Merge pull request #3019 from erik-krogh/ArrayStep

Approved by asgerf

javascript/ql/test/library-tests/Arrays/DataFlow.expected

@@ -0,0 +1,13 @@
+| arrays.js:2:16:2:23 | "source" | arrays.js:5:8:5:14 | obj.foo |
+| arrays.js:2:16:2:23 | "source" | arrays.js:11:10:11:15 | arr[i] |
+| arrays.js:2:16:2:23 | "source" | arrays.js:15:27:15:27 | e |
+| arrays.js:2:16:2:23 | "source" | arrays.js:16:23:16:23 | e |
+| arrays.js:2:16:2:23 | "source" | arrays.js:20:8:20:16 | arr.pop() |
+| arrays.js:18:22:18:29 | "source" | arrays.js:18:50:18:50 | e |
+| arrays.js:22:15:22:22 | "source" | arrays.js:23:8:23:17 | arr2.pop() |
+| arrays.js:25:15:25:22 | "source" | arrays.js:26:8:26:17 | arr3.pop() |
+| arrays.js:29:21:29:28 | "source" | arrays.js:30:8:30:17 | arr4.pop() |
+| arrays.js:29:21:29:28 | "source" | arrays.js:33:8:33:17 | arr5.pop() |
+| arrays.js:29:21:29:28 | "source" | arrays.js:35:8:35:26 | arr5.slice(2).pop() |
+| arrays.js:29:21:29:28 | "source" | arrays.js:41:8:41:17 | arr6.pop() |
+| arrays.js:44:4:44:11 | "source" | arrays.js:45:10:45:18 | ary.pop() |

javascript/ql/test/library-tests/Arrays/DataFlow.ql

@@ -0,0 +1,15 @@
+import javascript
+
+class ArrayFlowConfig extends DataFlow::Configuration {
+  ArrayFlowConfig() { this = "ArrayFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source.asExpr().getStringValue() = "source" }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument()
+  }
+}
+
+from ArrayFlowConfig config, DataFlow::Node src, DataFlow::Node snk
+where config.hasFlow(src, snk)
+select src, snk

javascript/ql/test/library-tests/Arrays/arrays.js

@@ -0,0 +1,50 @@
+(function () {
+  let source = "source";
+
+  var obj = { foo: source };
+  sink(obj.foo); // NOT OK
+
+  var arr = [];
+  arr.push(source);
+
+  for (var i = 0; i < arr.length; i++) {
+    sink(arr[i]); // NOT OK
+  }
+
+
+  arr.forEach((e) => sink(e)); // NOT OK
+  arr.map((e) => sink(e)); // NOT OK
+
+  [1, 2, 3].map(i => "source").forEach(e => sink(e)); // NOT OK.
+
+  sink(arr.pop()); // NOT OK
+
+  var arr2 = ["source"];
+  sink(arr2.pop()); // NOT OK
+
+  var arr3 = ["source"];
+  sink(arr3.pop()); // NOT OK
+
+  var arr4 = [];
+  arr4.splice(0, 0, "source");
+  sink(arr4.pop()); // NOT OK
+
+  var arr5 = [].concat(arr4);
+  sink(arr5.pop()); // NOT OK
+
+  sink(arr5.slice(2).pop()); // NOT OK
+
+  var arr6 = [];
+  for (var i = 0; i < arr5.length; i++) {
+    arr6[i] = arr5[i];
+  }
+  sink(arr6.pop()); // NOT OK
+
+
+  ["source"].forEach((e, i, ary) => {
+    sink(ary.pop()); // NOT OK
+    sink(ary); // OK - its the array itself, not an element.
+  });
+
+  sink(arr[0]); // OK - tuple like usage. 
+});

javascript/ql/test/library-tests/InterProceduralFlow/DataFlow.expected

@@ -2,6 +2,7 @@
 | a.js:1:15:1:23 | "tainted" | b.js:6:13:6:13 | x |
 | a.js:2:15:2:28 | "also tainted" | b.js:5:13:5:29 | notTaintedTrustMe |
 | callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
+| callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
 | callback.js:27:15:27:23 | "source3" | callback.js:13:14:13:14 | x |
 | destructuring.js:2:16:2:24 | "tainted" | destructuring.js:9:15:9:22 | tainted2 |
 | destructuring.js:19:15:19:23 | "tainted" | destructuring.js:14:15:14:15 | p |
@@ -44,6 +45,7 @@
 | tst2.js:6:24:6:37 | "also tainted" | tst2.js:11:15:11:24 | g(source2) |
 | tst6.mjs:12:14:12:21 | "source" | tst6.mjs:14:12:14:16 | a.m() |
 | tst6.mjs:16:15:16:23 | "source2" | tst6.mjs:18:13:18:24 | a.m.call(a2) |
+| tst.js:2:17:2:22 | "src1" | tst.js:28:20:28:22 | elt |
 | tst.js:2:17:2:22 | "src1" | tst.js:39:17:39:17 | x |
 | tst.js:2:17:2:22 | "src1" | tst.js:41:19:41:19 | x |
 | tst.js:2:17:2:22 | "src1" | tst.js:45:17:45:17 | x |

javascript/ql/test/library-tests/InterProceduralFlow/GermanFlow.expected

@@ -2,6 +2,7 @@
 | a.js:1:15:1:23 | "tainted" | b.js:6:13:6:13 | x |
 | a.js:2:15:2:28 | "also tainted" | b.js:5:13:5:29 | notTaintedTrustMe |
 | callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
+| callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
 | callback.js:27:15:27:23 | "source3" | callback.js:13:14:13:14 | x |
 | custom.js:1:14:1:26 | "verschmutzt" | custom.js:2:15:2:20 | quelle |
 | destructuring.js:2:16:2:24 | "tainted" | destructuring.js:9:15:9:22 | tainted2 |
@@ -45,6 +46,7 @@
 | tst2.js:6:24:6:37 | "also tainted" | tst2.js:11:15:11:24 | g(source2) |
 | tst6.mjs:12:14:12:21 | "source" | tst6.mjs:14:12:14:16 | a.m() |
 | tst6.mjs:16:15:16:23 | "source2" | tst6.mjs:18:13:18:24 | a.m.call(a2) |
+| tst.js:2:17:2:22 | "src1" | tst.js:28:20:28:22 | elt |
 | tst.js:2:17:2:22 | "src1" | tst.js:39:17:39:17 | x |
 | tst.js:2:17:2:22 | "src1" | tst.js:41:19:41:19 | x |
 | tst.js:2:17:2:22 | "src1" | tst.js:45:17:45:17 | x |

javascript/ql/test/library-tests/InterProceduralFlow/TrackedNodes.expected

@@ -1,3 +1,6 @@
+| missing | callback.js:17:15:17:23 | "source2" | callback.js:8:16:8:20 | xs[i] |
+| missing | callback.js:17:15:17:23 | "source2" | callback.js:12:16:12:16 | x |
+| missing | callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
 | missing | promises.js:1:2:1:2 | source | promises.js:6:26:6:28 | val |
 | missing | promises.js:1:2:1:2 | source | promises.js:7:16:7:18 | val |
 | missing | promises.js:1:2:1:2 | source | promises.js:37:11:37:11 | v |
@@ -30,3 +33,5 @@
 | missing | promises.js:16:7:16:21 | exceptional return of rej(rej_source) | promises.js:24:20:24:20 | v |
 | missing | promises.js:32:24:32:37 | "also tainted" | promises.js:37:11:37:11 | v |
 | missing | promises.js:32:24:32:37 | "also tainted" | promises.js:38:32:38:32 | v |
+| missing | tst.js:2:17:2:22 | "src1" | tst.js:27:22:27:24 | elt |
+| missing | tst.js:2:17:2:22 | "src1" | tst.js:28:20:28:22 | elt |