JS: Provide better model for Array.splice

This commit is contained in:
Rasmus Wriedt Larsen
2024-06-12 16:27:40 +02:00
parent 54a0e6dc45
commit ec18786488
3 changed files with 6 additions and 4 deletions


@@ -77,8 +77,8 @@ module ArrayTaintTracking {
succ = call.getReceiver().getALocalSource() and
call.getCalleeName() = ["push", "unshift"]
or
// `array.splice(i, del, e)`: if `e` is tainted, then so is `array`.
pred = call.getArgument(2) and
// `array.splice(i, del, ...items)`: if any item is tainted, then so is `array`.
pred = call.getArgument(any(int i | i >= 2)) and
succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
or
// `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
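Review bot: The new condition `pred = call.getArgument(any(int i | i >= 2))` models extra positional items, but the updated comment describes the call as `array.splice(i, del, ...items)`, which is a spread; whether `getArgument` yields the node for a spread element (rather than only explicit arguments) is not visible in this hunk, so either confirm that case or make the comment match what is modeled. A wording that matches the predicate as written would be `// \`array.splice(i, del, e1, e2, ...)\`: if any inserted element is tainted, then so is \`array\`.` The return value of `splice` (the array of removed elements) is also a read from `array`, and no read step for it appears here; if it is not handled elsewhere in the module, a step alongside the `pop`/`shift` case below would complete the model. The enclosing predicate starts before and ends after this hunk.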
@@ -274,14 +274,14 @@ private module ArrayDataFlow {
/**
* A step modeling that `splice` can insert elements into an array.
* For example in `array.splice(i, del, e)`: if `e` is tainted, then so is `array
* For example in `array.splice(i, del, ...items)`: if any item is tainted, then so is `array`
*/
private class ArraySpliceStep extends PreCallGraphStep {
override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
exists(DataFlow::MethodCallNode call |
call.getMethodName() = "splice" and
prop = arrayElement() and
element = call.getArgument(2) and
element = call.getArgument(any(int i | i >= 2)) and
call = obj.getAMethodCall()
)
}