Merge pull request #8165 from erik-krogh/protoWrite

JS: support more property writes in js/prototype-pollution-utility

javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql

@@ -165,23 +165,24 @@ predicate isPotentiallyObjectPrototype(SourceNode node) {
  * would typically not happen in a merge function.
  */
 predicate dynamicPropWrite(DataFlow::Node base, DataFlow::Node prop, DataFlow::Node rhs) {
-  exists(AssignExpr write, IndexExpr index |
-    index = write.getLhs() and
-    base = index.getBase().flow() and
-    prop = index.getPropertyNameExpr().flow() and
-    rhs = write.getRhs().flow() and
-    not exists(prop.getStringValue()) and
-    not arePropertiesEnumerated(base.getALocalSource()) and
-    // Prune writes that are unlikely to modify Object.prototype.
-    // This is mainly for performance, but may block certain results due to
-    // not tracking out of function returns and into callbacks.
-    isPotentiallyObjectPrototype(base.getALocalSource()) and
-    // Ignore writes with an obviously safe RHS.
-    not exists(Expr e | e = rhs.asExpr() |
-      e instanceof Literal or
-      e instanceof ObjectExpr or
-      e instanceof ArrayExpr
-    )
+  exists(
+    DataFlow::PropWrite write // includes e.g. Object.defineProperty
+  |
+    write.getBase() = base and
+    write.getPropertyNameExpr().flow() = prop and
+    rhs = write.getRhs()
+  ) and
+  not exists(prop.getStringValue()) and
+  not arePropertiesEnumerated(base.getALocalSource()) and
+  // Prune writes that are unlikely to modify Object.prototype.
+  // This is mainly for performance, but may block certain results due to
+  // not tracking out of function returns and into callbacks.
+  isPotentiallyObjectPrototype(base.getALocalSource()) and
+  // Ignore writes with an obviously safe RHS.
+  not exists(Expr e | e = rhs.asExpr() |
+    e instanceof Literal or
+    e instanceof ObjectExpr or
+    e instanceof ArrayExpr
   )
 }