two bugfixes

2026-04-29 18:55:14 +02:00 · 2020-03-09 16:45:03 +01:00
parent 0f0187d585
commit b4b05696e1
3 changed files with 20 additions and 3 deletions
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -187,6 +187,8 @@ private module ArrayDataFlow {
   *
   * And array elements can be stored into a resulting array using `map(...)`.
   * E.g. in `arr.map(e => foo)`, the resulting array (`arr.map(e => foo)`) will contain the element `foo`.
+   *
+   * And the second parameter in the callback is the array ifself, so there is a `loadStoreStep` from the array to that second parameter.
   */
  private class ArrayIteration extends DataFlow::AdditionalFlowStep, DataFlow::MethodCallNode {
    ArrayIteration() {
@@ -200,7 +202,7 @@ private module ArrayDataFlow {
    override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
      prop = arrayElement() and
      pred = this.getReceiver() and
-      succ = getCallback(0).getParameter(any(int i | i = 0 or i = 2))
+      succ = getCallback(0).getParameter(0)
    }

    /**
@@ -212,6 +214,15 @@ private module ArrayDataFlow {
      pred = this.getCallback(0).getAReturn() and
      succ = this
    }
+
+    /**
+     * Holds if the property `prop` should be copied from the object `pred` to the object `succ`.
+     */
+    override predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      prop = arrayElement() and
+      pred = this.getReceiver() and
+      succ = getCallback(0).getParameter(2)
+    }
  }

  /**
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -612,7 +612,7 @@ class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {
  DataFlow::ValueNode getElement(int i) {
    result = this.(ArrayLiteralNode).getElement(i) or
    result = this.(ArrayConstructorInvokeNode).getElement(i) or
-    exists(DataFlow::CallNode call | call.getCalleeName() = "from" | 
+    exists(DataFlow::CallNode call | call.getCalleeName() = "from" and call = this | 
      result = call.getArgument(i)
    )
  }
@@ -624,7 +624,7 @@ class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {
  int getSize() {
    result = this.(ArrayLiteralNode).getSize() or
    result = this.(ArrayConstructorInvokeNode).getSize() or
-    exists(DataFlow::CallNode call | call.getCalleeName() = "from" | 
+    exists(DataFlow::CallNode call | call.getCalleeName() = "from" and call = this | 
      result = call.getNumArgument()
    )
  }
--- a/javascript/ql/test/library-tests/Arrays/arrays.js
+++ b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -39,4 +39,10 @@
    arr6[i] = arr5[i];
  }
  sink(arr6.pop()); // NOT OK
+
+
+  Array.from("source").forEach((e, i, ary) => {
+    sink(ary.pop()); // NOT OK
+    sink(ary); // OK - its the array itself, not an element.
+  })
 });