JS: Fix flow for nested destructurings

2026-04-30 11:15:13 +02:00 · 2019-05-16 12:10:13 +01:00
parent 6468721f76
commit 87e0831872
3 changed files with 39 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -1143,6 +1143,23 @@ module DataFlow {
      succ = TDestructuringPatternNode(def.getTarget())
    )
    or
+    // flow from the value read from a property pattern to the value being
+    // destructured in the child pattern. For example, for
+    //
+    //   let { p: { q: x } } = obj
+    //
+    // add edge from the 'p:' pattern to '{ q:x }'.
+    exists(PropertyPattern pattern |
+      pred = TPropNode(pattern) and
+      succ = TDestructuringPatternNode(pattern.getValuePattern())
+    )
+    or
+    // Like the step above, but for array destructuring patterns.
+    exists(Expr elm |
+      pred = TElementPatternNode(_, elm) and
+      succ = TDestructuringPatternNode(elm)
+    )
+    or
    // flow from 'this' parameter into 'this' expressions
    exists(ThisExpr thiz |
      pred = TThisNode(thiz.getBindingContainer()) and
@@ -1154,7 +1171,7 @@ module DataFlow {
   * Holds if there is a step from `pred` to `succ` through a field accessed through `this` in a class.
   */
  predicate localFieldStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists (ClassNode cls, string prop |
+    exists(ClassNode cls, string prop |
      pred = cls.getAReceiverNode().getAPropertyWrite(prop).getRhs() and
      succ = cls.getAReceiverNode().getAPropertyRead(prop)
    )
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -22,6 +22,9 @@
 | constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:30:8:30:19 | d_safe.taint |
 | constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:17:8:17:14 | c.param |
 | constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:25:8:25:14 | d.param |
+| destruct.js:15:7:15:14 | source() | destruct.js:5:10:5:10 | z |
+| destruct.js:15:7:15:14 | source() | destruct.js:8:10:8:10 | w |
+| destruct.js:15:7:15:14 | source() | destruct.js:11:10:11:10 | q |
 | exceptions.js:3:15:3:22 | source() | exceptions.js:5:10:5:10 | e |
 | exceptions.js:21:17:21:24 | source() | exceptions.js:23:10:23:10 | e |
 | exceptions.js:21:17:21:24 | source() | exceptions.js:24:10:24:21 | e.toString() |
--- a/javascript/ql/test/library-tests/TaintTracking/destruct.js
+++ b/javascript/ql/test/library-tests/TaintTracking/destruct.js
@@ -0,0 +1,18 @@
+function test() {
+  
+  function f(obj) {
+    let { x: { y: { z } } } = obj;
+    sink(z); // NOT OK
+    
+    let [[[w]]] = obj;
+    sink(w); // NOT OK
+    
+    let { x: [ { y: q } ] } = obj;
+    sink(q); // NOT OK
+  }
+  
+  function g() {
+    f(source());
+  }
+
+}