
Commit b336c29

committed
JS: Track functions with methods
1 parent 4ef2a5f commit b336c29

3 files changed

+21
-12
lines changed


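--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/CallGraphs.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/CallGraphs.qll
@@ -79,9 +79,9 @@ module CallGraph {
 cls.getAClassReference(t.continue()) = result
 )
 or
-exists(DataFlow::ObjectLiteralNode object, string prop |
+exists(DataFlow::SourceNode object, string prop |
 function = object.getAPropertySource(prop) and
-result = getAnObjectLiteralRef(object).getAPropertyRead(prop) and
+result = getAnAllocationSiteRef(object).getAPropertyRead(prop) and
 t.start()
 )
 or
@@ -203,21 +203,26 @@ module CallGraph {
 )
 or
 exists(DataFlow::ObjectLiteralNode object, string name |
-ref = getAnObjectLiteralRef(object).getAPropertyRead(name) and
+ref = getAnAllocationSiteRef(object).getAPropertyRead(name) and
 result = object.getPropertyGetter(name)
 or
-ref = getAnObjectLiteralRef(object).getAPropertyWrite(name) and
+ref = getAnAllocationSiteRef(object).getAPropertyWrite(name) and
 result = object.getPropertySetter(name)
 )
 }
 
-private predicate shouldTrackObjectLiteral(DataFlow::ObjectLiteralNode node) {
+private predicate shouldTrackObjectWithMethods(DataFlow::SourceNode node) {
 (
+(
+node instanceof DataFlow::ObjectLiteralNode
+or
+node instanceof DataFlow::FunctionNode
+) and
 node.getAPropertySource() instanceof DataFlow::FunctionNode
 or
-exists(node.getPropertyGetter(_))
+exists(node.(DataFlow::ObjectLiteralNode).getPropertyGetter(_))
 or
-exists(node.getPropertySetter(_))
+exists(node.(DataFlow::ObjectLiteralNode).getPropertySetter(_))
 ) and
 not node.getTopLevel().isExterns()
 }
@@ -228,14 +233,14 @@ module CallGraph {
 * To avoid false flow from callbacks passed in via "named parameters", we only track object
 * literals out of returns, not into calls.
 */
-private StepSummary objectLiteralStep() { result = LevelStep() or result = ReturnStep() }
+private StepSummary objectWithMethodsStep() { result = LevelStep() or result = ReturnStep() }
 
-/** Gets a node that refers to the given object literal, via a limited form of type tracking. */
+/** Gets a node that refers to the given object, via a limited form of type tracking. */
 cached
-DataFlow::SourceNode getAnObjectLiteralRef(DataFlow::ObjectLiteralNode node) {
-shouldTrackObjectLiteral(node) and
+DataFlow::SourceNode getAnAllocationSiteRef(DataFlow::SourceNode node) {
+shouldTrackObjectWithMethods(node) and
 result = node
 or
-StepSummary::step(getAnObjectLiteralRef(node), result, objectWithMethodsStep())
+StepSummary::step(getAnAllocationSiteRef(node), result, objectWithMethodsStep())
 }
 }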
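Review bot: The QLDoc that precedes `objectWithMethodsStep` in the third hunk (the context lines `we only track object` / `literals out of returns, not into calls.`) still describes the step as applying to object literals only, but the renamed predicate and `shouldTrackObjectWithMethods` now also track `DataFlow::FunctionNode`s that carry function-valued properties. Reword it to something like `we only track objects with methods (object literals and functions) out of returns, not into calls.` so the documented scope matches the new code. `shouldTrackObjectWithMethods` and the public `cached` `getAnAllocationSiteRef` now accept any `DataFlow::SourceNode` while the predicate only holds for object literals and functions, so a QLDoc line on `shouldTrackObjectWithMethods` such as `/** Holds if node is an object literal or function with a function-valued property (or an object literal with an accessor) whose references are tracked by getAnAllocationSiteRef. */` would make that contract visible to callers. Because the cached relation's domain now presumably includes every non-externs function with a function-valued property, its size and evaluation time may grow noticeably on large JavaScript databases; that is worth confirming with a performance run.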

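--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -83,6 +83,8 @@ typeInferenceMismatch
 | exceptions.js:158:13:158:20 | source() | exceptions.js:161:10:161:10 | e |
 | factory-function.js:21:13:21:20 | source() | factory-function.js:7:10:7:12 | obj |
 | factory-function.js:22:13:22:20 | source() | factory-function.js:7:10:7:12 | obj |
+| factory-function.js:26:7:26:14 | source() | factory-function.js:16:14:16:16 | obj |
+| factory-function.js:27:7:27:14 | source() | factory-function.js:16:14:16:16 | obj |
 | getters-and-setters.js:6:20:6:27 | source() | getters-and-setters.js:9:10:9:18 | new C().x |
 | getters-and-setters.js:6:20:6:27 | source() | getters-and-setters.js:13:18:13:20 | c.x |
 | getters-and-setters.js:27:15:27:22 | source() | getters-and-setters.js:23:18:23:18 | v |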

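--- a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
@@ -45,6 +45,8 @@
 | exceptions.js:158:13:158:20 | source() | exceptions.js:161:10:161:10 | e |
 | factory-function.js:21:13:21:20 | source() | factory-function.js:7:10:7:12 | obj |
 | factory-function.js:22:13:22:20 | source() | factory-function.js:7:10:7:12 | obj |
+| factory-function.js:26:7:26:14 | source() | factory-function.js:16:14:16:16 | obj |
+| factory-function.js:27:7:27:14 | source() | factory-function.js:16:14:16:16 | obj |
 | getters-and-setters.js:6:20:6:27 | source() | getters-and-setters.js:9:10:9:18 | new C().x |
 | getters-and-setters.js:6:20:6:27 | source() | getters-and-setters.js:13:18:13:20 | c.x |
 | getters-and-setters.js:27:15:27:22 | source() | getters-and-setters.js:23:18:23:18 | v |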
