handle basic dynamic method dispatch for jQuery methods

2026-04-25 08:45:14 +02:00 · 2020-04-03 11:47:53 +02:00
parent 964a619450
commit dd9aec056c
1 changed files with 6 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll
@@ -538,9 +538,13 @@ module JQuery {
    MethodCall() {
      this = dollarCall() and name = "$"
      or
-      this = dollar().getAMemberCall(name)
+      this = ([dollar(), objectRef()]).getAMemberCall(name)
      or
-      this = objectRef().getAMethodCall(name)
+      // Handle basic dynamic method dispatch (e.g. `$element[html ? 'html' : 'text'](content)`)
+      exists(DataFlow::PropRead read | read = this.getCalleeNode() |
+        read.getBase().getALocalSource() = [dollar(), objectRef()] and
+        read.getPropertyNameExpr().flow().mayHaveStringValue(name)
+      )
      or
      // Handle contributed JQuery objects that aren't source nodes (usually parameter uses)
      getReceiver() = legacyObjectSource() and