JS: Use getAParameter and not getReceiver instead of getASuccessor

2026-04-29 10:45:15 +02:00 · 2020-11-20 10:34:30 +00:00
parent 405f07720a
commit 7536c49c6f
1 changed files with 3 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
@@ -162,10 +162,9 @@ module ExternalAPIUsedWithUntrustedData {
   * Gets a parameter of `base` with name `name`, or a property named `name` of a destructuring parameter.
   */
  private API::Node getNamedParameter(API::Node base, string name) {
-    exists(API::Node param, string lbl |
-      // getParameter(i) requires a bindingset for i, so use the raw label
-      param = base.getASuccessor("parameter " + lbl) and
-      lbl != "-1" // ignore receiver
+    exists(API::Node param |
+      param = base.getAParameter() and
+      not param = base.getReceiver()
    |
      result = param and
      name = param.getAnImmediateUse().asExpr().(Parameter).getName()