JS: add whitelist to js/useless-defensive-code

2026-04-29 18:55:14 +02:00 · 2018-10-10 14:37:36 +02:00
parent b073fcfca2
commit e29c57a58e
3 changed files with 15 additions and 8 deletions
--- a/javascript/ql/src/Expressions/UselessDefensiveProgramming.ql
+++ b/javascript/ql/src/Expressions/UselessDefensiveProgramming.ql
@@ -15,5 +15,18 @@ import javascript
 import semmle.javascript.DefensiveProgramming

 from DefensiveExpression e, boolean cv
-where e.getTheTestResult() = cv
+where e.getTheTestResult() = cv and
+      // whitelist
+      not (
+        // module environment detection
+        exists (VarAccess access, string name |
+          name = "exports" or name = "module" |
+          e.asExpr().(Internal::TypeofUndefinedTest).getOperand() = access and
+          access.getName() = name and
+          not exists (access.getVariable().getADeclaration())
+        )
+        or
+        // too benign in practice
+        e instanceof Internal::DefensiveInit
+      )
 select e, "This guard always evaluates to " + cv + "."
--- a/javascript/ql/src/semmle/javascript/DefensiveProgramming.qll
+++ b/javascript/ql/src/semmle/javascript/DefensiveProgramming.qll
@@ -390,7 +390,7 @@ module Internal {
  /**
   * A test for `undefined` using a `typeof` expression.
   */
-  private class TypeofUndefinedTest extends UndefinedNullTest {
+  class TypeofUndefinedTest extends UndefinedNullTest {

    TypeofTest test;