JS: Fix flow through +=

2026-05-13 18:59:27 +02:00 · 2019-04-05 13:55:48 +01:00
parent 15fa4f8b7a
commit e55330b820
7 changed files with 55 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/StringConcatenation.qll
+++ b/javascript/ql/src/semmle/javascript/StringConcatenation.qll
@@ -10,7 +10,7 @@ module StringConcatenation {
    result = expr.flow()
    or
    exists(SsaExplicitDefinition def | def.getDef() = expr |
-      result = DataFlow::valueNode(def.getVariable().getAUse())
+      result = DataFlow::ssaDefinitionNode(def)
    )
  }

--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -366,7 +366,9 @@ module TaintTracking {
   * Note that since we cannot easily distinguish string append from addition,
   * we consider any `+` operation to propagate taint.
   */
-  class StringConcatenationTaintStep extends AdditionalTaintStep, DataFlow::ValueNode {
+  class StringConcatenationTaintStep extends AdditionalTaintStep {
+    StringConcatenationTaintStep() { StringConcatenation::taintStep(_, this) }
+
    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
      succ = this and
      StringConcatenation::taintStep(pred, succ)