Move rest-pattern inside property-pattern step to a taint-step

2026-05-02 04:05:14 +02:00 · 2020-06-09 23:21:04 +02:00
parent b8a9ac39f4
commit 733e04c1eb
2 changed files with 7 additions and 6 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -318,7 +318,7 @@ module DataFlow {
  /**
   * A node in the data flow graph which corresponds to a `@property`.
   */
-  private class PropNode extends Node, TPropNode {
+  class PropNode extends Node, TPropNode {
    @property prop;

    PropNode() { this = TPropNode(prop) }
@@ -1347,11 +1347,6 @@ module DataFlow {
      succ = lvalueNode(pattern.getValuePattern())
    )
    or
-    exists(PropertyPattern pattern | 
-      pred = TPropNode(pattern) and
-      succ = lvalueNode(pattern.getValuePattern().(ObjectPattern).getRest())
-    )
-    or
    exists(Expr element |
      pred = TElementPatternNode(_, element) and
      succ = lvalueNode(element)
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -267,6 +267,12 @@ module TaintTracking {
      pred = DataFlow::valueNode(fos.getIterationDomain()) and
      succ = DataFlow::lvalueNode(fos.getLValue())
    )
+    or
+    // rest-pattern inside a propety pattern. E.g. from `foo:..` to `args` in `const {foo: {...args}} = something()`.
+    exists(PropertyPattern pattern |
+      pred.(DataFlow::PropNode).getAstNode() = pattern and
+      succ = DataFlow::lvalueNode(pattern.getValuePattern().(ObjectPattern).getRest())
+    )
  }

  /**