add support for delegating yield

2025-12-17 01:03:14 +01:00 · 2020-08-25 20:00:41 +02:00
parent 6a07e1e82b
commit 90422fe705
2 changed files with 33 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/Generators.qll
+++ b/javascript/ql/src/semmle/javascript/Generators.qll
@@ -11,7 +11,19 @@ private module GeneratorDataFlow {
    override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      exists(DataFlow::FunctionNode f | f.getFunction().isGenerator() |
        prop = iteratorElement() and
-        exists(YieldExpr yield | yield.getContainer() = f.getFunction() |
+        exists(YieldExpr yield |
+          yield.getContainer() = f.getFunction() and not yield.isDelegating()
+        |
+          pred.asExpr() = yield.getOperand()
+        ) and
+        succ = f.getReturnNode()
+      )
+    }
+
+    override predicate loadStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
+      exists(DataFlow::FunctionNode f | f.getFunction().isGenerator() |
+        prop = iteratorElement() and
+        exists(YieldExpr yield | yield.getContainer() = f.getFunction() and yield.isDelegating() |
          pred.asExpr() = yield.getOperand()
        ) and
        succ = f.getReturnNode()
--- a/javascript/ql/test/library-tests/Generators/generators.js
+++ b/javascript/ql/test/library-tests/Generators/generators.js
@@ -30,4 +30,24 @@
  } catch (e) {
    sink(e); // NOT OK
  }
+
+  function *delegating() {
+    yield* delegate();
+  }
+
+  function *delegate() {
+    yield source;
+  }
+
+  Array.from(delegating()).forEach(x => sink(x)); // NOT OK
+
+  function *delegating2() {
+    yield* returnsTaint();
+  }
+
+  function returnsTaint() {
+    return source;
+  }
+
+  Array.from(delegating2()).forEach(x => sink(x)); // OK
 });