Add flow summaries for TypedArray methods set and subarray

Napalys
2025-04-07 13:43:50 +02:00
parent d689a55229
commit ff07ec8d8c
3 changed files with 33 additions and 7 deletions


@@ -36,3 +36,32 @@ class BufferTypedArray extends DataFlow::AdditionalFlowStep {
)
}
}
class SetLike extends SummarizedCallable {
SetLike() { this = "TypedArray#set" }
override InstanceCall getACall() {
result = typedArrayConstructorRef().getAnInstantiation().getReturn().getMember("set").getACall()
}
override predicate propagatesFlow(string input, string output, boolean preservesValue) {
preservesValue = true and
input = "Argument[0].ArrayElement" and
output = "Argument[this].ArrayElement"
}
}
class SubArrayLike extends SummarizedCallable {
SubArrayLike() { this = "TypedArray#subarray" }
override InstanceCall getACall() {
result =
typedArrayConstructorRef().getAnInstantiation().getReturn().getMember("subarray").getACall()
}
override predicate propagatesFlow(string input, string output, boolean preservesValue) {
preservesValue = true and
input = "Argument[this].ArrayElement" and
output = "ReturnValue.ArrayElement"
}
}
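Review bot: Both `getACall()` predicates only match receivers reached through `typedArrayConstructorRef().getAnInstantiation().getReturn()`, so a typed array obtained any other way gets no summary and taint through it is silently dropped. The test section of this commit appears to remove the `new y.constructor(y.length)` / `clone.set(y)` case rather than keep it as a known gap; I would keep those lines with `sink(clone); // NOT OK - but not found` so the false negative stays visible in the expected output. The same probably applies to a `set` call on the result of `subarray`, unless `typedArrayConstructorRef()` (defined outside this hunk) already covers such values. Both classes also lack QLDoc; for `SetLike` something like `/** A flow summary for TypedArray.prototype.set, which copies the elements of its first argument into the receiver. */`, with the analogous comment on `SubArrayLike`.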


@@ -38,14 +38,13 @@ legacyDataFlowDifference
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:5:10:5:10 | y | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:7:10:7:17 | y.buffer | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z | only flow with NEW data flow library |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub | only flow with NEW data flow library |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x | only flow with NEW data flow library |
consistencyIssue
| nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
| stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
| stringification-read-steps.js:25 | expected an alert, but found none | NOT OK | Consistency |
| typed-arrays.js:15 | expected an alert, but found none | NOT OK | Consistency |
| typed-arrays.js:18 | expected an alert, but found none | NOT OK | Consistency |
| typed-arrays.js:22 | expected an alert, but found none | NOT OK | Consistency |
flow
| access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
| addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
@@ -334,6 +333,8 @@ flow
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:5:10:5:10 | y |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:7:10:7:17 | y.buffer |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z |
| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured |
| use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x |
| xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |


@@ -16,8 +16,4 @@ function test() {
const sub = y.subarray(1, 3)
sink(sub); // NOT OK
const clone = new y.constructor(y.length);
clone.set(y);
sink(clone); // NOT OK
}