use small steps in TypeBackTracker correctly

2026-05-01 19:55:15 +02:00 · 2022-07-11 16:22:54 +02:00
parent 2aaedacd5d
commit fd10947ca0
5 changed files with 23 additions and 3 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/TypeTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TypeTracking.qll
@@ -312,7 +312,7 @@ class TypeBackTracker extends TTypeBackTracker {
   *   result = < some API call >.getArgument(< n >)
   *   or
   *   exists (DataFlow::TypeBackTracker t2 |
-   *     t = t2.smallstep(result, myType(t2))
+   *     t2 = t.smallstep(result, myType(t2))
   *   )
   * }
   *
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -80,7 +80,7 @@ module UnsafeHtmlConstruction {
    t.start() and
    result = sink
    or
-    exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, isUsedInXssSink(t2, sink)))
+    exists(DataFlow::TypeBackTracker t2 | t2 = t.smallstep(result, isUsedInXssSink(t2, sink)))
    or
    exists(DataFlow::TypeBackTracker t2 |
      t.continue() = t2 and