Merge pull request github#3359 from erik-krogh/MayHavePropName

semmle-qlci · web-flow · commit 384df88df1e0 · 2020-05-14T13:52:45.000+01:00
Approved by esbena
diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -536,6 +536,14 @@ module DataFlow {
      */
     abstract Expr getPropertyNameExpr();
 
+    /**
+     * Holds if this property reference may access a property named `propName`.
+     */
+    predicate mayHavePropertyName(string propName) {
+      propName = this.getPropertyName() or
+      this.getPropertyNameExpr().flow().mayHaveStringValue(propName)
+    }
+
     /**
      * Gets the name of the property being read or written,
      * if it can be statically determined.
diff --git a/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll b/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll
@@ -590,7 +590,7 @@ module JQuery {
       // Handle basic dynamic method dispatch (e.g. `$element[html ? 'html' : 'text'](content)`)
       exists(DataFlow::PropRead read | read = this.getCalleeNode() |
         read.getBase().getALocalSource() = [dollar(), objectRef()] and
-        read.getPropertyNameExpr().flow().mayHaveStringValue(name)
+        read.mayHavePropertyName(name)
       )
       or
       // Handle contributed JQuery objects that aren't source nodes (usually parameter uses)
@@ -654,10 +654,7 @@ module JQuery {
         )
       ) and
       plugin = write.getRhs() and
-      (
-        pluginName = write.getPropertyName() or
-        write.getPropertyNameExpr().flow().mayHaveStringValue(pluginName)
-      )
+      write.mayHavePropertyName(pluginName)
     )
   }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll
@@ -81,10 +81,7 @@ module XssThroughDom {
     DOMTextSource() {
       exists(DataFlow::PropRead read | read = this |
         read.getBase().getALocalSource() = DOM::domValueRef() and
-        exists(string propName | propName = ["innerText", "textContent", "value", "name"] |
-          read.getPropertyName() = propName or
-          read.getPropertyNameExpr().flow().mayHaveStringValue(propName)
-        )
+        read.mayHavePropertyName(["innerText", "textContent", "value", "name"])
       )
       or
       exists(DataFlow::MethodCallNode mcn | mcn = this |

Original file line number	Diff line number	Diff line change
`@@ -590,7 +590,7 @@ module JQuery {`
`590`	`590`	// Handle basic dynamic method dispatch (e.g. `$element[html ? 'html' : 'text'](content)`)
`591`	`591`	`exists(DataFlow::PropRead read \| read = this.getCalleeNode() \|`
`592`	`592`	`read.getBase().getALocalSource() = [dollar(), objectRef()] and`
`593`		`- read.getPropertyNameExpr().flow().mayHaveStringValue(name)`
	`593`	`+ read.mayHavePropertyName(name)`
`594`	`594`	`)`
`595`	`595`	`or`
`596`	`596`	`// Handle contributed JQuery objects that aren't source nodes (usually parameter uses)`
`@@ -654,10 +654,7 @@ module JQuery {`
`654`	`654`	`)`
`655`	`655`	`) and`
`656`	`656`	`plugin = write.getRhs() and`
`657`		`- (`
`658`		`- pluginName = write.getPropertyName() or`
`659`		`- write.getPropertyNameExpr().flow().mayHaveStringValue(pluginName)`
`660`		`- )`
	`657`	`+ write.mayHavePropertyName(pluginName)`
`661`	`658`	`)`
`662`	`659`	`}`
`663`	`660`