merge two cases of jQuery method calls

erik-krogh · erik-krogh · commit 12f4ce811125 · 2020-04-20T13:28:55.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll b/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll
@@ -538,12 +538,13 @@ module JQuery {
     MethodCall() {
       this = dollarCall() and name = "$"
       or
-      this = ([dollar(), objectRef()]).getAMemberCall(name)
-      or
       // Handle basic dynamic method dispatch (e.g. `$element[html ? 'html' : 'text'](content)`)
       exists(DataFlow::PropRead read | read = this.getCalleeNode() |
         read.getBase().getALocalSource() = [dollar(), objectRef()] and
-        read.getPropertyNameExpr().flow().mayHaveStringValue(name)
+        (
+          read.getPropertyNameExpr().flow().mayHaveStringValue(name) or
+          read.getPropertyName() = name
+        )
       )
       or
       // Handle contributed JQuery objects that aren't source nodes (usually parameter uses)
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/xss-through-dom.js
@@ -58,5 +58,8 @@
 	
 	$("#id").get(0).innerHTML = $("input").getAttribute("id"); // OK.
 	
-	$("#id").get(0).innerHTML = $(document).find("option").attr("value"); // NOT OK. 
+	$("#id").get(0).innerHTML = $(document).find("option").attr("value"); // NOT OK.
+	
+	var valMethod = $("textarea").val;
+	$("#id").get(0).innerHTML = valMethod(); // OK - Not a method call, not valid receiver for jQuery. 
 })();
