JS: Lower access path limit to 2

asgerf · asgerf · commit 9d2672fa639e · 2023-10-11T13:12:00.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
@@ -879,7 +879,7 @@ predicate isUnreachableInCall(Node n, DataFlowCall call) {
   none() // TODO: could be useful, but not currently implemented for JS
 }
 
-int accessPathLimit() { result = 5 }
+int accessPathLimit() { result = 2 }
 
 /**
  * Holds if flow is allowed to pass from parameter `p` and back to itself as a
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -16,16 +16,16 @@ legacyDataFlowDifference
 | exceptions.js:53:14:53:21 | source() | exceptions.js:54:10:54:10 | e | only flow with NEW data flow library |
 | getters-and-setters.js:53:21:53:28 | source() | getters-and-setters.js:53:10:53:30 | getX(ne ... rce())) | only flow with NEW data flow library |
 | nested-props.js:14:15:14:22 | source() | nested-props.js:15:10:15:16 | obj.x.y | only flow with NEW data flow library |
-| nested-props.js:19:17:19:24 | source() | nested-props.js:20:10:20:18 | obj.x.y.z | only flow with NEW data flow library |
 | nested-props.js:27:18:27:25 | source() | nested-props.js:28:10:28:14 | obj.x | only flow with NEW data flow library |
 | nested-props.js:51:22:51:29 | source() | nested-props.js:52:10:52:16 | obj.x.y | only flow with NEW data flow library |
 | object-bypass-sanitizer.js:35:29:35:36 | source() | object-bypass-sanitizer.js:23:14:23:20 | obj.foo | only flow with OLD data flow library |
 | object-bypass-sanitizer.js:35:29:35:36 | source() | object-bypass-sanitizer.js:28:10:28:30 | sanitiz ... bj).foo | only flow with OLD data flow library |
 | promise.js:12:20:12:27 | source() | promise.js:13:8:13:23 | resolver.promise | only flow with OLD data flow library |
 | sanitizer-guards.js:57:11:57:18 | source() | sanitizer-guards.js:64:8:64:8 | x | only flow with NEW data flow library |
-| stringification-read-steps.js:7:22:7:29 | source() | stringification-read-steps.js:17:10:17:31 | JSON.st ... object) | only flow with NEW data flow library |
-| stringification-read-steps.js:7:22:7:29 | source() | stringification-read-steps.js:25:10:25:31 | JSON.st ... object) | only flow with NEW data flow library |
 consistencyIssue
+| library-tests/TaintTracking/nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
+| library-tests/TaintTracking/stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
+| library-tests/TaintTracking/stringification-read-steps.js:25 | expected an alert, but found none | NOT OK | Consistency |
 flow
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
@@ -206,7 +206,6 @@ flow
 | nested-props.js:4:13:4:20 | source() | nested-props.js:5:10:5:14 | obj.x |
 | nested-props.js:9:18:9:25 | source() | nested-props.js:10:10:10:16 | obj.x.y |
 | nested-props.js:14:15:14:22 | source() | nested-props.js:15:10:15:16 | obj.x.y |
-| nested-props.js:19:17:19:24 | source() | nested-props.js:20:10:20:18 | obj.x.y.z |
 | nested-props.js:27:18:27:25 | source() | nested-props.js:28:10:28:14 | obj.x |
 | nested-props.js:35:13:35:20 | source() | nested-props.js:36:10:36:20 | doLoad(obj) |
 | nested-props.js:43:13:43:20 | source() | nested-props.js:44:10:44:18 | id(obj).x |
@@ -261,8 +260,6 @@ flow
 | string-replace.js:3:13:3:20 | source() | string-replace.js:21:6:21:41 | safe(). ...  taint) |
 | string-replace.js:3:13:3:20 | source() | string-replace.js:22:6:22:48 | safe(). ...  taint) |
 | string-replace.js:3:13:3:20 | source() | string-replace.js:24:6:24:45 | taint.r ...  + '!') |
-| stringification-read-steps.js:7:22:7:29 | source() | stringification-read-steps.js:17:10:17:31 | JSON.st ... object) |
-| stringification-read-steps.js:7:22:7:29 | source() | stringification-read-steps.js:25:10:25:31 | JSON.st ... object) |
 | summarize-store-load-in-call.js:9:15:9:22 | source() | summarize-store-load-in-call.js:9:10:9:23 | blah(source()) |
 | thisAssignments.js:4:17:4:24 | source() | thisAssignments.js:5:10:5:18 | obj.field |
 | thisAssignments.js:7:19:7:26 | source() | thisAssignments.js:8:10:8:20 | this.field2 |
diff --git a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
@@ -17,7 +17,6 @@ legacyDataFlowDifference
 | exceptions.js:53:14:53:21 | source() | exceptions.js:54:10:54:10 | e | only flow with NEW data flow library |
 | getters-and-setters.js:53:21:53:28 | source() | getters-and-setters.js:53:10:53:30 | getX(ne ... rce())) | only flow with NEW data flow library |
 | nested-props.js:14:15:14:22 | source() | nested-props.js:15:10:15:16 | obj.x.y | only flow with NEW data flow library |
-| nested-props.js:19:17:19:24 | source() | nested-props.js:20:10:20:18 | obj.x.y.z | only flow with NEW data flow library |
 | nested-props.js:27:18:27:25 | source() | nested-props.js:28:10:28:14 | obj.x | only flow with NEW data flow library |
 | nested-props.js:51:22:51:29 | source() | nested-props.js:52:10:52:16 | obj.x.y | only flow with NEW data flow library |
 | sanitizer-guards.js:57:11:57:18 | source() | sanitizer-guards.js:64:8:64:8 | x | only flow with NEW data flow library |
@@ -136,7 +135,6 @@ flow
 | nested-props.js:4:13:4:20 | source() | nested-props.js:5:10:5:14 | obj.x |
 | nested-props.js:9:18:9:25 | source() | nested-props.js:10:10:10:16 | obj.x.y |
 | nested-props.js:14:15:14:22 | source() | nested-props.js:15:10:15:16 | obj.x.y |
-| nested-props.js:19:17:19:24 | source() | nested-props.js:20:10:20:18 | obj.x.y.z |
 | nested-props.js:27:18:27:25 | source() | nested-props.js:28:10:28:14 | obj.x |
 | nested-props.js:35:13:35:20 | source() | nested-props.js:36:10:36:20 | doLoad(obj) |
 | nested-props.js:43:13:43:20 | source() | nested-props.js:44:10:44:18 | id(obj).x |
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/test.expected b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
@@ -1,4 +1,5 @@
 legacyDataFlowDifference
+| react-redux.jsx:70:30:70:37 | source() | react-redux.jsx:77:10:77:28 | props.propFromAsync | only flow with OLD data flow library |
 reducerArg
 | exportedReducer.js:12:12:12:35 | (state, ... > state |
 | react-redux.jsx:12:33:17:9 | (state, ...       } |
@@ -112,7 +113,6 @@ taintFlow
 | react-redux.jsx:69:31:69:38 | source() | react-redux.jsx:74:10:74:35 | props.p ... lAction |
 | react-redux.jsx:69:31:69:38 | source() | react-redux.jsx:75:10:75:36 | props.p ... Action2 |
 | react-redux.jsx:69:31:69:38 | source() | react-redux.jsx:76:10:76:36 | props.p ... Action3 |
-| react-redux.jsx:70:30:70:37 | source() | react-redux.jsx:77:10:77:28 | props.propFromAsync |
 reactComponentRef
 | accessPaths.js:7:1:15:1 | functio ... pan>;\\n} | accessPaths.js:7:1:15:1 | functio ... pan>;\\n} |
 | react-redux.jsx:64:1:80:1 | functio ... r}}/>\\n} | react-redux.jsx:64:1:80:1 | functio ... r}}/>\\n} |

Original file line number	Diff line number	Diff line change
`@@ -879,7 +879,7 @@ predicate isUnreachableInCall(Node n, DataFlowCall call) {`
`879`	`879`	`none() // TODO: could be useful, but not currently implemented for JS`
`880`	`880`	`}`
`881`	`881`
`882`		`-int accessPathLimit() { result = 5 }`
	`882`	`+int accessPathLimit() { result = 2 }`
`883`	`883`
`884`	`884`	`/**`
`885`	`885`	* Holds if flow is allowed to pass from parameter `p` and back to itself as a