add support for Array.prototype.find and polyfills

2026-04-30 11:15:13 +02:00 · 2021-07-15 11:16:06 +02:00
parent f6f63e2811
commit e64f29fe8f
4 changed files with 39 additions and 1 deletions
--- a/javascript/change-notes/2021-07-15-array-libs.md
+++ b/javascript/change-notes/2021-07-15-array-libs.md
@@ -1,4 +1,6 @@
 lgtm,codescanning
 * The dataflow libraries now model dataflow through more array libraries.
  Affected packages are
-    [array-from](https://npmjs.com/package/array-from)
+    [array-from](https://npmjs.com/package/array-from),
+    [array.prototype.find](https://npmjs.com/package/array.prototype.find),
+    [array-find](https://npmjs.com/package/array-find)
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -79,6 +79,11 @@ module ArrayTaintTracking {
    call.(DataFlow::MethodCallNode).getMethodName() = "concat" and
    succ = call and
    pred = call.getAnArgument()
+    or
+    // find
+    // `e = arr.find(callback)`
+    call = arrayFindCall(pred) and
+    succ = call
  }
 }

@@ -297,6 +302,19 @@ private module ArrayDataFlow {
      )
    }
  }
+
+  /**
+   * A step modelling that elements from an array `arr` are received by calling `find`.
+   */
+  private class ArrayFindStep extends DataFlow::SharedFlowStep {
+    override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      exists(DataFlow::CallNode call |
+        call = arrayFindCall(pred) and
+        succ = call and
+        prop = arrayElement()
+      )
+    }
+  }
 }

 private import ArrayLibraries
@@ -313,4 +331,15 @@ private module ArrayLibraries {
    or
    result = DataFlow::moduleImport("array-from").getACall()
  }
+
+  /**
+   * Gets a call to `Array.prototype.find` or a polyfill implementing the same functionality.
+   */
+  DataFlow::CallNode arrayFindCall(DataFlow::Node array) {
+    result.(DataFlow::MethodCallNode).getMethodName() = "find" and
+    array = result.getReceiver()
+    or
+    result = DataFlow::moduleImport(["array.prototype.find", "array-find"]).getACall() and
+    array = result.getArgument(0)
+  }
 }
--- a/javascript/ql/test/library-tests/Arrays/DataFlow.expected
+++ b/javascript/ql/test/library-tests/Arrays/DataFlow.expected
@@ -8,6 +8,8 @@
 | arrays.js:2:16:2:23 | "source" | arrays.js:60:10:60:10 | x |
 | arrays.js:2:16:2:23 | "source" | arrays.js:66:10:66:10 | x |
 | arrays.js:2:16:2:23 | "source" | arrays.js:71:10:71:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:74:8:74:29 | arr.fin ... llback) |
+| arrays.js:2:16:2:23 | "source" | arrays.js:77:8:77:35 | arrayFi ... llback) |
 | arrays.js:18:22:18:29 | "source" | arrays.js:18:50:18:50 | e |
 | arrays.js:22:15:22:22 | "source" | arrays.js:23:8:23:17 | arr2.pop() |
 | arrays.js:25:15:25:22 | "source" | arrays.js:26:8:26:17 | arr3.pop() |
--- a/javascript/ql/test/library-tests/Arrays/arrays.js
+++ b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -70,4 +70,9 @@
  for (const x of arrayFrom(arr)) {
    sink(x); // NOT OK
  }
+
+  sink(arr.find(someCallback)); // NOT OK
+
+  const arrayFind = require("array-find");
+  sink(arrayFind(arr, someCallback)); // NOT OK
 });