JS: make LocalObjects::isEscape aware of yield

2025-12-16 16:53:25 +01:00 · 2020-05-18 12:41:13 +02:00
parent 14664be467
commit a9ba6ac659
4 changed files with 14 additions and 0 deletions
--- a/change-notes/1.25/analysis-javascript.md
+++ b/change-notes/1.25/analysis-javascript.md
@@ -33,6 +33,7 @@
 | Unknown directive (`js/unknown-directive`) | Less results | This query no longer flags directives generated by the Babel compiler. |
 | Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving NoSQL code operators are now recognized. |
 | Zip Slip (`js/zipslip`) | More results | This query now recognizes additional vulnerabilities. |
+| Unused property (`js/unused-property`) | Less results | This query no longer flags properties of objects that are operands of `yield` expressions. |

 ## Changes to libraries

--- a/javascript/ql/src/semmle/javascript/dataflow/LocalObjects.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/LocalObjects.qll
@@ -12,6 +12,8 @@ private predicate isEscape(DataFlow::Node escape, string cause) {
  or
  escape = any(DataFlow::FunctionNode fun).getAReturn() and cause = "return"
  or
+  escape = any(YieldExpr yield).getOperand().flow() and cause = "yield"
+  or
  escape = any(ThrowStmt t).getExpr().flow() and cause = "throw"
  or
  escape = any(GlobalVariable v).getAnAssignedExpr().flow() and cause = "global"
--- a/javascript/ql/test/library-tests/LocalObjects/tst.js
+++ b/javascript/ql/test/library-tests/LocalObjects/tst.js
@@ -89,3 +89,9 @@
 	let bound = {};
 	bound::unknown();
 });
+
+(async function* f() {
+  yield* {
+    get p() { }
+  };
+});
--- a/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst-yield.js
+++ b/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst-yield.js
@@ -0,0 +1,5 @@
+async function* f() {
+  yield* {
+    get p() { }
+  };
+}