JS: Support Reflect.ownKeys

2026-04-21 23:14:03 +02:00 · 2019-11-21 12:03:22 +00:00
parent 8af233307a
commit f7543aec95
3 changed files with 115 additions and 4 deletions
--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -71,7 +71,7 @@ abstract class EnumeratedPropName extends DataFlow::Node {
 }

 /**
- * Property enumeration through `for-in` for `Object.keys` or `Object.getOwnPropertyName`.
+ * Property enumeration through `for-in` for `Object.keys` or similar.
 */
 class ForInEnumeratedPropName extends EnumeratedPropName {
  DataFlow::Node object;
@@ -82,9 +82,13 @@ class ForInEnumeratedPropName extends EnumeratedPropName {
      object = stmt.getIterationDomain().flow()
    )
    or
-    exists(CallNode call, string name |
-      call = globalVarRef("Object").getAMemberCall(name) and
-      (name = "keys" or name = "getOwnPropertyNames") and
+    exists(CallNode call |
+      call = globalVarRef("Object").getAMemberCall("keys")
+      or
+      call = globalVarRef("Object").getAMemberCall("getOwnPropertyNames")
+      or
+      call = globalVarRef("Reflect").getAMemberCall("ownKeys")
+    |
      object = call.getArgument(0) and
      this = getAnEnumeratedArrayElement(call)
    )