Merge pull request #11565 from asgerf/js/rephined-variable-in-access-path

JS: handle rephined variable in access path
2026-04-30 19:26:02 +02:00 · 2022-12-07 09:26:38 +01:00
parent c1c0432c00 80777b8c50
commit afe7872838
2 changed files with 36 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/AccessPaths.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/AccessPaths.qll
@@ -45,6 +45,8 @@ private PropAccess namedPropAccess(AccessPath base, PropertyName name, BasicBloc

 private SsaVariable getRefinedVariable(SsaVariable variable) {
  result = variable.getDefinition().(SsaRefinementNode).getAnInput()
+  or
+  result = variable.getDefinition().(SsaPhiNode).getRephinedVariable()
 }

 private SsaVariable getARefinementOf(SsaVariable variable) { variable = getRefinedVariable(result) }
--- a/javascript/ql/test/library-tests/TaintTracking/refinement-sanitizer.js
+++ b/javascript/ql/test/library-tests/TaintTracking/refinement-sanitizer.js
@@ -0,0 +1,34 @@
+import * as dummy from 'dummy';
+
+function oneUse() {
+    let taint = source();
+
+    if (!isSafe(taint)) {
+        return;
+    }
+
+    let array = [];
+    if (taint) {
+        array.push(taint);
+    }
+
+    sink(array.join()); // OK
+}
+
+function secondUse() {
+    let taint = source();
+
+    if (!isSafe(taint)) {
+        return;
+    }
+
+    let array = [];
+    if (taint) {
+        array.push(taint);
+    }
+    if (taint) {
+        array.push(taint);
+    }
+
+    sink(array.join()); // OK
+}