JS: Restrict ExtendCall flow in proto pollution query

2026-04-28 10:15:14 +02:00 · 2023-04-13 15:35:05 +02:00
parent efb582b661
commit b321151a28
1 changed files with 12 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
@@ -57,6 +57,18 @@ class Configuration extends TaintTracking::Configuration {
    node = NodeJSLib::Path::moduleMember(["join", "normalize", "relative", "resolve"]).getACall()
  }

+  override predicate isSanitizerEdge(
+    DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel lbl
+  ) {
+    // Suppress the value-preserving step src -> dst in `extend(dst, src)`. This is modeled as a value-preserving
+    // step because it preserves all properties, but the destination is not actually Object.prototype.
+    exists(ExtendCall call |
+      pred = call.getASourceOperand() and
+      succ = call.getDestinationOperand().getALocalSource() and
+      lbl instanceof ObjectPrototype
+    )
+  }
+
  override predicate isAdditionalFlowStep(
    DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
  ) {