Skip to content

Commit 73dd4c8

Browse files
semmle-qlcisemmle-qlci
authored
Merge pull request #3133 from asger-semmle/js/dictionary-taint-step-regression
Approved by esbena
2 parents 93f7c95 + a317b87 commit 73dd4c8

File tree

1 file changed

+15
-15
lines changed

1 file changed

+15
-15
lines changed

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

Lines changed: 15 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -287,32 +287,32 @@ module TaintTracking {
287287
/**
288288
* A taint propagating data flow edge for assignments of the form `o[k] = v`, where
289289
* `k` is not a constant and `o` refers to some object literal; in this case, we consider
290-
* taint to flow from `v` to any variable that refers to the object literal.
290+
* taint to flow from `v` to that object literal.
291291
*
292292
* The rationale for this heuristic is that if properties of `o` are accessed by
293293
* computed (that is, non-constant) names, then `o` is most likely being treated as
294294
* a map, not as a real object. In this case, it makes sense to consider the entire
295295
* map to be tainted as soon as one of its entries is.
296296
*/
297-
private class DictionaryTaintStep extends AdditionalTaintStep, DataFlow::ValueNode {
298-
override VarAccess astNode;
299-
DataFlow::Node source;
300-
301-
DictionaryTaintStep() {
302-
exists(AssignExpr assgn, IndexExpr idx, AbstractObjectLiteral obj |
303-
assgn.getTarget() = idx and
304-
idx.getBase().analyze().getAValue() = obj and
305-
not exists(idx.getPropertyName()) and
306-
astNode.analyze().getAValue() = obj and
307-
source = DataFlow::valueNode(assgn.getRhs())
308-
)
309-
}
297+
private class DictionaryTaintStep extends AdditionalTaintStep {
298+
DictionaryTaintStep() { dictionaryTaintStep(_, this) }
310299

311300
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
312-
pred = source and succ = this
301+
succ = this and
302+
dictionaryTaintStep(pred, succ)
313303
}
314304
}
315305

306+
/** Holds if there is a step `pred -> succ` used by `DictionaryTaintStep`. */
307+
private predicate dictionaryTaintStep(DataFlow::Node pred, DataFlow::ObjectLiteralNode succ) {
308+
exists(AssignExpr assgn, IndexExpr idx |
309+
assgn.getTarget() = idx and
310+
succ.flowsToExpr(idx.getBase()) and
311+
not exists(idx.getPropertyName()) and
312+
pred = DataFlow::valueNode(assgn.getRhs())
313+
)
314+
}
315+
316316
/**
317317
* A taint propagating data flow edge for assignments of the form `c1.state.p = v`,
318318
* where `c1` is an instance of React component `C`; in this case, we consider

0 commit comments

Comments
 (0)