JS: Add internal extension points sources of class objects/instances

2026-04-24 00:05:14 +02:00 · 2025-01-29 11:38:54 +01:00
parent b07c5c6ee0
commit 89ad737b2a
2 changed files with 33 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
@@ -8,6 +8,7 @@ private import javascript
 private import semmle.javascript.dependencies.Dependencies
 private import internal.CallGraphs
 private import semmle.javascript.internal.CachedStages
+private import semmle.javascript.dataflow.internal.PreCallGraphStep

 /**
 * A data flow node corresponding to an expression.
@@ -995,6 +996,9 @@ class ClassNode extends DataFlow::SourceNode instanceof ClassNode::Range {
      result.getAstNode().getFile() = this.getAstNode().getFile()
    )
    or
+    t.start() and
+    PreCallGraphStep::classObjectSource(this, result)
+    or
    result = this.getAClassReferenceRec(t)
  }

@@ -1044,6 +1048,9 @@ class ClassNode extends DataFlow::SourceNode instanceof ClassNode::Range {
    // Note that this also blocks flows into a property of the receiver,
    // but the `localFieldStep` rule will often compensate for this.
    not result = any(DataFlow::ClassNode cls).getAReceiverNode()
+    or
+    t.start() and
+    PreCallGraphStep::classInstanceSource(this, result)
  }

  pragma[noinline]
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/PreCallGraphStep.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/PreCallGraphStep.qll
@@ -44,6 +44,16 @@ class PreCallGraphStep extends Unit {
  ) {
    none()
  }
+
+  /**
+   * Holds if `node` can hold an instance of `cls`.
+   */
+  predicate classInstanceSource(DataFlow::ClassNode cls, DataFlow::Node node) { none() }
+
+  /**
+   * Holds if `node` can hold an reference to the `cls` class itself.
+   */
+  predicate classObjectSource(DataFlow::ClassNode cls, DataFlow::Node node) { none() }
 }

 cached
@@ -90,6 +100,22 @@ module PreCallGraphStep {
  ) {
    any(PreCallGraphStep s).loadStoreStep(pred, succ, loadProp, storeProp)
  }
+
+  /**
+   * Holds if `node` can hold an instance of `cls`.
+   */
+  cached
+  predicate classInstanceSource(DataFlow::ClassNode cls, DataFlow::Node node) {
+    any(PreCallGraphStep s).classInstanceSource(cls, node)
+  }
+
+  /**
+   * Holds if `node` can hold an reference to the `cls` class itself.
+   */
+  cached
+  predicate classObjectSource(DataFlow::ClassNode cls, DataFlow::Node node) {
+    any(PreCallGraphStep s).classObjectSource(cls, node)
+  }
 }

 /**