add local flow when recognizing Object.assign calls for library-inputs

2026-04-30 11:15:13 +02:00 · 2023-01-09 17:44:11 +01:00
parent 5157d4df7b
commit 9f100ef2c6
4 changed files with 23 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/lib/semmle/javascript/PackageExports.qll
@@ -200,7 +200,9 @@ private DataFlow::Node getAValueExportedByPackage() {
  or
  // Object.assign and friends
  exists(ExtendCall assign |
-    getAValueExportedByPackage() = [assign, assign.getDestinationOperand()] and
+    getAValueExportedByPackage() =
+      [assign, assign.getDestinationOperand(), assign.getDestinationOperand().getALocalSource()]
+  |
    result = assign.getASourceOperand()
  )
  or