restrict the number of stored array elements

2026-04-30 19:26:02 +02:00 · 2020-05-15 10:01:27 +02:00
parent 4eb96848a6
commit dd3342ba6f
2 changed files with 11 additions and 5 deletions
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -253,14 +253,10 @@ private module ArrayDataFlow {
   */
  private class ArrayCreationStep extends DataFlow::AdditionalFlowStep, DataFlow::ArrayCreationNode {
    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
-      prop = arrayElement() and
-      element = this.getAnElement() and
-      obj = this
-      or
      exists(int i |
        element = this.getElement(i) and
        obj = this and
-        prop = i.toString()
+        prop = arrayElement(i)
      )
    }
  }
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -607,6 +607,16 @@ module PseudoProperties {
   */
  string arrayElement() { result = pseudoProperty("arrayElement") }

+  /**
+   * Gets a pseudo-property for the location of the `i`th element in an `Array`.
+   */
+  bindingset[i]
+  string arrayElement(int i) {
+    i < 5 and result = i.toString()
+    or
+    result = arrayElement()
+  }
+
  /**
   * Gets a pseudo-property for the location of elements in some array-like object. (Set, Array, or Iterator).
   */