mirror of
https://github.com/github/codeql.git
synced 2026-02-23 18:33:42 +01:00
<!DOCTYPE qhelp PUBLIC
  "-//Semmle//qhelp//EN"
  "qhelp.dtd">
<qhelp>

<overview>
<p>
It is very common to check whether a number is within the bounds of an array or string
using a comparison of the form <tt>i < array.length</tt>, and later perform an indexing
access <tt>array[i]</tt>.

If this comparison is mistyped as <tt>i < array</tt>, the array or string is coerced to a
number before the comparison, which almost never has the intended effect. An array with
more than one element, and any non-numeric string, converts to <tt>NaN</tt>, so the
comparison is false for every <tt>i</tt> and the guarded code never runs. A single-element
numeric array or a numeric string converts to that number instead, so the comparison may
succeed for indices well beyond the end of the array or string, and the subsequent
<tt>array[i]</tt> reads past its end.
</p>
</overview>
<recommendation>
<p>
If one of the operands is an array or a string, compare against its <tt>length</tt>,
not against the value itself.
</p>
</recommendation>
<example>
<p>
The following example shows a mistyped loop condition <tt>i < array</tt>:
</p>
<sample src="examples/MissingDotLengthInComparison.js" />
<p>
If the above is executed with <tt>array</tt> set to <tt>[3,5,7]</tt>, the loop will not run at all:
the array is converted to the string <tt>"3,5,7"</tt> and then to <tt>NaN</tt>, and
<tt>i < NaN</tt> is false for every value of <tt>i</tt>. The error can be corrected by
changing the loop condition to <tt>i < array.length</tt>:
</p>
<sample src="examples/MissingDotLengthInComparisonGood.js" />
</example>
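<p>
As an added example, not one of the query's own sample files, the following JavaScript runs the
mistyped loop and the corrected loop side by side and reports the number the right-hand operand is
actually coerced to. It generalises the <tt>[3,5,7]</tt> case above: a single-element numeric array
or a numeric string coerces to a usable number, so the mistyped loop then runs too far and reads past
the end of the array or string, which the <tt>NaN</tt> case hides. The function names and the sample
inputs are this example's own.
</p>

```javascript
// Added example, not part of the CodeQL query or its sample files.
// Function names and sample inputs below are this example's own.

// The mistyped loop: `i < array` coerces `array` to a number.
function runMistyped(array) {
  const visited = [];
  for (let i = 0; i < array; i++) {
    visited.push(array[i]); // reads past the end once i >= array.length
  }
  return visited;
}

// The corrected loop: bounded by `array.length`.
function runCorrect(array) {
  const visited = [];
  for (let i = 0; i < array.length; i++) {
    visited.push(array[i]);
  }
  return visited;
}

// The number that `i < operand` really compares `i` against: ToPrimitive turns
// an array into its comma-joined string, then ToNumber is applied.
// "3,5,7" and "abc" give NaN; "5", "12" and "" (empty array) give 5, 12 and 0.
function coercedBound(operand) {
  return Number(operand);
}

// Summarise both loops for one input: how many iterations each performs and
// how many of the mistyped loop's reads fell outside the valid index range.
function compareLoops(input) {
  const mistyped = runMistyped(input);
  const correct = runCorrect(input);
  return {
    coercedBound: coercedBound(input),
    mistypedIterations: mistyped.length,
    correctIterations: correct.length,
    outOfBoundsReads: Math.max(0, mistyped.length - input.length),
  };
}

// Constructed sample inputs: the page's case, a single-element array, an empty
// array, a non-numeric string and a numeric string.
const SAMPLE_INPUTS = [[3, 5, 7], [5], [], "abc", "12"];

for (const input of SAMPLE_INPUTS) {
  console.log(JSON.stringify(input), compareLoops(input));
}
```

<p>
For <tt>[3,5,7]</tt> and <tt>"abc"</tt> the mistyped loop performs zero iterations; for <tt>[5]</tt>
it performs five and for <tt>"12"</tt> twelve, every read beyond the real length returning
<tt>undefined</tt>. A reviewer checking a comparison should therefore not rely on the loop "obviously
never running": with the wrong operand the bound can silently become a larger number than the length.
</p>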
<references>
<li>Mozilla Developer Network:
<a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/length">Array.length</a>
</li>
</references>

</qhelp>