JS: Add: taint step to handle propagation of data flow from the array to callback

Napalys · Napalys · commit 28ead4011abb · 2024-11-19T14:15:15.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/Arrays.qll b/javascript/ql/lib/semmle/javascript/Arrays.qll
@@ -492,7 +492,20 @@ private module ArrayLibraries {
       exists(DataFlow::MethodCallNode call |
         call.getMethodName() = ["findLast", "find", "findLastIndex"] and
         prop = arrayLikeElement() and
-        obj = call.getReceiver() and
+        obj = call.getReceiver().getALocalSource() and
+        element = call.getCallback(0).getParameter(0)
+      )
+    }
+  }
+
+  /**
+   * This step models the propagation of data from the array to the callback function's parameter.
+   */
+  private class ArrayCallBackDataTaintStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node obj, DataFlow::Node element) {
+      exists(DataFlow::MethodCallNode call |
+        call.getMethodName() = ["findLast", "find", "findLastIndex"] and
+        obj = call.getReceiver().getALocalSource() and
         element = call.getCallback(0).getParameter(0)
       )
     }
diff --git a/javascript/ql/test/library-tests/Arrays/TaintFlow.expected b/javascript/ql/test/library-tests/Arrays/TaintFlow.expected
@@ -35,5 +35,8 @@
 | arrays.js:120:19:120:26 | "source" | arrays.js:121:46:121:49 | item |
 | arrays.js:120:19:120:26 | "source" | arrays.js:122:10:122:16 | element |
 | arrays.js:126:19:126:26 | "source" | arrays.js:127:55:127:58 | item |
+| arrays.js:131:17:131:24 | source() | arrays.js:132:46:132:49 | item |
 | arrays.js:131:17:131:24 | source() | arrays.js:133:10:133:17 | element1 |
+| arrays.js:137:17:137:24 | source() | arrays.js:138:50:138:53 | item |
 | arrays.js:137:17:137:24 | source() | arrays.js:139:10:139:17 | element1 |
+| arrays.js:143:17:143:24 | source() | arrays.js:144:55:144:58 | item |
diff --git a/javascript/ql/test/library-tests/Arrays/arrays.js b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -129,19 +129,19 @@
   }
   {
     const arr = source();
-    const element1 = arr.find((item) => sink(item)); // NOT OK - only found with taint-tracking.
+    const element1 = arr.find((item) => sink(item)); // NOT OK
     sink(element1); // NOT OK
   }
 
   {
     const arr = source();
-    const element1 = arr.findLast((item) => sink(item)); // NOT OK - only found with taint-tracking.
+    const element1 = arr.findLast((item) => sink(item)); // NOT OK
     sink(element1); // NOT OK
   }
   
   {
     const arr = source();
-    const element1 = arr.findLastIndex((item) => sink(item)); // NOT OK - only found with taint-tracking.
+    const element1 = arr.findLastIndex((item) => sink(item)); // NOT OK
     sink(element1); // OK
   }
 });

Original file line number	Diff line number	Diff line change
`@@ -129,19 +129,19 @@`
`129`	`129`	`}`
`130`	`130`	`{`
`131`	`131`	`const arr = source();`
`132`		`- const element1 = arr.find((item) => sink(item)); // NOT OK - only found with taint-tracking.`
	`132`	`+ const element1 = arr.find((item) => sink(item)); // NOT OK`
`133`	`133`	`sink(element1); // NOT OK`
`134`	`134`	`}`
`135`	`135`
`136`	`136`	`{`
`137`	`137`	`const arr = source();`
`138`		`- const element1 = arr.findLast((item) => sink(item)); // NOT OK - only found with taint-tracking.`
	`138`	`+ const element1 = arr.findLast((item) => sink(item)); // NOT OK`
`139`	`139`	`sink(element1); // NOT OK`
`140`	`140`	`}`
`141`	`141`
`142`	`142`	`{`
`143`	`143`	`const arr = source();`
`144`		`- const element1 = arr.findLastIndex((item) => sink(item)); // NOT OK - only found with taint-tracking.`
	`144`	`+ const element1 = arr.findLastIndex((item) => sink(item)); // NOT OK`
`145`	`145`	`sink(element1); // OK`
`146`	`146`	`}`
`147`	`147`	`});`