Merge pull request #1243 from asger-semmle/access-path-refinements

Approved by xiemaisi
2026-04-28 02:05:14 +02:00 · 2019-04-16 09:57:51 +01:00
parent 65e508ae3b b8ec7083d4
commit ff25a3ee5a
4 changed files with 34 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll
@@ -39,12 +39,23 @@ private PropertyName getPropertyName(PropAccess pacc) {
  )
 }

+private SsaVariable getRefinedVariable(SsaVariable variable) {
+  result = variable.getDefinition().(SsaRefinementNode).getAnInput()
+}
+
+private SsaVariable getARefinementOf(SsaVariable variable) {
+  variable = getRefinedVariable(result)
+}
+
 /**
 * A representation of a (nested) property access on an SSA variable
 * where each property name is either constant or itself an SSA variable.
 */
 private newtype TAccessPath =
-  MkSsaRoot(SsaVariable var) or
+  MkSsaRoot(SsaVariable var) {
+    not exists(getRefinedVariable(var))
+  }
+  or
  MkThisRoot(Function function) { function.getThisBinder() = function } or
  MkAccessStep(AccessPath base, PropertyName name) {
    exists(PropAccess pacc |
@@ -64,7 +75,7 @@ class AccessPath extends TAccessPath {
  Expr getAnInstanceIn(BasicBlock bb) {
    exists(SsaVariable var |
      this = MkSsaRoot(var) and
-      result = var.getAUseIn(bb)
+      result = getARefinementOf*(var).getAUseIn(bb)
    )
    or
    exists(ThisExpr this_ |
--- a/javascript/ql/test/library-tests/TaintBarriers/isBarrier.expected
+++ b/javascript/ql/test/library-tests/TaintBarriers/isBarrier.expected
@@ -17,7 +17,9 @@
 | tst.js:134:14:134:16 | v.p | ExampleConfiguration |
 | tst.js:136:14:136:18 | v.p.q | ExampleConfiguration |
 | tst.js:148:9:148:27 | v | ExampleConfiguration |
+| tst.js:149:14:149:14 | v | ExampleConfiguration |
 | tst.js:154:9:154:27 | v | ExampleConfiguration |
+| tst.js:157:14:157:14 | v | ExampleConfiguration |
 | tst.js:160:9:160:30 | v | ExampleConfiguration |
 | tst.js:160:35:160:56 | v | ExampleConfiguration |
 | tst.js:167:14:167:14 | v | ExampleConfiguration |
@@ -36,6 +38,7 @@
 | tst.js:284:14:284:14 | v | ExampleConfiguration |
 | tst.js:331:14:331:14 | v | ExampleConfiguration |
 | tst.js:356:16:356:27 | x10 | ExampleConfiguration |
+| tst.js:356:32:356:34 | x10 | ExampleConfiguration |
 | tst.js:361:14:361:14 | v | ExampleConfiguration |
 | tst.js:371:14:371:16 | o.p | ExampleConfiguration |
 | tst.js:378:14:378:17 | o[p] | ExampleConfiguration |
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -1,3 +1,4 @@
+| access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
 | addexpr.js:11:15:11:22 | source() | addexpr.js:21:8:21:12 | value |
 | advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
--- a/javascript/ql/test/library-tests/TaintTracking/access-path-sanitizer.js
+++ b/javascript/ql/test/library-tests/TaintTracking/access-path-sanitizer.js
@@ -0,0 +1,17 @@
+function foo() {
+  let obj = { x: source() };
+  
+  sink(obj.x); // NOT OK
+
+  if (isSafe(obj.x)) {
+    sink(obj.x); // OK
+  }
+
+  if (typeof obj === "object" && isSafe(obj.x)) {
+    sink(obj.x); // OK
+  }
+
+  if (isSafe(obj.x) && typeof obj === "object") {
+    sink(obj.x); // OK
+  }
+}