File tree Expand file tree Collapse file tree 1 file changed +16
-6
lines changed
javascript/ql/lib/semmle/javascript/dataflow Expand file tree Collapse file tree 1 file changed +16
-6
lines changed Original file line number Diff line number Diff line change @@ -729,9 +729,9 @@ module TaintTracking {
729729 // find target in root object recursively
730730 private predicate findInObject ( Expr root , Expr target ) {
731731 // when root is Object
732- exists ( ObjectExpr object , Property property , Expr propertyVal |
733- object = root and
734- property = object .getAProperty ( ) and
732+ exists ( Property property , Expr propertyVal |
733+ root instanceof ObjectExpr and
734+ property = root . ( ObjectExpr ) .getAProperty ( ) and
735735 propertyVal = property .getInit ( ) and
736736 (
737737 target = property .getNameExpr ( ) or
@@ -741,14 +741,24 @@ module TaintTracking {
741741 )
742742 or
743743 // when root is Array
744- exists ( ArrayExpr array , Expr child |
745- array = root and
746- child = array .getAChildExpr ( ) and
744+ exists ( Expr child |
745+ root instanceof ArrayExpr and
746+ child = root . ( ArrayExpr ) .getAChildExpr ( ) and
747747 (
748748 target = child or
749749 findInObject ( child , target )
750750 )
751751 )
752+ or
753+ // when root is VarRef
754+ exists ( Expr var |
755+ root instanceof VarRef and
756+ var = root .( VarRef ) .getAVariable ( ) .getAnAssignedExpr ( ) and
757+ (
758+ target = var or
759+ findInObject ( var , target )
760+ )
761+ )
752762 }
753763 }
754764
You can’t perform that action at this time.
0 commit comments