JS: suppress similar alerts from RemotePropertyInjection

2026-04-30 11:15:13 +02:00 · 2018-11-20 15:49:24 +00:00
parent a2e5003c09
commit 8aff66616b
2 changed files with 15 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/RemotePropertyInjection.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RemotePropertyInjection.qll
@@ -70,15 +70,25 @@ module RemotePropertyInjection {
      result = " a property name to write to."
    }     
  }
+
+  /**
+   * Holds if the method name injection on the given base object is handled by another query.
+   */
+  private predicate isCoveredByMethodNameInjection(DataFlow::SourceNode node) {
+    node = DataFlow::globalObjectRef()
+    or
+    node.analyze().getAValue() instanceof AbstractCallable
+  }
  
  /**
   * A sink for method calls using dynamically computed method names.   
   */
  class MethodCallSink extends Sink, DataFlow::ValueNode  {
    MethodCallSink() {
-      exists (DataFlow::PropRead pr | astNode = pr.getPropertyNameExpr() |           
-        exists (pr.getAnInvocation())
-      )          
+      exists (DataFlow::PropRead pr | astNode = pr.getPropertyNameExpr() |
+        exists (pr.getAnInvocation()) and
+        not isCoveredByMethodNameInjection(pr.getBase().getALocalSource())
+      )
    }

    override string getMessage() {
--- a/javascript/ql/test/query-tests/Security/CWE-400/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-400/tst.js
@@ -14,7 +14,8 @@ app.get('/user/:id', function(req, res) {
 	Object.defineProperty(myObj, prop, {value: 24}); // NOT OK
 	var headers = {};	
 	headers[prop] = 42; // NOT OK
-	res.set(headers);	
+	res.set(headers);
+	myCoolLocalFct[req.query.x](); // OK - flagged by method name injection
 });

 function myCoolLocalFct(x) {