JS: Address review comments

2025-12-20 18:56:32 +01:00 · 2020-01-14 10:30:28 +00:00
parent 2c05ee8ab8
commit d76859b7df
3 changed files with 27 additions and 3 deletions
--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.qhelp
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.qhelp
@@ -41,8 +41,8 @@
  <sample src="examples/PrototypePollutionUtility.js"/>

  <p>
-    However, if <code>src</code> is the object <code>{"__proto__": {"xxx": true}}</code>,
-    it will inject the property <code>xxx: true</code> in in <code>Object.prototype</code>.
+    However, if <code>src</code> is the object <code>{"__proto__": {"isAdmin": true}}</code>,
+    it will inject the property <code>isAdmin: true</code> in in <code>Object.prototype</code>.
  </p>

  <p>
--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -226,7 +226,13 @@ class UnsafePropLabel extends FlowLabel {
 *
 * Note that in the above example, the flow from `key` to the base of the write (`dst`)
 * requires stepping through the recursive call.
- * Such a path would be absent for a shallow copying operation.
+ * Such a path would be absent for a shallow copying operation, where the `dst` object
+ * isn't derived from a property of the source object.
+ *
+ * This configuration can't enforce that all three paths must end at the same
+ * dynamic property write, so we treat the paths independently here and check
+ * for coinciding paths afterwards.  This means this configuration can't be used as
+ * a standalone configuration like in most path queries.
 */
 class PropNameTracking extends DataFlow::Configuration {
  PropNameTracking() { this = "PropNameTracking" }
--- a/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll
+++ b/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll
@@ -35,6 +35,24 @@ module GlobalAccessPath {
  }
 }

+/**
+ * Provides predicates for associating access paths with data flow nodes.
+ *
+ * For example, `AccessPath.getAReferenceTo(x)` can be used to obtain the global access path
+ * that `x` refers to, as in the following sample:
+ * ```
+ * function f() {
+ *   let v = foo.bar; // reference to 'foo.bar'
+ *   v.baz;           // reference to 'foo.bar.baz'
+ * }
+ *
+ * (function(ns) {
+ *   ns.x;            // reference to 'NS.x'
+ * })(NS = NS || {});
+ * ```
+ *
+ * A pseudo-property named `[number]` is sometimes used to represent array indices within an access path.
+ */
 module AccessPath {
  /**
   * A source node that can be the root of an access path.