JS: Add explicit model of .join()

2026-04-21 23:14:03 +02:00 · 2024-08-12 13:14:18 +02:00
parent fa7ad03068
commit ed33a6e91b
1 changed files with 22 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll
@@ -1,7 +1,7 @@
 /**
- * Contains a summary for relevant methods on arrays, except Array.prototype.join which is currently special-cased in StringConcatenation.qll.
+ * Contains a summary for relevant methods on arrays.
 *
- * Note that some of Array methods are modelled in `AmbiguousCoreMethods.qll`, and `join` and `toString` are special-cased elsewhere.
+ * Note that some of Array methods are modelled in `AmbiguousCoreMethods.qll`, and `toString` is special-cased elsewhere.
 */

 private import javascript
@@ -116,6 +116,26 @@ class ArrayConstructorSummary extends SummarizedCallable {
  }
 }

+/**
+ * A call to `join` with a separator argument.
+ *
+ * Calls without separators are modelled in `StringConcatenation.qll`.
+ */
+class Join extends SummarizedCallable {
+  Join() { this = "Array#join" }
+
+  override InstanceCall getACallSimple() {
+    result.getMethodName() = "join" and
+    result.getNumArgument() = [0, 1]
+  }
+
+  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+    preservesValue = false and
+    input = "Argument[this].ArrayElement" and
+    output = "ReturnValue"
+  }
+}
+
 class CopyWithin extends SummarizedCallable {
  CopyWithin() { this = "Array#copyWithin" }