hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 11:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Support Argument[this] token

Browse Source
This commit is contained in:
Asger Feldthaus
2022-03-22 12:36:19 +01:00
parent d476f976fe
commit 95122b2b6c
4 changed files with 23 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll
View File

@@ -133,6 +133,10 @@ bindingset[token]
API::Node getExtraSuccessorFromInvoke(API::InvokeNode node, AccessPathToken token) {
token.getName() = "Instance" and
result = node.getInstance()
or
token.getName() = "Argument" and
token.getAnArgument() = "this" and
result.getARhs() = node.(DataFlow::CallNode).getReceiver()
}
/**

2
javascript/ql/test/library-tests/frameworks/data/test.expected
View File

@@ -33,6 +33,8 @@ taintFlow
| test.js:95:17:95:24 | source() | test.js:95:17:95:24 | source() |
| test.js:96:17:96:24 | source() | test.js:96:17:96:24 | source() |
| test.js:97:17:97:24 | source() | test.js:97:17:97:24 | source() |
| test.js:102:16:102:34 | testlib.getSource() | test.js:103:8:103:13 | source |
| test.js:102:16:102:34 | testlib.getSource() | test.js:104:8:104:24 | source.continue() |
isSink
| test.js:54:18:54:25 | source() | test-sink |
| test.js:55:22:55:29 | source() | test-sink |

7
javascript/ql/test/library-tests/frameworks/data/test.js
View File

@@ -97,3 +97,10 @@ function testSinks() {
testlib.sink3(source()); // NOT OK
testlib.sink4(source()); // OK
}
function testFlowThroughReceiver() {
let source = testlib.getSource();
sink(source); // NOT OK
sink(source.continue()); // NOT OK
sink(source.blah()); // OK
}

11
javascript/ql/test/library-tests/frameworks/data/test.ql
View File

@@ -12,7 +12,8 @@ class Steps extends ModelInput::SummaryModelCsv {
"testlib;;Member[taintIntoCallbackThis];Argument[0];Argument[1..2].Parameter[this];taint",
"testlib;;Member[preserveArgZeroAndTwo];Argument[0,2];ReturnValue;taint",
"testlib;;Member[preserveAllButFirstArgument];Argument[1..];ReturnValue;taint",
"testlib;;Member[preserveAllIfCall].Call;Argument[0..];ReturnValue;taint"
"testlib;;Member[preserveAllIfCall].Call;Argument[0..];ReturnValue;taint",
"testlib;;Member[getSource].ReturnValue.Member[continue];Argument[this];ReturnValue;taint",
]
}
}
@@ -36,11 +37,19 @@ class Sinks extends ModelInput::SinkModelCsv {
}
}
class Sources extends ModelInput::SourceModelCsv {
override predicate row(string row) {
row = "testlib;;Member[getSource].ReturnValue;test-source"
}
}
class BasicTaintTracking extends TaintTracking::Configuration {
BasicTaintTracking() { this = "BasicTaintTracking" }
override predicate isSource(DataFlow::Node source) {
source.(DataFlow::CallNode).getCalleeName() = "source"
or
source = ModelOutput::getASourceNode("test-source").getAnImmediateUse()
}
override predicate isSink(DataFlow::Node sink) {