change succ in storeStep to be a SourceNode

2026-04-26 01:05:15 +02:00 · 2020-04-15 20:40:58 +02:00
parent 6827b84bdc
commit fd51142200
5 changed files with 29 additions and 30 deletions
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -155,10 +155,10 @@ private module ArrayDataFlow {
      this.getMethodName() = "unshift"
    }

-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      prop = arrayElement() and
      element = this.getAnArgument() and
-      obj = this.getReceiver().getALocalSource()
+      obj.getAMethodCall() = this
    }
  }

@@ -188,10 +188,10 @@ private module ArrayDataFlow {
      element = this
    }

-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      prop = arrayElement() and
      element = this.(DataFlow::PropWrite).getRhs() and
-      this = obj.(DataFlow::SourceNode).getAPropertyWrite()
+      this = obj.getAPropertyWrite()
    }
  }

@@ -234,7 +234,7 @@ private module ArrayDataFlow {
      element = getCallback(0).getParameter(0)
    }

-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      this.getMethodName() = "map" and
      prop = arrayElement() and
      element = this.getCallback(0).getAReturn() and
@@ -254,7 +254,7 @@ private module ArrayDataFlow {
  private class ArrayCreationStep extends DataFlow::AdditionalFlowStep, DataFlow::Node {
    ArrayCreationStep() { this instanceof DataFlow::ArrayCreationNode }

-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      prop = arrayElement() and
      element = this.(DataFlow::ArrayCreationNode).getAnElement() and
      obj = this
@@ -268,10 +268,10 @@ private module ArrayDataFlow {
  private class ArraySpliceStep extends DataFlow::AdditionalFlowStep, DataFlow::MethodCallNode {
    ArraySpliceStep() { this.getMethodName() = "splice" }

-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      prop = arrayElement() and
      element = getArgument(2) and
-      obj = this.getReceiver().getALocalSource()
+      this = obj.getAMethodCall()
    }
  }

--- a/javascript/ql/src/semmle/javascript/Collections.qll
+++ b/javascript/ql/src/semmle/javascript/Collections.qll
@@ -52,9 +52,9 @@ abstract private class CollectionFlowStep extends DataFlow::AdditionalFlowStep {
  /**
   * Holds if `pred` should be stored in the object `succ` under the property `prop`.
   */
-  predicate store(DataFlow::Node pred, DataFlow::Node succ, PseudoProperty prop) { none() }
+  predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, PseudoProperty prop) { none() }

-  final override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+  final override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
    this.store(pred, succ, prop)
  }

@@ -132,8 +132,8 @@ private module CollectionDataFlow {
  private class SetAdd extends CollectionFlowStep, DataFlow::MethodCallNode {
    SetAdd() { this.getMethodName() = "add" }

-    override predicate store(DataFlow::Node element, DataFlow::Node obj, PseudoProperty prop) {
-      this = obj.(DataFlow::SourceNode).getAMethodCall() and
+    override predicate store(DataFlow::Node element, DataFlow::SourceNode obj, PseudoProperty prop) {
+      this = obj.getAMethodCall() and
      element = this.getArgument(0) and
      prop = setElement()
    }
@@ -226,8 +226,8 @@ private module CollectionDataFlow {
  class MapSet extends CollectionFlowStep, DataFlow::MethodCallNode {
    MapSet() { this.getMethodName() = "set" }

-    override predicate store(DataFlow::Node element, DataFlow::Node obj, PseudoProperty prop) {
-      this = obj.(DataFlow::SourceNode).getAMethodCall() and
+    override predicate store(DataFlow::Node element, DataFlow::SourceNode obj, PseudoProperty prop) {
+      this = obj.getAMethodCall() and
      element = this.getArgument(1) and
      prop = getAPseudoProperty()
    }
--- a/javascript/ql/src/semmle/javascript/Promises.qll
+++ b/javascript/ql/src/semmle/javascript/Promises.qll
@@ -232,9 +232,9 @@ abstract private class PromiseFlowStep extends DataFlow::AdditionalFlowStep {
  /**
   * Holds if `pred` should be stored in the object `succ` under the property `prop`.
   */
-  predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }

-  final override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+  final override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
    this.store(pred, succ, prop)
  }

@@ -273,7 +273,7 @@ private module PromiseFlow {

    PromiseDefitionStep() { this = promise }

-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      prop = valueProp() and
      pred = promise.getResolveParameter().getACall().getArgument(0) and
      succ = this
@@ -302,7 +302,7 @@ private module PromiseFlow {

    CreationStep() { this = promise }

-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      prop = valueProp() and
      pred = promise.getValue() and
      succ = this
@@ -368,7 +368,7 @@ private module PromiseFlow {
      succ = this
    }

-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      prop = valueProp() and
      pred = getCallback([0 .. 1]).getAReturn() and
      succ = this
@@ -402,7 +402,7 @@ private module PromiseFlow {
      succ = this
    }

-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      prop = errorProp() and
      pred = getCallback(0).getExceptionalReturn() and
      succ = this
@@ -430,7 +430,7 @@ private module PromiseFlow {
      succ = this
    }

-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      prop = errorProp() and
      pred = getCallback(0).getExceptionalReturn() and
      succ = this
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -244,8 +244,11 @@ abstract class Configuration extends string {
   * EXPERIMENTAL. This API may change in the future.
   *
   * Holds if `pred` should be stored in the object `succ` under the property `prop`.
+   * The object `succ` must be a `DataFlow::SourceNode` for the object wherein the value is stored.
   */
-  predicate isAdditionalStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate isAdditionalStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
+    none()
+  }

  /**
   * EXPERIMENTAL. This API may change in the future.
@@ -540,9 +543,10 @@ abstract class AdditionalFlowStep extends DataFlow::Node {
   * EXPERIMENTAL. This API may change in the future.
   *
   * Holds if `pred` should be stored in the object `succ` under the property `prop`.
+   * The object `succ` must be a `DataFlow::SourceNode` for the object wherein the value is stored.
   */
  cached
-  predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }

  /**
   * EXPERIMENTAL. This API may change in the future.
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -603,15 +603,10 @@ module TaintTracking {
     * 3) A `URLSearchParams` object (either `url.searchParams` or `new URLSearchParams(input)`) has a tainted value,
     *    which can be accessed using a `get` or `getAll` call. (See getableUrlPseudoProperty())
     */
-    override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      succ = this and
      (
-        (
-          prop = "searchParams" or
-          prop = "hash" or
-          prop = "search" or
-          prop = hiddenUrlPseudoProperty()
-        ) and
+        prop = ["searchParams", "hash", "search", hiddenUrlPseudoProperty()] and
        exists(DataFlow::NewNode newUrl | succ = newUrl |
          newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
          pred = newUrl.getArgument(0)