JS: Make barrier guards work with use-use flow

2026-04-28 02:05:14 +02:00 · 2024-10-08 16:26:03 +02:00
parent 67fdd864c9
commit e784813c3b
5 changed files with 113 additions and 5 deletions
--- a/javascript/ql/test/library-tests/TripleDot/useuse.js
+++ b/javascript/ql/test/library-tests/TripleDot/useuse.js
@@ -111,3 +111,34 @@ function t7() {
    const c = new Sub(source('t7.1'));
    sink(c.field); // $ hasTaintFlow=t7.1
 }
+
+function t8() {
+    function foo(x) {
+        const obj = {};
+        obj.field = x;
+
+        sink(obj.field); // $ hasTaintFlow=t8.1
+
+        if (obj) {
+            sink(obj.field); // $ hasTaintFlow=t8.1
+        } else {
+            sink(obj.field);
+        }
+
+        if (!obj) {
+            sink(obj.field);
+        } else {
+            sink(obj.field); // $ hasTaintFlow=t8.1
+        }
+
+        if (!obj || !obj) {
+            sink(obj.field);
+        } else {
+            sink(obj.field); // $ hasTaintFlow=t8.1
+        }
+    }
+
+    // The guards used above are specific to taint-tracking, to ensure only taint flows in
+    const taint = source('t8.1') + ' taint';
+    foo(taint);
+}