introduce PropRef#mayHavePropertyName

erik-krogh · erik-krogh · commit 1ad64bc6198f · 2020-04-27T11:47:51.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -537,6 +537,14 @@ module DataFlow {
      */
     abstract Expr getPropertyNameExpr();
 
+    /**
+     * Holds if this property reference may access a property named `propName`.
+     */
+    predicate mayHavePropertyName(string propName) {
+      propName = this.getPropertyName() or
+      this.getPropertyNameExpr().flow().mayHaveStringValue(propName)
+    }
+
     /**
      * Gets the name of the property being read or written,
      * if it can be statically determined.
diff --git a/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll b/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll
@@ -552,7 +552,7 @@ module JQuery {
       // Handle basic dynamic method dispatch (e.g. `$element[html ? 'html' : 'text'](content)`)
       exists(DataFlow::PropRead read | read = this.getCalleeNode() |
         read.getBase().getALocalSource() = [dollar(), objectRef()] and
-        read.getPropertyNameExpr().flow().mayHaveStringValue(name)
+        read.mayHavePropertyName(name)
       )
       or
       // Handle contributed JQuery objects that aren't source nodes (usually parameter uses)
@@ -616,10 +616,7 @@ module JQuery {
         )
       ) and
       plugin = write.getRhs() and
-      (
-        pluginName = write.getPropertyName() or
-        write.getPropertyNameExpr().flow().mayHaveStringValue(pluginName)
-      )
+      write.mayHavePropertyName(pluginName)
     )
   }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll
@@ -81,10 +81,7 @@ module XssThroughDom {
     DOMTextSource() {
       exists(DataFlow::PropRead read | read = this |
         read.getBase().getALocalSource() = DOM::domValueRef() and
-        exists(string propName | propName = ["innerText", "textContent", "value", "name"] |
-          read.getPropertyName() = propName or
-          read.getPropertyNameExpr().flow().mayHaveStringValue(propName)
-        )
+        read.mayHavePropertyName(["innerText", "textContent", "value", "name"])
       )
       or
       exists(DataFlow::MethodCallNode mcn | mcn = this |

Original file line number	Diff line number	Diff line change
`@@ -552,7 +552,7 @@ module JQuery {`
`552`	`552`	// Handle basic dynamic method dispatch (e.g. `$element[html ? 'html' : 'text'](content)`)
`553`	`553`	`exists(DataFlow::PropRead read \| read = this.getCalleeNode() \|`
`554`	`554`	`read.getBase().getALocalSource() = [dollar(), objectRef()] and`
`555`		`- read.getPropertyNameExpr().flow().mayHaveStringValue(name)`
	`555`	`+ read.mayHavePropertyName(name)`
`556`	`556`	`)`
`557`	`557`	`or`
`558`	`558`	`// Handle contributed JQuery objects that aren't source nodes (usually parameter uses)`
`@@ -616,10 +616,7 @@ module JQuery {`
`616`	`616`	`)`
`617`	`617`	`) and`
`618`	`618`	`plugin = write.getRhs() and`
`619`		`- (`
`620`		`- pluginName = write.getPropertyName() or`
`621`		`- write.getPropertyNameExpr().flow().mayHaveStringValue(pluginName)`
`622`		`- )`
	`619`	`+ write.mayHavePropertyName(pluginName)`
`623`	`620`	`)`
`624`	`621`	`}`
`625`	`622`