Skip to content

Commit 6f46a34

Browse files
asgerfasgerf
committed
JS: Refactor domEventSource() into a Range class
1 parent 498bfd2 commit 6f46a34

File tree

1 file changed

+28
-18
lines changed
  • javascript/ql/lib/semmle/javascript

1 file changed

+28
-18
lines changed

javascript/ql/lib/semmle/javascript/DOM.qll

Lines changed: 28 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -388,23 +388,33 @@ module DOM {
388388
}
389389
}
390390

391-
/**
392-
* Gets a reference to a DOM event.
393-
*/
394-
private DataFlow::SourceNode domEventSource() {
395-
// e.g. <form onSubmit={e => e.target}/>
396-
exists(JsxAttribute attr | attr.getName().matches("on%") |
397-
result = attr.getValue().flow().getABoundFunctionValue(0).getParameter(0)
398-
)
399-
or
400-
// node.addEventListener("submit", e => e.target)
401-
result = domValueRef().getAMethodCall("addEventListener").getABoundCallbackParameter(1, 0)
402-
or
403-
// node.onSubmit = (e => e.target);
404-
exists(DataFlow::PropWrite write | write = domValueRef().getAPropertyWrite() |
405-
write.getPropertyName().matches("on%") and
406-
result = write.getRhs().getAFunctionValue().getParameter(0)
407-
)
391+
/** A data flow node that is a source of DOM events. */
392+
class DomEventSource extends DataFlow::Node instanceof DomEventSource::Range { }
393+
394+
/** Companion module to the `DomEventSource` class. */
395+
module DomEventSource {
396+
/**
397+
* A data flow node that should be considered a source of DOM events.
398+
*/
399+
abstract class Range extends DataFlow::Node { }
400+
401+
private class DefaultRange extends Range {
402+
DefaultRange() {
403+
// e.g. <form onSubmit={e => e.target}/>
404+
exists(JsxAttribute attr | attr.getName().matches("on%") |
405+
this = attr.getValue().flow().getABoundFunctionValue(0).getParameter(0)
406+
)
407+
or
408+
// node.addEventListener("submit", e => e.target)
409+
this = domValueRef().getAMethodCall("addEventListener").getABoundCallbackParameter(1, 0)
410+
or
411+
// node.onSubmit = (e => e.target);
412+
exists(DataFlow::PropWrite write | write = domValueRef().getAPropertyWrite() |
413+
write.getPropertyName().matches("on%") and
414+
this = write.getRhs().getAFunctionValue().getParameter(0)
415+
)
416+
}
417+
}
408418
}
409419

410420
/** Gets a data flow node that refers directly to a value from the DOM. */
@@ -419,7 +429,7 @@ module DOM {
419429
result = domValueRef().getAMethodCall(["item", "namedItem"])
420430
or
421431
t.startInProp("target") and
422-
result = domEventSource()
432+
result instanceof DomEventSource
423433
or
424434
t.startInProp(DataFlow::PseudoProperties::arrayElement()) and
425435
result = domElementCollection()

0 commit comments

Comments
 (0)