JavaScript: Switch detection of callback-based string replacement to data flow.

Max Schaefer · Max Schaefer · commit 83f5b614e9e5 · 2019-11-22T09:24:34.000Z
diff --git a/javascript/ql/src/semmle/javascript/StandardLibrary.qll b/javascript/ql/src/semmle/javascript/StandardLibrary.qll
@@ -281,7 +281,7 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
   }
 
   /**
-   * Holds if this is a global replacement, that is, the first argument is a regulare expression
+   * Holds if this is a global replacement, that is, the first argument is a regular expression
    * with the `g` flag.
    */
   predicate isGlobal() {
@@ -303,7 +303,7 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
       replacer.getParameter(0).flowsToExpr(pr.getPropertyNameExpr()) and
       pr = map.getAPropertyRead() and
       pr.flowsTo(replacer.getAReturn()) and
-      map.asExpr().(ObjectExpr).getPropertyByName(old).getInit().getStringValue() = new
+      map.hasPropertyWrite(old, any(DataFlow::Node repl | repl.getStringValue() = new))
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -281,7 +281,7 @@ class StringReplaceCall extends DataFlow::MethodCallNode {`
`281`	`281`	`}`
`282`	`282`
`283`	`283`	`/**`
`284`		`- * Holds if this is a global replacement, that is, the first argument is a regulare expression`
	`284`	`+ * Holds if this is a global replacement, that is, the first argument is a regular expression`
`285`	`285`	* with the `g` flag.
`286`	`286`	`*/`
`287`	`287`	`predicate isGlobal() {`
`@@ -303,7 +303,7 @@ class StringReplaceCall extends DataFlow::MethodCallNode {`
`303`	`303`	`replacer.getParameter(0).flowsToExpr(pr.getPropertyNameExpr()) and`
`304`	`304`	`pr = map.getAPropertyRead() and`
`305`	`305`	`pr.flowsTo(replacer.getAReturn()) and`
`306`		`- map.asExpr().(ObjectExpr).getPropertyByName(old).getInit().getStringValue() = new`
	`306`	`+ map.hasPropertyWrite(old, any(DataFlow::Node repl \| repl.getStringValue() = new))`
`307`	`307`	`)`
`308`	`308`	`}`
`309`	`309`	`}`