JS: Add tests for captured 'this' (genuine FN)

asgerf · asgerf · commit 0d3cf90055c2 · 2023-10-09T13:58:31.000+02:00
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -7,6 +7,9 @@ legacyDataFlowDifference
 | callbacks.js:44:17:44:24 | source() | callbacks.js:38:35:38:35 | x | only flow with NEW data flow library |
 | capture-flow.js:89:13:89:20 | source() | capture-flow.js:89:6:89:21 | test3c(source()) | only flow with NEW data flow library |
 | capture-flow.js:101:12:101:19 | source() | capture-flow.js:102:6:102:20 | test5("safe")() | only flow with OLD data flow library |
+| capture-flow.js:274:33:274:40 | source() | capture-flow.js:272:10:272:17 | this.foo | only flow with OLD data flow library |
+| capture-flow.js:274:33:274:40 | source() | capture-flow.js:274:6:274:45 | new Cap ... ()).foo | only flow with OLD data flow library |
+| capture-flow.js:283:34:283:41 | source() | capture-flow.js:284:6:284:44 | new Cap ... e').foo | only flow with NEW data flow library |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:40:8:40:14 | e.taint | only flow with NEW data flow library |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:44:8:44:19 | f_safe.taint | only flow with NEW data flow library |
 | constructor-calls.js:20:15:20:22 | source() | constructor-calls.js:39:8:39:14 | e.param | only flow with NEW data flow library |
@@ -113,6 +116,9 @@ flow
 | capture-flow.js:259:23:259:30 | source() | capture-flow.js:248:18:248:27 | this.field |
 | capture-flow.js:259:23:259:30 | source() | capture-flow.js:252:14:252:36 | objectW ... s.field |
 | capture-flow.js:259:23:259:30 | source() | capture-flow.js:253:14:253:23 | this.field |
+| capture-flow.js:262:16:262:23 | source() | capture-flow.js:264:14:264:21 | this.foo |
+| capture-flow.js:283:34:283:41 | source() | capture-flow.js:283:6:283:46 | new Cap ... ()).foo |
+| capture-flow.js:283:34:283:41 | source() | capture-flow.js:284:6:284:44 | new Cap ... e').foo |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | case.js:2:16:2:23 | source() | case.js:5:8:5:35 | changeC ... source) |
 | case.js:2:16:2:23 | source() | case.js:8:8:8:24 | camelCase(source) |
diff --git a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
@@ -9,6 +9,8 @@ legacyDataFlowDifference
 | callbacks.js:44:17:44:24 | source() | callbacks.js:38:35:38:35 | x | only flow with NEW data flow library |
 | capture-flow.js:89:13:89:20 | source() | capture-flow.js:89:6:89:21 | test3c(source()) | only flow with NEW data flow library |
 | capture-flow.js:101:12:101:19 | source() | capture-flow.js:102:6:102:20 | test5("safe")() | only flow with OLD data flow library |
+| capture-flow.js:274:33:274:40 | source() | capture-flow.js:272:10:272:17 | this.foo | only flow with OLD data flow library |
+| capture-flow.js:274:33:274:40 | source() | capture-flow.js:274:6:274:45 | new Cap ... ()).foo | only flow with OLD data flow library |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:40:8:40:14 | e.taint | only flow with NEW data flow library |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:44:8:44:19 | f_safe.taint | only flow with NEW data flow library |
 | constructor-calls.js:20:15:20:22 | source() | constructor-calls.js:39:8:39:14 | e.param | only flow with NEW data flow library |
@@ -90,6 +92,8 @@ flow
 | capture-flow.js:259:23:259:30 | source() | capture-flow.js:248:18:248:27 | this.field |
 | capture-flow.js:259:23:259:30 | source() | capture-flow.js:252:14:252:36 | objectW ... s.field |
 | capture-flow.js:259:23:259:30 | source() | capture-flow.js:253:14:253:23 | this.field |
+| capture-flow.js:262:16:262:23 | source() | capture-flow.js:264:14:264:21 | this.foo |
+| capture-flow.js:283:34:283:41 | source() | capture-flow.js:283:6:283:46 | new Cap ... ()).foo |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:24:8:24:14 | c.taint |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:28:8:28:19 | c_safe.taint |
diff --git a/javascript/ql/test/library-tests/TaintTracking/capture-flow.js b/javascript/ql/test/library-tests/TaintTracking/capture-flow.js
@@ -257,3 +257,28 @@ function testObjectWithMethods(taint) {
     objectWithMethods.functionAddedLater();
 }
 testObjectWithMethods(source());
+
+function captureThis() {
+    this.foo = source();
+    window.addEventListener('click', () => {
+        sink(this.foo); // NOT OK
+    });
+}
+
+function CaptureThisWithoutJump(x) {
+    [1].forEach(() => {
+        this.foo = x;
+    });
+    sink(this.foo); // NOT OK [INCONSISTENCY]
+}
+sink(new CaptureThisWithoutJump(source()).foo); // NOT OK [INCONSISTENCY]
+sink(new CaptureThisWithoutJump('safe').foo); // OK
+
+function CaptureThisWithoutJump2(x) {
+    this.foo = x;
+    let y;
+    [1].forEach(() => y = this.foo);
+    return y;
+}
+sink(new CaptureThisWithoutJump2(source()).foo); // NOT OK
+sink(new CaptureThisWithoutJump2('safe').foo); // OK [INCONSISTENCY]
