Merge pull request github#11853 from erik-krogh/assignMore

JS: add local flow when recognizing Object.assign calls for library-inputs

Author: erik-krogh

javascript/ql/lib/semmle/javascript/PackageExports.qll

@@ -200,7 +200,8 @@ private DataFlow::Node getAValueExportedByPackage() {
   or
   // Object.assign and friends
   exists(ExtendCall assign |
-    getAValueExportedByPackage() = [assign, assign.getDestinationOperand()] and
+    getAValueExportedByPackage() = [assign, assign.getDestinationOperand().getALocalSource()]
+  |
     result = assign.getASourceOperand()
   )
   or

javascript/ql/test/query-tests/Security/CWE-400/ReDoS/PolynomialBackTracking.expected

@@ -35,6 +35,7 @@
 | lib/lib.js:36:3:36:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
 | lib/lib.js:42:29:42:30 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
 | lib/lib.js:45:29:45:30 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
+| lib/lib.js:53:6:53:7 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
 | lib/moduleLib/moduleLib.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/otherLib/js/src/index.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/snapdragon.js:7:28:7:29 | a* | Strings starting with 'a' and with many repetitions of 'a' can start matching anywhere after the start of the preceeding aa*$ |

javascript/ql/test/query-tests/Security/CWE-400/ReDoS/PolynomialReDoS.expected

@@ -37,6 +37,10 @@ nodes
 | lib/lib.js:44:12:44:25 | name.substr(1) |
 | lib/lib.js:45:17:45:20 | name |
 | lib/lib.js:45:17:45:20 | name |
+| lib/lib.js:52:22:52:25 | name |
+| lib/lib.js:52:22:52:25 | name |
+| lib/lib.js:53:16:53:19 | name |
+| lib/lib.js:53:16:53:19 | name |
 | lib/moduleLib/moduleLib.js:1:28:1:31 | name |
 | lib/moduleLib/moduleLib.js:1:28:1:31 | name |
 | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
@@ -273,6 +277,10 @@ edges
 | lib/lib.js:44:5:44:25 | name | lib/lib.js:45:17:45:20 | name |
 | lib/lib.js:44:12:44:15 | name | lib/lib.js:44:12:44:25 | name.substr(1) |
 | lib/lib.js:44:12:44:25 | name.substr(1) | lib/lib.js:44:5:44:25 | name |
+| lib/lib.js:52:22:52:25 | name | lib/lib.js:53:16:53:19 | name |
+| lib/lib.js:52:22:52:25 | name | lib/lib.js:53:16:53:19 | name |
+| lib/lib.js:52:22:52:25 | name | lib/lib.js:53:16:53:19 | name |
+| lib/lib.js:52:22:52:25 | name | lib/lib.js:53:16:53:19 | name |
 | lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
 | lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
 | lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name |
@@ -471,6 +479,7 @@ edges
 | lib/lib.js:36:2:36:17 | /f*g/.test(name) | lib/lib.js:32:32:32:40 | arguments | lib/lib.js:36:13:36:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/lib.js:36:3:36:4 | f* | regular expression | lib/lib.js:32:32:32:40 | arguments | library input |
 | lib/lib.js:42:17:42:33 | name.match(/f*g/) | lib/lib.js:41:32:41:35 | name | lib/lib.js:42:17:42:20 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/lib.js:42:29:42:30 | f* | regular expression | lib/lib.js:41:32:41:35 | name | library input |
 | lib/lib.js:45:17:45:33 | name.match(/f*g/) | lib/lib.js:41:32:41:35 | name | lib/lib.js:45:17:45:20 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/lib.js:45:29:45:30 | f* | regular expression | lib/lib.js:41:32:41:35 | name | library input |
+| lib/lib.js:53:5:53:20 | /f*g/.test(name) | lib/lib.js:52:22:52:25 | name | lib/lib.js:53:16:53:19 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/lib.js:53:6:53:7 | f* | regular expression | lib/lib.js:52:22:52:25 | name | library input |
 | lib/moduleLib/moduleLib.js:2:2:2:17 | /a*b/.test(name) | lib/moduleLib/moduleLib.js:1:28:1:31 | name | lib/moduleLib/moduleLib.js:2:13:2:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/moduleLib/moduleLib.js:2:3:2:4 | a* | regular expression | lib/moduleLib/moduleLib.js:1:28:1:31 | name | library input |
 | lib/otherLib/js/src/index.js:2:2:2:17 | /a*b/.test(name) | lib/otherLib/js/src/index.js:1:28:1:31 | name | lib/otherLib/js/src/index.js:2:13:2:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/otherLib/js/src/index.js:2:3:2:4 | a* | regular expression | lib/otherLib/js/src/index.js:1:28:1:31 | name | library input |
 | lib/snapdragon.js:7:15:7:32 | this.match(/aa*$/) | lib/snapdragon.js:3:34:3:38 | input | lib/snapdragon.js:7:15:7:18 | this | This $@ that depends on $@ may run slow on strings starting with 'a' and with many repetitions of 'a'. | lib/snapdragon.js:7:28:7:29 | a* | regular expression | lib/snapdragon.js:3:34:3:38 | input | library input |

javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/lib.js

@@ -43,4 +43,13 @@ module.exports.foo = function (name) {
 
     name = name.substr(1);
     var data2 = name.match(/f*g/); // NOT OK
-}
+}
+
+var indirectAssign = {};
+module.exports.indirectAssign = indirectAssign;
+
+Object.assign(indirectAssign, {
+  myThing: function (name) {
+    /f*g/.test(name); // NOT OK
+  },
+});