succ` from the input of a RegExp match to
     * a static property of `RegExp` defined.