mirror of
https://github.com/github/codeql.git
synced 2026-02-01 07:42:57 +01:00
41 lines
1.5 KiB
Plaintext
41 lines
1.5 KiB
Plaintext
/**
|
|
* @name Property access on null or undefined
|
|
* @description Trying to access a property of "null" or "undefined" will result
|
|
* in a runtime exception.
|
|
* @kind problem
|
|
* @problem.severity error
|
|
* @id js/property-access-on-non-object
|
|
* @tags correctness
|
|
* external/cwe/cwe-476
|
|
* @precision high
|
|
*/
|
|
|
|
import javascript
|
|
private import semmle.javascript.dataflow.InferredTypes
|
|
|
|
/**
|
|
* Holds if `e` is a direct reference to a const enum or namespace declaration.
|
|
*
|
|
* Reference to const enum members are constant-folded by the TypeScript compiler,
|
|
* even if the surrounding namespace object would not have been initialized at that point.
|
|
*
|
|
* If the base expression of a property access is a namespace, we can't currently tell
|
|
* if it is part of a const enum access, so we conservatively silence the alert in that case.
|
|
*/
|
|
predicate namespaceOrConstEnumAccess(VarAccess e) {
|
|
exists(NamespaceDeclaration decl | e.getVariable().getADeclaration() = decl.getIdentifier())
|
|
or
|
|
exists(EnumDeclaration decl | e.getVariable().getADeclaration() = decl.getIdentifier() |
|
|
decl.isConst()
|
|
)
|
|
}
|
|
|
|
from PropAccess pacc, DataFlow::AnalyzedNode base
|
|
where
|
|
base.asExpr() = pacc.getBase() and
|
|
forex(InferredType tp | tp = base.getAType() | tp = TTNull() or tp = TTUndefined()) and
|
|
not namespaceOrConstEnumAccess(pacc.getBase()) and
|
|
not pacc.isAmbient() and
|
|
not pacc instanceof OptionalUse
|
|
select pacc, "The base expression of this property access is always " + base.ppTypes() + "."
|