JS: Fix the ExtendCall restriction

asgerf · asgerf · commit 13b1e97caa13 · 2023-04-17T12:30:08.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
@@ -62,7 +62,11 @@ class Configuration extends TaintTracking::Configuration {
     // step because it preserves all properties, but the destination is not actually Object.prototype.
     exists(ExtendCall call |
       pred = call.getASourceOperand() and
-      succ = call.getDestinationOperand().getALocalSource() and
+      (
+        succ = call.getDestinationOperand().getALocalSource()
+        or
+        succ = call
+      ) and
       lbl instanceof ObjectPrototype
     )
   }
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected
@@ -1 +0,0 @@
-| query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js:120 | did not expect an alert, but found an alert for PrototypePollutingAssignment | OK - 'object' is not Object.prototype itself (but possibly a copy) | PrototypePollutingAssignment |
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
@@ -190,16 +190,6 @@ nodes
 | tst.js:105:5:105:17 | object[taint] |
 | tst.js:105:5:105:17 | object[taint] |
 | tst.js:105:12:105:16 | taint |
-| tst.js:116:9:116:38 | taint |
-| tst.js:116:17:116:38 | String( ... y.data) |
-| tst.js:116:24:116:37 | req.query.data |
-| tst.js:116:24:116:37 | req.query.data |
-| tst.js:119:9:119:51 | object |
-| tst.js:119:18:119:51 | Object. ... taint]) |
-| tst.js:119:36:119:50 | plainObj[taint] |
-| tst.js:119:45:119:49 | taint |
-| tst.js:120:5:120:10 | object |
-| tst.js:120:5:120:10 | object |
 edges
 | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
 | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
@@ -376,15 +366,6 @@ edges
 | tst.js:102:24:102:37 | req.query.data | tst.js:102:17:102:38 | String( ... y.data) |
 | tst.js:105:12:105:16 | taint | tst.js:105:5:105:17 | object[taint] |
 | tst.js:105:12:105:16 | taint | tst.js:105:5:105:17 | object[taint] |
-| tst.js:116:9:116:38 | taint | tst.js:119:45:119:49 | taint |
-| tst.js:116:17:116:38 | String( ... y.data) | tst.js:116:9:116:38 | taint |
-| tst.js:116:24:116:37 | req.query.data | tst.js:116:17:116:38 | String( ... y.data) |
-| tst.js:116:24:116:37 | req.query.data | tst.js:116:17:116:38 | String( ... y.data) |
-| tst.js:119:9:119:51 | object | tst.js:120:5:120:10 | object |
-| tst.js:119:9:119:51 | object | tst.js:120:5:120:10 | object |
-| tst.js:119:18:119:51 | Object. ... taint]) | tst.js:119:9:119:51 | object |
-| tst.js:119:36:119:50 | plainObj[taint] | tst.js:119:18:119:51 | Object. ... taint]) |
-| tst.js:119:45:119:49 | taint | tst.js:119:36:119:50 | plainObj[taint] |
 #select
 | lib.js:6:7:6:9 | obj | lib.js:1:43:1:46 | path | lib.js:6:7:6:9 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:1:43:1:46 | path | library input |
 | lib.js:15:3:15:14 | obj[path[0]] | lib.js:14:38:14:41 | path | lib.js:15:3:15:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:14:38:14:41 | path | library input |
@@ -413,4 +394,3 @@ edges
 | tst.js:94:5:94:37 | obj[req ... ', '')] | tst.js:94:9:94:19 | req.query.x | tst.js:94:5:94:37 | obj[req ... ', '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:94:9:94:19 | req.query.x | user controlled input |
 | tst.js:97:5:97:46 | obj[req ... g, '')] | tst.js:97:9:97:19 | req.query.x | tst.js:97:5:97:46 | obj[req ... g, '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:97:9:97:19 | req.query.x | user controlled input |
 | tst.js:105:5:105:17 | object[taint] | tst.js:102:24:102:37 | req.query.data | tst.js:105:5:105:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:102:24:102:37 | req.query.data | user controlled input |
-| tst.js:120:5:120:10 | object | tst.js:116:24:116:37 | req.query.data | tst.js:120:5:120:10 | object | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:116:24:116:37 | req.query.data | user controlled input |

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,11 @@ class Configuration extends TaintTracking::Configuration {`
`62`	`62`	`// step because it preserves all properties, but the destination is not actually Object.prototype.`
`63`	`63`	`exists(ExtendCall call \|`
`64`	`64`	`pred = call.getASourceOperand() and`
`65`		`- succ = call.getDestinationOperand().getALocalSource() and`
	`65`	`+ (`
	`66`	`+ succ = call.getDestinationOperand().getALocalSource()`
	`67`	`+ or`
	`68`	`+ succ = call`
	`69`	`+ ) and`
`66`	`70`	`lbl instanceof ObjectPrototype`
`67`	`71`	`)`
`68`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +0,0 @@`
`1`		`-\| query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js:120 \| did not expect an alert, but found an alert for PrototypePollutingAssignment \| OK - 'object' is not Object.prototype itself (but possibly a copy) \| PrototypePollutingAssignment \|`