move extend aliasing to getAnAliasedSourceNode

erik-krogh · erik-krogh · commit 5d901ef72855 · 2021-11-10T18:08:50.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll b/javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll
@@ -426,6 +426,17 @@ module AccessPath {
       result = AccessPath::getAReferenceTo(root, accessPath)
     )
     or
+    // step over extend calls. Handle aliasing both ways through the extend call.
+    exists(
+      DataFlow::SourceNode rootOne, DataFlow::SourceNode rootTwo, string accessPath,
+      ExtendCall extendCall
+    |
+      rootOne = [extendCall, extendCall.getAnOperand().getALocalSource()] and
+      rootTwo = [extendCall, extendCall.getAnOperand().getALocalSource()] and
+      node = pragma[only_bind_into](AccessPath::getAReferenceTo(rootOne, accessPath)) and
+      result = AccessPath::getAReferenceTo(rootTwo, accessPath)
+    )
+    or
     result = node.getALocalSource()
   }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
@@ -76,19 +76,8 @@ private predicate aliasPropertyPresenceStepHelper(
 ) {
   exists(PropertyPresenceSanitizer sanitizer |
     src = sanitizer.getPropRead() and
+    sink = AccessPath::getAnAliasedSourceNode(src) and
     srcBB = src.getBasicBlock() and
-    sinkBB = sink.getBasicBlock() and
-    (
-      sink = AccessPath::getAnAliasedSourceNode(src)
-      or
-      // step over extend calls
-      exists(ExtendCall extendCall, string prop |
-        src = extendCall.getASourceOperand().getALocalSource().getAPropertyReference(prop) and
-        sink =
-          [extendCall, extendCall.getDestinationOperand()]
-              .(DataFlow::SourceNode)
-              .getAPropertyReference(prop)
-      )
-    )
+    sinkBB = sink.getBasicBlock()
   )
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected
@@ -1,5 +1,3 @@
-WARNING: Unused predicate sink (/home/erik/dev/code/ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql:30,6-10)
-WARNING: Unused predicate source (/home/erik/dev/code/ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql:28,10-16)
 nodes
 | unsafe-jquery-plugin.js:2:38:2:44 | options |
 | unsafe-jquery-plugin.js:2:38:2:44 | options |

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-WARNING: Unused predicate sink (/home/erik/dev/code/ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql:30,6-10)`
`2`		`-WARNING: Unused predicate source (/home/erik/dev/code/ql/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql:28,10-16)`
`3`	`1`	`nodes`
`4`	`2`	`\| unsafe-jquery-plugin.js:2:38:2:44 \| options \|`
`5`	`3`	`\| unsafe-jquery-plugin.js:2:38:2:44 \| options \|`