JS: Detect property enumeration through for-own

asgerf · asgerf · commit 34a9dce33d72 · 2020-02-06T14:59:52.000Z
diff --git a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -120,6 +120,30 @@ class EntriesEnumeratedPropName extends EnumeratedPropName {
   }
 }
 
+/**
+ * Property enumeration through the `for-own` package.
+ */
+class ForOwnEnumeratedPropName extends EnumeratedPropName {
+  CallNode call;
+  FunctionNode callback;
+
+  ForOwnEnumeratedPropName() {
+    call = moduleImport("for-own").getACall() and
+    callback = call.getCallback(1) and
+    this = callback.getParameter(1)
+  }
+
+  override Node getSourceObject() {
+    result = call.getArgument(0)
+  }
+
+  override SourceNode getASourceProp() {
+    result = super.getASourceProp()
+    or
+    result = callback.getParameter(0)
+  }
+}
+
 /**
  * Holds if the properties of `node` are enumerated locally.
  */
