JavaScript: Fix uses of TypeTracker with custom flow steps.

These steps need to check that the type hasn't been tracked into a property.
2026-04-29 02:35:15 +02:00 · 2019-03-28 10:33:04 +00:00
parent b2faac30c9
commit c097031c7e
3 changed files with 14 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll
@@ -51,6 +51,7 @@ module SocketIO {
        // exclude getter versions
        exists(mcn.getAnArgument()) and
        result = mcn and
+        t2.getProp() = "" and
        t = t2
      )
    )
@@ -110,6 +111,7 @@ module SocketIO {
      or
      // invocation of a chainable method
      result = pred.getAMethodCall(namespaceChainableMethod()) and
+      t2.getProp() = "" and
      t = t2
      or
      // invocation of chainable getter method
@@ -119,6 +121,7 @@ module SocketIO {
        m = "volatile"
      |
        result = pred.getAPropertyRead(m) and
+        t2.getProp() = "" and
        t = t2
      )
    )
@@ -171,6 +174,7 @@ module SocketIO {
        m = EventEmitter::chainableMethod()
      |
        result = pred.getAMethodCall(m) and
+        t2.getProp() = "" and
        t = t2
      )
      or
@@ -182,6 +186,7 @@ module SocketIO {
        m = "volatile"
      |
        result = pred.getAPropertyRead(m) and
+        t2.getProp() = "" and
        t = t2
      )
    )
--- a/javascript/ql/test/library-tests/frameworks/SocketIO/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/SocketIO/tests.expected
@@ -149,6 +149,7 @@ test_ServerNode
 | tst.js:15:1:15:15 | io.attach(http) | tst.js:1:12:1:33 | socket.io server |
 | tst.js:16:1:16:15 | io.bind(engine) | tst.js:1:12:1:33 | socket.io server |
 | tst.js:17:1:17:23 | io.onco ... socket) | tst.js:1:12:1:33 | socket.io server |
+| tst.js:79:1:79:10 | obj.server | tst.js:1:12:1:33 | socket.io server |
 test_ClientSendNode_getAReceiver
 | client2.js:14:1:14:32 | sock.em ... there") | tst.js:72:3:72:43 | socket. ...  => {}) |
 | client2.js:16:1:16:36 | sock.wr ...  => {}) | tst.js:70:3:70:35 | socket. ...  => {}) |
--- a/javascript/ql/test/library-tests/frameworks/SocketIO/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/SocketIO/tst.js
@@ -71,3 +71,11 @@ ns.on('connection', (socket) => {
  socket.once('message', (data1, data2) => {});
  socket.addListener(eventName(), () => {});
 });
+
+var obj = {
+  server: io,
+  serveClient: function() { return null; }
+};
+obj.server;                    // SocketIO::ServerNode
+obj.serveClient(false);        // not a SocketIO::ServerNode
+obj.serveClient(false).server; // not a SocketIO::ServerNode