Merge pull request #75 from asger-semmle/server-side-url-redirect-performance

Approved by xiemaisi
2026-05-01 03:35:13 +02:00 · 2018-08-20 14:53:16 +01:00
parent b931e88686 4dc1462b6b
commit e1f3637b66
1 changed files with 6 additions and 7 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirect.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirect.qll
@@ -36,12 +36,9 @@ module ServerSideUrlRedirect {
  }

  /**
-   * Gets a "prefix predecessor" of `nd`, that is, either a normal data flow predecessor
-   * or the left operand of `nd` if it is a concatenation.
+   * Gets the left operand of `nd` if it is a concatenation.
   */
-  private DataFlow::Node prefixPred(DataFlow::Node nd) {
-    result = nd.getAPredecessor()
-    or
+  private DataFlow::Node getPrefixOperand(DataFlow::Node nd) {
    exists (Expr e | e instanceof AddExpr or e instanceof AssignAddExpr |
      nd = DataFlow::valueNode(e) and
      result = DataFlow::valueNode(e.getChildExpr(0))
@@ -53,7 +50,8 @@ module ServerSideUrlRedirect {
   */
  private DataFlow::Node prefixCandidate(Sink sink) {
    result = sink or
-    result = prefixPred(prefixCandidate(sink))
+    result = getPrefixOperand(prefixCandidate(sink)) or
+    result = prefixCandidate(sink).getAPredecessor()
  }
  
  /**
@@ -62,7 +60,8 @@ module ServerSideUrlRedirect {
  private Expr getAPrefix(Sink sink) {
    exists (DataFlow::Node prefix |
      prefix = prefixCandidate(sink) and
-      not exists(prefixPred(prefix)) and
+      not exists(getPrefixOperand(prefix)) and
+      not exists(prefix.getAPredecessor()) and
      result = prefix.asExpr()
    )
  }