JS: Add: dataflow step for find, findLast, findLastIndex callback functions

2026-04-25 08:45:14 +02:00 · 2024-11-19 09:42:11 +01:00
parent b64b837db3
commit c03d69af1e
4 changed files with 23 additions and 3 deletions
--- a/javascript/ql/lib/semmle/javascript/Arrays.qll
+++ b/javascript/ql/lib/semmle/javascript/Arrays.qll
@@ -483,4 +483,18 @@ private module ArrayLibraries {
      )
    }
  }
+
+  /**
+   * Defines a data flow step that tracks the flow of data through callback functions in arrays.
+   */
+  private class ArrayCallBackDataFlowStep extends PreCallGraphStep {
+    override predicate loadStep(DataFlow::Node obj, DataFlow::Node element, string prop) {
+      exists(DataFlow::MethodCallNode call |
+        call.getMethodName() = ["findLast", "find", "findLastIndex"] and
+        prop = arrayLikeElement() and
+        obj = call.getReceiver() and
+        element = call.getCallback(0).getParameter(0)
+      )
+    }
+  }
 }
--- a/javascript/ql/test/library-tests/Arrays/DataFlow.expected
+++ b/javascript/ql/test/library-tests/Arrays/DataFlow.expected
@@ -26,5 +26,8 @@
 | arrays.js:53:4:53:11 | "source" | arrays.js:54:10:54:18 | ary.pop() |
 | arrays.js:99:31:99:38 | "source" | arrays.js:100:8:100:17 | arr8.pop() |
 | arrays.js:103:55:103:62 | "source" | arrays.js:105:8:105:25 | arr8_variant.pop() |
+| arrays.js:114:19:114:26 | "source" | arrays.js:115:50:115:53 | item |
 | arrays.js:114:19:114:26 | "source" | arrays.js:116:10:116:16 | element |
+| arrays.js:120:19:120:26 | "source" | arrays.js:121:46:121:49 | item |
 | arrays.js:120:19:120:26 | "source" | arrays.js:122:10:122:16 | element |
+| arrays.js:126:19:126:26 | "source" | arrays.js:127:55:127:58 | item |
--- a/javascript/ql/test/library-tests/Arrays/TaintFlow.expected
+++ b/javascript/ql/test/library-tests/Arrays/TaintFlow.expected
@@ -30,5 +30,8 @@
 | arrays.js:96:9:96:16 | "source" | arrays.js:96:8:96:36 | ["sourc ... => !!x) |
 | arrays.js:99:31:99:38 | "source" | arrays.js:100:8:100:17 | arr8.pop() |
 | arrays.js:103:55:103:62 | "source" | arrays.js:105:8:105:25 | arr8_variant.pop() |
+| arrays.js:114:19:114:26 | "source" | arrays.js:115:50:115:53 | item |
 | arrays.js:114:19:114:26 | "source" | arrays.js:116:10:116:16 | element |
+| arrays.js:120:19:120:26 | "source" | arrays.js:121:46:121:49 | item |
 | arrays.js:120:19:120:26 | "source" | arrays.js:122:10:122:16 | element |
+| arrays.js:126:19:126:26 | "source" | arrays.js:127:55:127:58 | item |
--- a/javascript/ql/test/library-tests/Arrays/arrays.js
+++ b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -112,19 +112,19 @@

  {  // Test for findLast function
    const list = ["source"];
-    const element = list.findLast((item) => sink(item)); // NOT OK -- Not caught, currently missing dataflow tracking.
+    const element = list.findLast((item) => sink(item)); // NOT OK
    sink(element); // NOT OK
  }

  {  // Test for find function
    const list = ["source"];
-    const element = list.find((item) => sink(item)); // NOT OK -- Not caught, currently missing dataflow tracking.
+    const element = list.find((item) => sink(item)); // NOT OK
    sink(element); // NOT OK
  }

  {  // Test for findLastIndex function
    const list = ["source"];
-    const element = list.findLastIndex((item) => sink(item)); // NOT OK -- Not caught, currently missing dataflow tracking.
+    const element = list.findLastIndex((item) => sink(item)); // NOT OK
    sink(element); // OK
  }
 });