Removed taint from ArrayBuffer constructor as it accepts length

Author: Napalys

javascript/ql/lib/semmle/javascript/internal/flow_summaries/TypedArrays.qll

@@ -74,20 +74,6 @@ private class ArrayBufferEntryPoint extends API::EntryPoint {
 pragma[nomagic]
 API::Node arrayBufferConstructorRef() { result = any(ArrayBufferEntryPoint a).getANode() }
 
-class ArrayBufferConstructorSummary extends SummarizedCallable {
-  ArrayBufferConstructorSummary() { this = "ArrayBuffer constructor" }
-
-  override DataFlow::InvokeNode getACall() {
-    result = arrayBufferConstructorRef().getAnInstantiation()
-  }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    preservesValue = true and
-    input = "Argument[0].ArrayElement" and
-    output = "ReturnValue.ArrayElement"
-  }
-}
-
 class TransferLike extends SummarizedCallable {
   TransferLike() { this = "ArrayBuffer#transfer" }
 

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -40,18 +40,18 @@ legacyDataFlowDifference
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr | only flow with NEW data flow library |
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z | only flow with NEW data flow library |
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:22:10:22:13 | view | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:26:10:26:14 | view1 | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:30:10:30:23 | transferedView | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:34:10:34:24 | transferedView2 | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:46:10:46:12 | str | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:50:10:50:13 | str2 | only flow with NEW data flow library |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:48:10:48:12 | str | only flow with NEW data flow library |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:52:10:52:13 | str2 | only flow with NEW data flow library |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x | only flow with NEW data flow library |
 consistencyIssue
 | nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
 | stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
 | stringification-read-steps.js:25 | expected an alert, but found none | NOT OK | Consistency |
-| typed-arrays.js:40 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
+| typed-arrays.js:23 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
+| typed-arrays.js:28 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
+| typed-arrays.js:32 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
+| typed-arrays.js:36 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
+| typed-arrays.js:42 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
 flow
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
@@ -342,12 +342,8 @@ flow
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr |
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z |
 | typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:22:10:22:13 | view |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:26:10:26:14 | view1 |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:30:10:30:23 | transferedView |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:34:10:34:24 | transferedView2 |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:46:10:46:12 | str |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:50:10:50:13 | str2 |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:48:10:48:12 | str |
+| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:52:10:52:13 | str2 |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |

javascript/ql/test/library-tests/TaintTracking/typed-arrays.js

@@ -17,21 +17,23 @@ function test() {
     const sub = y.subarray(1, 3)
     sink(sub); // NOT OK
 
-    const buffer = new ArrayBuffer(x);
+    const buffer = new ArrayBuffer(8);
     const view = new Uint8Array(buffer);
-    sink(view); // NOT OK
+    view.set(x, 3);
+    sink(buffer); // NOT OK -- Should be flagged but it is not.
 
-    const sharedBuffer = new SharedArrayBuffer(x);
+    const sharedBuffer = new SharedArrayBuffer(8);
     const view1 = new Uint8Array(sharedBuffer);
-    sink(view1); // NOT OK
+    view1.set(x, 3);
+    sink(sharedBuffer); // NOT OK -- Should be flagged but it is not.
 
     const transfered = buffer.transfer();
     const transferedView = new Uint8Array(transfered);
-    sink(transferedView); // NOT OK
+    sink(transferedView); // NOT OK -- Should be flagged but it is not.
 
     const transfered2 = buffer.transferToFixedLength();
     const transferedView2 = new Uint8Array(transfered2);
-    sink(transferedView2); // NOT OK
+    sink(transferedView2); // NOT OK -- Should be flagged but it is not.
 
     var typedArrayToString = (function () {
         return function (a) { return String.fromCharCode.apply(null, a); };