Merge master into next.

2025-12-20 10:46:30 +01:00 · 2018-12-14 10:16:47 +00:00
parent 18eb60b98e 936094d0b6
commit 7bc729a7dc
16 changed files with 175 additions and 41 deletions
--- a/javascript/ql/src/Statements/UselessConditional.ql
+++ b/javascript/ql/src/Statements/UselessConditional.ql
@@ -109,15 +109,26 @@ predicate whitelist(Expr e) {

 /**
 * Holds if `e` is part of a conditional node `cond` that evaluates
- * `e` and checks its value for truthiness.
+ * `e` and checks its value for truthiness, and the return value of `e`
+ * is not used for anything other than this truthiness check.
 */
-predicate isConditional(ASTNode cond, Expr e) {
+predicate isExplicitConditional(ASTNode cond, Expr e) {
  e = cond.(IfStmt).getCondition() or
  e = cond.(LoopStmt).getTest() or
  e = cond.(ConditionalExpr).getCondition() or
-  e = cond.(LogicalBinaryExpr).getLeftOperand() or
-  // Include `z` in `if (x && z)`.
-  isConditional(_, cond) and e = cond.(Expr).getUnderlyingValue().(LogicalBinaryExpr).getRightOperand()
+  isExplicitConditional(_, cond) and e = cond.(Expr).getUnderlyingValue().(LogicalBinaryExpr).getAnOperand()
+}
+
+/**
+ * Holds if `e` is part of a conditional node `cond` that evaluates
+ * `e` and checks its value for truthiness.
+ *
+ * The return value of `e` may have other uses besides the truthiness check,
+ * but if the truthiness check always goes one way, it still indicates an error.
+ */
+predicate isConditional(ASTNode cond, Expr e) {
+  isExplicitConditional(cond, e) or
+  e = cond.(LogicalBinaryExpr).getLeftOperand()
 }

 from ASTNode cond, DataFlow::AnalyzedNode op, boolean cv, ASTNode sel, string msg
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -687,6 +687,7 @@ private predicate flowsTo(PathNode flowsource, DataFlow::Node source,
 * Holds if `nd` is reachable from a source under `cfg` along a path summarized by
 * `summary`.
 */
+pragma[nomagic]
 private predicate reachableFromSource(DataFlow::Node nd, DataFlow::Configuration cfg,
                                      PathSummary summary) {
  exists (FlowLabel lbl |
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -311,6 +311,25 @@ class FunctionNode extends DataFlow::ValueNode, DataFlow::DefaultSourceNode {
  Function getFunction() {
    result = astNode
  }
+
+  /**
+   * Gets the function whose `this` binding a `this` expression in this function refers to,
+   * which is the nearest enclosing non-arrow function.
+   */
+  FunctionNode getThisBinder() {
+    result.getFunction() = getFunction().getThisBinder()
+  }
+
+  /**
+   * Gets the dataflow node holding the value of the receiver passed to the given function.
+   *
+   * Has no result for arrow functions, as they ignore the receiver argument.
+   *
+   * To get the data flow node for `this` in an arrow function, consider using `getThisBinder().getReceiver()`.
+   */
+  ThisNode getReceiver() {
+    result.getBinder() = this
+  }
 }

 /** A data flow node corresponding to an object literal expression. */