JS: Make type tracking work through access paths

2026-04-30 11:15:13 +02:00 · 2019-07-06 00:24:54 +01:00
parent 2105e0bdee
commit 7315a2baee
3 changed files with 35 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -43,7 +43,8 @@ module DataFlow {
    } or
    THtmlAttributeNode(HTML::Attribute attr) or
    TExceptionalFunctionReturnNode(Function f) or
-    TExceptionalInvocationReturnNode(InvokeExpr e)
+    TExceptionalInvocationReturnNode(InvokeExpr e) or
+    TGlobalAccessPathRoot()

  /**
   * A node in the data flow graph.
@@ -912,6 +913,20 @@ module DataFlow {
    DataFlow::InvokeNode getInvocation() { result = invoke.flow() }
  }

+  /**
+   * A pseudo-node representing the root of a global access path.
+   */
+  private class GlobalAccessPathRoot extends TGlobalAccessPathRoot, DataFlow::Node {
+    override string toString() { result = "global access path" }
+  }
+
+  /**
+   * INTERNAL. DO NOT USE.
+   *
+   * Gets a pseudo-node representing the root of a global access path.
+   */
+  DataFlow::Node globalAccessPathRootPseudoNode() { result instanceof TGlobalAccessPathRoot }
+
  /**
   * Provides classes representing various kinds of calls.
   *
--- a/javascript/ql/src/semmle/javascript/dataflow/Sources.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Sources.qll
@@ -250,6 +250,8 @@ module SourceNode {
      DataFlow::thisNode(this, _)
      or
      this = DataFlow::destructuredModuleImportNode(_)
+      or
+      this = DataFlow::globalAccessPathRootPseudoNode()
    }
  }
 }
--- a/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll
@@ -10,7 +10,11 @@ private import javascript
 private import internal.FlowSteps

 private class PropertyName extends string {
-  PropertyName() { this = any(DataFlow::PropRef pr).getPropertyName() }
+  PropertyName() {
+    this = any(DataFlow::PropRef pr).getPropertyName()
+    or
+    GlobalAccessPath::isAssignedInUniqueFile(this)
+  }
 }

 private class OptionalPropertyName extends string {
@@ -89,6 +93,18 @@ module StepSummary {
    or
    any(AdditionalTypeTrackingStep st).step(pred, succ) and
    summary = LevelStep()
+    or
+    exists(string name |
+      name = GlobalAccessPath::fromRhs(pred) and
+      succ = DataFlow::globalAccessPathRootPseudoNode() and
+      summary = StoreStep(name)
+    )
+    or
+    exists(string name |
+      name = GlobalAccessPath::fromReference(succ) and
+      pred = DataFlow::globalAccessPathRootPseudoNode() and
+      summary = LoadStep(name)
+    )
  }
 }