Added underscore.string clearsContent.

Co-authored-by: Asgerf <asgerf@github.com>
2026-04-25 16:55:19 +02:00 · 2025-03-18 11:35:33 +01:00
parent 8b431dc0e7
commit 922a07d01e
3 changed files with 28 additions and 2 deletions
--- a/javascript/ql/lib/javascript.qll
+++ b/javascript/ql/lib/javascript.qll
@@ -143,3 +143,4 @@ import semmle.javascript.linters.ESLint
 import semmle.javascript.linters.JSLint
 import semmle.javascript.linters.Linting
 import semmle.javascript.security.dataflow.RemoteFlowSources
+import semmle.javascript.frameworks.UnderscoreDotString
--- a/javascript/ql/lib/semmle/javascript/frameworks/UnderscoreDotString.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/UnderscoreDotString.qll
@@ -0,0 +1,25 @@
+/**
+ * Provides classes for modeling data flow behavior of the Underscore.string library (https://www.npmjs.com/package/underscore.string).
+ */
+
+private import javascript
+private import semmle.javascript.dataflow.internal.AdditionalFlowInternal
+
+/**
+ * Models data flow for the Underscore.string library.
+ */
+private class UnderscoreDotString extends AdditionalFlowInternal {
+  /**
+   * Holds if a call to an Underscore.string method clears array element content of the receiver.
+   */
+  override predicate clearsContent(DataFlow::Node node, DataFlow::ContentSet contents) {
+    exists(DataFlow::CallNode call |
+      call =
+        ModelOutput::getATypeNode(["'underscore.string'.Wrapper", "'underscore.string'"])
+            .getAMember()
+            .getACall() and
+      node = call.getReceiver().getPostUpdateNode() and
+      contents = DataFlow::ContentSet::arrayElement()
+    )
+  }
+}
--- a/javascript/ql/test/library-tests/TripleDot/underscore.string.js
+++ b/javascript/ql/test/library-tests/TripleDot/underscore.string.js
@@ -11,7 +11,7 @@ function strToStr() {
  sink(s.unescapeHTML(source("s8"))); // $ hasTaintFlow=s8
  sink(s.wrap(source("s9"), {})); // $ hasTaintFlow=s9
  sink(s.dedent(source("s10"), "  ")); // $ hasTaintFlow=s10
-  sink(s.reverse(source("s11"))); // $ hasTaintFlow=s11 SPURIOUS: hasTaintFlow=s8
+  sink(s.reverse(source("s11"))); // $ hasTaintFlow=s11
  sink(s.pred(source("s12"))); // $ hasTaintFlow=s12
  sink(s.succ(source("s13"))); // $ hasTaintFlow=s13
  sink(s.titleize(source("s14"))); // $ hasTaintFlow=s14
@@ -60,7 +60,7 @@ function multiSource() {
  sink(s.join(",", source("s5"), "str")); // $ hasTaintFlow=s5
  sink(s.join(",", "str", source("s6"))); // $ hasTaintFlow=s6

-  sink(s.splice(source("s7"), 1, 2, "str")); // $ hasTaintFlow=s7 SPURIOUS: hasTaintFlow=s8
+  sink(s.splice(source("s7"), 1, 2, "str")); // $ hasTaintFlow=s7
  sink(s.splice("str", 1, 2, source("s8"))); // $ hasTaintFlow=s8

  sink(s.prune(source("s9"), 1, "additional")); // $ hasTaintFlow=s9