JS: Restrict domValueRef to known DOM property names

2025-12-20 10:46:30 +01:00 · 2020-06-10 15:10:10 +01:00
parent bb2b7fb6fb
commit f23c6030aa
2 changed files with 15 additions and 5 deletions
--- a/javascript/ql/src/semmle/javascript/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -291,11 +291,25 @@ module DOM {
     */
    abstract class Range extends DataFlow::Node { }

+    private string getADomPropertyName() {
+      exists(ExternalInstanceMemberDecl decl |
+        result = decl.getName() and
+        isDomRootType(decl.getDeclaringType().getASupertype*())
+      )
+    }
+
    private class DefaultRange extends Range {
      DefaultRange() {
        this.asExpr().(VarAccess).getVariable() instanceof DOMGlobalVariable
        or
-        this = domValueRef().getAPropertyRead()
+        exists(DataFlow::PropRead read |
+          this = read and
+          read = domValueRef().getAPropertyRead()
+        |
+          not read.mayHavePropertyName(_)
+          or
+          read.mayHavePropertyName(getADomPropertyName())
+        )
        or
        this = domElementCreationOrQuery()
        or