
Commit 1954a60

committed
reuse existing predicate from UnsafeJqueryPlugin
1 parent 09b6727 commit 1954a60


2 files changed

+24
-37
lines changed


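--- a/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll
@@ -497,24 +497,11 @@ module JQuery {
 }
 }
 
-/**
-* Gets a node that is written to `$.fn[something]`.
-* JQuery plugins are registered this way.
-*/
-private DataFlow::Node getAFnWrite() {
-exists(DataFlow::PropWrite write, DataFlow::PropRead jQueryFN |
-write.getBase() = jQueryFN and
-jQueryFN.getBase().getALocalSource() = JQuery::dollar() and
-jQueryFN.getPropertyName() = "fn" and
-result = write.getRhs()
-)
-}
-
 /**
 * Gets a node that is backtracked from a node written to `$.fn[something]`.
 */
 private DataFlow::SourceNode writtenToJqueryFN(DataFlow::TypeBackTracker t) {
-t.start() and result = getAFnWrite().getALocalSource()
+t.start() and result = any(DataFlow::Node plugin | jQueryPluginDefinition(_, plugin)).getALocalSource()
 or
 exists(DataFlow::TypeBackTracker t2 | result = writtenToJqueryFN(t2).backtrack(t2, t))
 }
@@ -624,4 +611,27 @@ module JQuery {
 node = getArgument(0)
 }
 }
+
+/**
+* Holds for jQuery plugin definitions of the form `$.fn.<pluginName> = <plugin>`.
+*/
+predicate jQueryPluginDefinition(string pluginName, DataFlow::Node plugin) {
+exists(DataFlow::PropRead fn, DataFlow::PropWrite write |
+fn = jquery().getAPropertyRead("fn") and
+(
+write = fn.getAPropertyWrite()
+or
+exists(ExtendCall extend, DataFlow::SourceNode source |
+fn.flowsTo(extend.getDestinationOperand()) and
+source = extend.getASourceOperand() and
+write = source.getAPropertyWrite()
+)
+) and
+plugin = write.getRhs() and
+(
+pluginName = write.getPropertyName() or
+write.getPropertyNameExpr().flow().mayHaveStringValue(pluginName)
+)
+)
+}
 }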
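Review bot: The new seed in `writtenToJqueryFN` (new line 504) only matches plugin writes whose property name can be resolved, because `jQueryPluginDefinition` still requires `pluginName = write.getPropertyName()` or `mayHaveStringValue(pluginName)` to hold when it is called with `_`. The removed `getAFnWrite` had no name constraint, so a plugin registered under a computed name the analysis cannot resolve appears to drop out of the back-tracking, which would cost coverage in the queries built on it. The swap is also not a pure reuse in the other direction: it starts from `jquery()` rather than `JQuery::dollar()` and now includes writes reached through an `ExtendCall` whose destination is `fn`, so a test case for each form would be worth adding. Consider moving the name-independent part into a helper such as `private DataFlow::PropWrite jQueryPluginWrite()` and seeding with `result = jQueryPluginWrite().getRhs().getALocalSource()`. Since the predicate is no longer `private`, its QLDoc and the one on `writtenToJqueryFN` should mention the extend-based and computed-name forms rather than only `$.fn.<pluginName> = <plugin>`.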

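--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
@@ -49,29 +49,6 @@ module UnsafeJQueryPlugin {
 }
 }
 
-/**
-* Holds for jQuery plugin definitions of the form `$.fn.<pluginName> = <plugin>`.
-*/
-private predicate jQueryPluginDefinition(string pluginName, DataFlow::Node plugin) {
-exists(DataFlow::PropRead fn, DataFlow::PropWrite write |
-fn = jquery().getAPropertyRead("fn") and
-(
-write = fn.getAPropertyWrite()
-or
-exists(ExtendCall extend, DataFlow::SourceNode source |
-fn.flowsTo(extend.getDestinationOperand()) and
-source = extend.getASourceOperand() and
-write = source.getAPropertyWrite()
-)
-) and
-plugin = write.getRhs() and
-(
-pluginName = write.getPropertyName() or
-write.getPropertyNameExpr().flow().mayHaveStringValue(pluginName)
-)
-)
-}
-
 /**
 * Gets a node that is registered as a jQuery plugin method at `def`.
 */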
