add model for the array-from polyfill

2026-05-01 03:35:13 +02:00 · 2021-07-15 10:51:55 +02:00
parent d34e748c83
commit f6f63e2811
4 changed files with 28 additions and 2 deletions
--- a/javascript/change-notes/2021-07-15-array-libs.md
+++ b/javascript/change-notes/2021-07-15-array-libs.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow through more array libraries.
+  Affected packages are
+    [array-from](https://npmjs.com/package/array-from)
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -68,7 +68,7 @@ module ArrayTaintTracking {
    succ = call
    or
    // `e = Array.from(x)`: if `x` is tainted, then so is `e`.
-    call = DataFlow::globalVarRef("Array").getAPropertyRead("from").getACall() and
+    call = arrayFromCall() and
    pred = call.getAnArgument() and
    succ = call
    or
@@ -97,7 +97,7 @@ private module ArrayDataFlow {
      DataFlow::Node pred, DataFlow::Node succ, string fromProp, string toProp
    ) {
      exists(DataFlow::CallNode call |
-        call = DataFlow::globalVarRef("Array").getAMemberCall("from") and
+        call = arrayFromCall() and
        pred = call.getArgument(0) and
        succ = call and
        fromProp = arrayLikeElement() and
@@ -298,3 +298,19 @@ private module ArrayDataFlow {
    }
  }
 }
+
+private import ArrayLibraries
+
+/**
+ * Classes and predicates modelling various libraries that work on arrays or array-like structures.
+ */
+private module ArrayLibraries {
+  /**
+   * Gets a call to `Array.from` or a polyfill implementing the same functionality.
+   */
+  DataFlow::CallNode arrayFromCall() {
+    result = DataFlow::globalVarRef("Array").getAMemberCall("from")
+    or
+    result = DataFlow::moduleImport("array-from").getACall()
+  }
+}
--- a/javascript/ql/test/library-tests/Arrays/DataFlow.expected
+++ b/javascript/ql/test/library-tests/Arrays/DataFlow.expected
@@ -7,6 +7,7 @@
 | arrays.js:2:16:2:23 | "source" | arrays.js:56:10:56:10 | x |
 | arrays.js:2:16:2:23 | "source" | arrays.js:60:10:60:10 | x |
 | arrays.js:2:16:2:23 | "source" | arrays.js:66:10:66:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:71:10:71:10 | x |
 | arrays.js:18:22:18:29 | "source" | arrays.js:18:50:18:50 | e |
 | arrays.js:22:15:22:22 | "source" | arrays.js:23:8:23:17 | arr2.pop() |
 | arrays.js:25:15:25:22 | "source" | arrays.js:26:8:26:17 | arr3.pop() |
--- a/javascript/ql/test/library-tests/Arrays/arrays.js
+++ b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -65,4 +65,9 @@
  for (const x of arr7) {
    sink(x); // NOT OK
  }
+
+  const arrayFrom = require("array-from");
+  for (const x of arrayFrom(arr)) {
+    sink(x); // NOT OK
+  }
 });