Merge pull request #20397 from asgerf/js/build-artifact-leak-fp

JS: Fix FP in js/build-artifact-leak when keys come from an array of constants
2026-04-19 05:54:00 +02:00 · 2025-10-28 06:40:13 +01:00
parent 227e1fcbde 2a4d6830ec
commit 8d49f26f3d
4 changed files with 30 additions and 5 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -247,10 +247,24 @@ module CleartextLogging {
      reduceCall.getABoundCallbackParameter(0, 1) = name
    |
      reduceCall.getReceiver+().(DataFlow::MethodCallNode).getMethodName() = "filter"
+      or
+      isArrayOfConstants(reduceCall.getReceiver+())
    )
    or
    exists(StringOps::RegExpTest test | test.getStringOperand().getALocalSource() = name)
    or
    exists(MembershipCandidate test | test.getAMemberNode().getALocalSource() = name)
  }
+
+  private predicate isArrayOfConstants(DataFlow::ArrayCreationNode array) {
+    forex(DataFlow::Node node |
+      node =
+        [
+          array.getAnElement(), array.getAPropertyWrite().getRhs(),
+          array.getAMethodCall("push").getArgument(0)
+        ]
+    |
+      exists(node.getStringValue())
+    )
+  }
 }