JavaScript: ensure prefix sanitizers work for array.join()

2026-05-03 04:39:29 +02:00 · 2018-09-17 14:31:26 +01:00
parent e2cdf5d7ed
commit 9384b85bcc
4 changed files with 28 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/StringConcatenation.qll
+++ b/javascript/ql/src/semmle/javascript/StringConcatenation.qll
@@ -28,10 +28,19 @@ module StringConcatenation {
      or
      n = 1 and result = assign.getRhs().flow())
    or
-    exists (DataFlow::ArrayCreationNode array |
-      node = array.getAMethodCall("join") and
-      node.(DataFlow::MethodCallNode).getArgument(0).mayHaveStringValue("") and
-      result = array.getElement(n))
+    exists (DataFlow::ArrayCreationNode array, DataFlow::MethodCallNode call |
+      call = array.getAMethodCall("join") and
+      call.getArgument(0).mayHaveStringValue("") and
+      (
+        // step from array element to array
+        result = array.getElement(n) and
+        node = array
+        or
+        // step from array to join call
+        node = call and
+        result = array and
+        n = 0
+      ))
  }

  /** Gets an operand to the string concatenation defining `node`. */