JS: Restrict domValueRef to known DOM property names

2025-12-20 10:46:30 +01:00 · 2020-06-10 15:10:10 +01:00
parent bb2b7fb6fb
commit f23c6030aa
2 changed files with 15 additions and 5 deletions
--- a/javascript/ql/src/semmle/javascript/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -291,11 +291,25 @@ module DOM {
     */
    abstract class Range extends DataFlow::Node { }

+    private string getADomPropertyName() {
+      exists(ExternalInstanceMemberDecl decl |
+        result = decl.getName() and
+        isDomRootType(decl.getDeclaringType().getASupertype*())
+      )
+    }
+
    private class DefaultRange extends Range {
      DefaultRange() {
        this.asExpr().(VarAccess).getVariable() instanceof DOMGlobalVariable
        or
-        this = domValueRef().getAPropertyRead()
+        exists(DataFlow::PropRead read |
+          this = read and
+          read = domValueRef().getAPropertyRead()
+        |
+          not read.mayHavePropertyName(_)
+          or
+          read.mayHavePropertyName(getADomPropertyName())
+        )
        or
        this = domElementCreationOrQuery()
        or
--- a/javascript/ql/test/library-tests/DOM/Customizations.expected
+++ b/javascript/ql/test/library-tests/DOM/Customizations.expected
@@ -4,9 +4,5 @@ test_locationRef
 | customization.js:3:3:3:14 | doc.location |
 test_domValueRef
 | customization.js:4:3:4:28 | doc.get ... 'test') |
-| tst.js:45:8:45:7 | this |
-| tst.js:46:7:46:12 | this.x |
 | tst.js:49:3:49:8 | window |
 | tst.js:50:3:50:8 | window |
-| tst.js:50:3:50:14 | window.myApp |
-| tst.js:50:3:50:18 | window.myApp.foo |