JS: Restrict class values flowing through globals

Asger F
2019-09-08 15:32:48 +01:00
parent dbfd0ae03b
commit d3f587c12a
2 changed files with 6 additions and 2 deletions


@@ -674,7 +674,12 @@ class ClassNode extends DataFlow::SourceNode {
*/
DataFlow::SourceNode getAClassReference(DataFlow::TypeTracker t) {
t.start() and
result.(AnalyzedNode).getAValue() = getAbstractClassValue()
result.(AnalyzedNode).getAValue() = getAbstractClassValue() and
(
not CallGraph::isIndefiniteGlobal(result)
or
result.getAstNode().getFile() = this.getAstNode().getFile()
)
or
exists(DataFlow::TypeTracker t2 | result = getAClassReference(t2).track(t2, t))
}
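Review bot: The conjunct added to the `t.start()` base case of `getAClassReference` has no comment saying why a class value reached through an indefinite global is accepted only in the class's own file. The doc comment that closes just above starts outside the hunk, so I cannot tell whether it covers this. I would add above the parenthesised disjunction `// Class values read from an indefinite global are only trusted within the file that defines the class.` Because this narrows which nodes count as class references, analyses built on the predicate may lose cross-file results; the second file's hunk header (`-1,3 +1,2`) shows one expected row dropped, which deserves a line in the commit description or a change note. The same-file test goes through `getAstNode()`, so a `result` with no AST node would presumably fail that disjunct; please confirm that is intended.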


@@ -1,3 +1,2 @@
| arraydef.js:1:1:1:19 | function Array() {} | Function Array is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). | arraycalls.js:2:1:2:13 | new Array(45) | here | arraycalls.js:1:1:1:9 | Array(45) | here |
| m.js:1:8:1:22 | functio ... = x;\\n} | Function A is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). | c1.js:2:1:2:9 | new A(42) | here | c2.js:2:1:2:5 | A(23) | here |
| tst.js:1:1:1:22 | functio ... = y;\\n} | Function Point is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). | tst.js:6:1:6:17 | new Point(23, 42) | here | tst.js:7:1:7:13 | Point(56, 72) | here |