JS: restrict when a variable reference is considered a source

2026-04-28 18:25:24 +02:00 · 2018-12-12 11:53:49 +00:00
parent 14621760bb
commit a96c53f9b8
4 changed files with 27 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
@@ -207,7 +207,13 @@ private class PostMessageEventParameter extends RemoteFlowSource {
 */
 private class WindowNameAccess extends RemoteFlowSource {
  WindowNameAccess() {
-    this = DataFlow::globalVarRef("name")
+    this = DataFlow::globalObjectRef().getAPropertyRead("name")
+    or
+    // Reference to `name` on a container that does not assign to it.
+    this.accessesGlobal("name") and
+    not exists(VarDef def |
+      def.getAVariable().(GlobalVariable).getName() = "name" and
+      def.getContainer() = this.asExpr().getContainer())
  }

  override string getSourceType() {