JS: Add type-tracking steps through callback args

2026-05-03 12:45:27 +02:00 · 2021-09-08 10:55:29 +02:00
parent 1f6df4e70d
commit 7c94dd94e9
2 changed files with 9 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll
@@ -156,6 +156,14 @@ private module Cached {
        succ = fun.getAnInvocation()
      )
    )
+    or
+    // Add 'return' steps from callback arguments to callback parameters
+    exists(DataFlow::ParameterNode cbParam, DataFlow::FunctionNode cbFun, int i |
+      callStep(cbFun, cbParam) and
+      pred = cbParam.getAnInvocation().getArgument(i) and
+      succ = cbFun.getParameter(i) and
+      summary = ReturnStep()
+    )
  }
 }

--- a/javascript/ql/test/library-tests/TypeTracking/PredicateStyle.expected
+++ b/javascript/ql/test/library-tests/TypeTracking/PredicateStyle.expected
@@ -41,6 +41,7 @@ connection
 | type tracker without call steps | tst.js:114:1:114:28 | getX({  ... on() }) |
 | type tracker without call steps | tst.js:114:11:114:25 | getConnection() |
 | type tracker without call steps | tst.js:118:12:118:26 | getConnection() |
+| type tracker without call steps | tst.js:120:21:120:24 | conn |
 | type tracker without call steps | tst_conflict.js:6:38:6:77 | api.cha ... ction() |
 | type tracker without call steps with property MyApplication.namespace.connection | file://:0:0:0:0 | global access path |
 | type tracker without call steps with property conflict | tst.js:63:3:63:25 | MyAppli ... mespace |