filter out writes to number indexes

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll

@@ -79,7 +79,15 @@ class Configuration extends TaintTracking::Configuration {
       source.getNode() = src and sink.getNode() = snk
     |
       snk = write.getBase() and
-      exists(write.getPropertyName())
+      (
+        // fixed property name
+        exists(write.getPropertyName())
+        or
+        // non-string property name (likely number)
+        exists(Expr prop | prop = write.getPropertyNameExpr() |
+          not prop.analyze().getAType() = TTString()
+        )
+      )
     )
   }
 

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected

@@ -86,6 +86,8 @@ nodes
 | lib.js:91:24:91:27 | path |
 | lib.js:92:3:92:12 | maybeProto |
 | lib.js:92:3:92:12 | maybeProto |
+| lib.js:95:3:95:12 | maybeProto |
+| lib.js:95:3:95:12 | maybeProto |
 | tst.js:5:9:5:38 | taint |
 | tst.js:5:17:5:38 | String( ... y.data) |
 | tst.js:5:24:5:37 | req.query.data |
@@ -203,6 +205,8 @@ edges
 | lib.js:90:43:90:46 | path | lib.js:91:24:91:27 | path |
 | lib.js:91:7:91:28 | maybeProto | lib.js:92:3:92:12 | maybeProto |
 | lib.js:91:7:91:28 | maybeProto | lib.js:92:3:92:12 | maybeProto |
+| lib.js:91:7:91:28 | maybeProto | lib.js:95:3:95:12 | maybeProto |
+| lib.js:91:7:91:28 | maybeProto | lib.js:95:3:95:12 | maybeProto |
 | lib.js:91:20:91:28 | obj[path] | lib.js:91:7:91:28 | maybeProto |
 | lib.js:91:24:91:27 | path | lib.js:91:20:91:28 | obj[path] |
 | tst.js:5:9:5:38 | taint | tst.js:8:12:8:16 | taint |

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js

@@ -90,4 +90,7 @@ module.exports.delete = function() {
 module.exports.fixedProp = function (obj, path, value) {
   var maybeProto = obj[path];
   maybeProto.foo = value; // OK - fixed properties from library inputs are OK.
+
+  var i = 0;
+  maybeProto[i + 2] = value; // OK - number properties are OK.
 }