Merge pull request #1214 from asger-semmle/taint-addexpr-phi

Approved by esben-semmle, xiemaisi
2026-04-27 17:55:19 +02:00 · 2019-04-08 11:55:06 +01:00
parent 6e7ae8a0a9 e55330b820
commit f54366bf95
7 changed files with 55 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/StringConcatenation.qll
+++ b/javascript/ql/src/semmle/javascript/StringConcatenation.qll
@@ -10,7 +10,7 @@ module StringConcatenation {
    result = expr.flow()
    or
    exists(SsaExplicitDefinition def | def.getDef() = expr |
-      result = DataFlow::valueNode(def.getVariable().getAUse())
+      result = DataFlow::ssaDefinitionNode(def)
    )
  }

--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -366,7 +366,9 @@ module TaintTracking {
   * Note that since we cannot easily distinguish string append from addition,
   * we consider any `+` operation to propagate taint.
   */
-  class StringConcatenationTaintStep extends AdditionalTaintStep, DataFlow::ValueNode {
+  class StringConcatenationTaintStep extends AdditionalTaintStep {
+    StringConcatenationTaintStep() { StringConcatenation::taintStep(_, this) }
+
    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
      succ = this and
      StringConcatenation::taintStep(pred, succ)