JS: Fix one case of missing handling of unknown array index

2026-04-25 16:55:19 +02:00 · 2024-09-05 12:01:25 +02:00
parent 379c7ef20a
commit a9a8351cce
2 changed files with 9 additions and 5 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
@@ -1173,7 +1173,11 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
    then
      c = ContentSet::arrayElement() and // unknown start index when not the first spread operator
      storeContent.isUnknownArrayElement()
-    else storeContent.asArrayIndex() = n + c.asArrayIndex()
+    else (
+      storeContent.asArrayIndex() = n + c.asArrayIndex()
+      or
+      storeContent.isUnknownArrayElement() and c.asSingleton() = storeContent
+    )
  )
  or
  exists(FlowSummaryNode parameter, ParameterPosition pos |
--- a/javascript/ql/test/library-tests/TripleDot/tst.js
+++ b/javascript/ql/test/library-tests/TripleDot/tst.js
@@ -153,10 +153,10 @@ function t14() {

 function t15() {
    function target(safe, x, y, ...rest) {
-        sink(safe); // $ SPURIOUS: hasTaintFlow=t15.1
-        sink(x); // $ MISSING: hasValueFlow=t15.1 SPURIOUS: hasTaintFlow=t15.1
-        sink(y); // $ MISSING: hasValueFlow=t15.1 SPURIOUS: hasTaintFlow=t15.1
-        sink(rest.pop()); // $ MISSING: hasValueFlow=t15.1 SPURIOUS: hasTaintFlow=t15.1
+        sink(safe); // $ SPURIOUS: hasValueFlow=t15.1
+        sink(x); // $ hasValueFlow=t15.1
+        sink(y); // $ hasValueFlow=t15.1
+        sink(rest.pop()); // $ hasValueFlow=t15.1
        sink(rest); // $ hasTaintFlow=t15.1
    }
    const args = new Array(Math.floor(Math.random() * 10));