Merge pull request #10046 from erik-krogh/protoFunc

JS: generalize `BarrierGuardFunction`to work on function that have multiple parameters
2026-04-28 02:05:14 +02:00 · 2022-08-17 14:50:54 +02:00
parent 6e495ba6e5 14cfe2e250
commit bd4947fdbd
3 changed files with 77 additions and 5 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/PrototypePollutingFunction.expected
@@ -1528,6 +1528,31 @@ nodes
 | tests.js:571:24:571:31 | src[key] |
 | tests.js:571:28:571:30 | key |
 | tests.js:571:28:571:30 | key |
+| tests.js:576:30:576:32 | src |
+| tests.js:576:30:576:32 | src |
+| tests.js:577:14:577:16 | key |
+| tests.js:577:14:577:16 | key |
+| tests.js:577:14:577:16 | key |
+| tests.js:580:38:580:40 | src |
+| tests.js:580:38:580:40 | src |
+| tests.js:580:38:580:45 | src[key] |
+| tests.js:580:38:580:45 | src[key] |
+| tests.js:580:38:580:45 | src[key] |
+| tests.js:580:38:580:45 | src[key] |
+| tests.js:580:38:580:45 | src[key] |
+| tests.js:582:17:582:19 | key |
+| tests.js:582:17:582:19 | key |
+| tests.js:582:17:582:19 | key |
+| tests.js:582:24:582:26 | src |
+| tests.js:582:24:582:26 | src |
+| tests.js:582:24:582:31 | src[key] |
+| tests.js:582:24:582:31 | src[key] |
+| tests.js:582:24:582:31 | src[key] |
+| tests.js:582:24:582:31 | src[key] |
+| tests.js:582:24:582:31 | src[key] |
+| tests.js:582:24:582:31 | src[key] |
+| tests.js:582:28:582:30 | key |
+| tests.js:582:28:582:30 | key |
 edges
 | examples/PrototypePollutingFunction.js:1:16:1:18 | dst | examples/PrototypePollutingFunction.js:5:19:5:21 | dst |
 | examples/PrototypePollutingFunction.js:1:16:1:18 | dst | examples/PrototypePollutingFunction.js:5:19:5:21 | dst |
@@ -3461,6 +3486,38 @@ edges
 | tests.js:571:28:571:30 | key | tests.js:571:24:571:31 | src[key] |
 | tests.js:571:28:571:30 | key | tests.js:571:24:571:31 | src[key] |
 | tests.js:571:28:571:30 | key | tests.js:571:24:571:31 | src[key] |
+| tests.js:576:30:576:32 | src | tests.js:580:38:580:40 | src |
+| tests.js:576:30:576:32 | src | tests.js:580:38:580:40 | src |
+| tests.js:576:30:576:32 | src | tests.js:582:24:582:26 | src |
+| tests.js:576:30:576:32 | src | tests.js:582:24:582:26 | src |
+| tests.js:577:14:577:16 | key | tests.js:582:17:582:19 | key |
+| tests.js:577:14:577:16 | key | tests.js:582:17:582:19 | key |
+| tests.js:577:14:577:16 | key | tests.js:582:17:582:19 | key |
+| tests.js:577:14:577:16 | key | tests.js:582:17:582:19 | key |
+| tests.js:577:14:577:16 | key | tests.js:582:17:582:19 | key |
+| tests.js:577:14:577:16 | key | tests.js:582:17:582:19 | key |
+| tests.js:577:14:577:16 | key | tests.js:582:17:582:19 | key |
+| tests.js:577:14:577:16 | key | tests.js:582:28:582:30 | key |
+| tests.js:577:14:577:16 | key | tests.js:582:28:582:30 | key |
+| tests.js:577:14:577:16 | key | tests.js:582:28:582:30 | key |
+| tests.js:577:14:577:16 | key | tests.js:582:28:582:30 | key |
+| tests.js:580:38:580:40 | src | tests.js:580:38:580:45 | src[key] |
+| tests.js:580:38:580:40 | src | tests.js:580:38:580:45 | src[key] |
+| tests.js:580:38:580:45 | src[key] | tests.js:576:30:576:32 | src |
+| tests.js:580:38:580:45 | src[key] | tests.js:576:30:576:32 | src |
+| tests.js:580:38:580:45 | src[key] | tests.js:576:30:576:32 | src |
+| tests.js:580:38:580:45 | src[key] | tests.js:576:30:576:32 | src |
+| tests.js:580:38:580:45 | src[key] | tests.js:576:30:576:32 | src |
+| tests.js:580:38:580:45 | src[key] | tests.js:576:30:576:32 | src |
+| tests.js:582:24:582:26 | src | tests.js:582:24:582:31 | src[key] |
+| tests.js:582:24:582:26 | src | tests.js:582:24:582:31 | src[key] |
+| tests.js:582:24:582:26 | src | tests.js:582:24:582:31 | src[key] |
+| tests.js:582:24:582:26 | src | tests.js:582:24:582:31 | src[key] |
+| tests.js:582:24:582:31 | src[key] | tests.js:582:24:582:31 | src[key] |
+| tests.js:582:28:582:30 | key | tests.js:582:24:582:31 | src[key] |
+| tests.js:582:28:582:30 | key | tests.js:582:24:582:31 | src[key] |
+| tests.js:582:28:582:30 | key | tests.js:582:24:582:31 | src[key] |
+| tests.js:582:28:582:30 | key | tests.js:582:24:582:31 | src[key] |
 #select
 | examples/PrototypePollutingFunction.js:7:13:7:15 | dst | examples/PrototypePollutingFunction.js:2:14:2:16 | key | examples/PrototypePollutingFunction.js:7:13:7:15 | dst | Properties are copied from $@ to $@ without guarding against prototype pollution. | examples/PrototypePollutingFunction.js:2:21:2:23 | src | src | examples/PrototypePollutingFunction.js:7:13:7:15 | dst | dst |
 | path-assignment.js:15:13:15:18 | target | path-assignment.js:8:19:8:25 | keys[i] | path-assignment.js:15:13:15:18 | target | The property chain $@ is recursively assigned to $@ without guarding against prototype pollution. | path-assignment.js:8:19:8:25 | keys[i] | here | path-assignment.js:15:13:15:18 | target | target |
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js
@@ -572,3 +572,18 @@ function copyHasOwnProperty3(dst, src) {
        }
    }
 }
+
+function indirectHasOwn(dst, src) {
+    for (let key in src) {
+        if (!src.hasOwnProperty(key)) continue;
+        if (hasOwn(dst, key) && isObject(dst[key])) {
+            indirectHasOwn(dst[key], src[key]);
+        } else {
+            dst[key] = src[key];
+        }
+    }
+}
+
+function hasOwn(obj, key) {
+    return obj.hasOwnProperty(key)
+}