introduce StringSplitCall and use it

Author: erik-krogh

javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql

@@ -27,11 +27,10 @@ class DangerousScheme extends string {
 /** Returns a node that refers to the scheme of `url`. */
 DataFlow::SourceNode schemeOf(DataFlow::Node url) {
   // url.split(":")[0]
-  exists(DataFlow::MethodCallNode split |
-    split.getMethodName() = "split" and
-    split.getArgument(0).getStringValue() = ":" and
-    result = split.getAPropertyRead("0") and
-    url = split.getReceiver()
+  exists(StringSplitCall split |
+    split.getSplitAt() = ":" and
+    result = split.getAnElementRead(0) and
+    url = split.getUnsplit()
   )
   or
   // url.getScheme(), url.getProtocol(), getScheme(url), getProtocol(url)

javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql

@@ -21,11 +21,10 @@ import semmle.javascript.DynamicPropertyAccess
  *
  * We restrict this to parameter nodes to focus on "deep assignment" functions.
  */
-class SplitCall extends MethodCallNode {
+class SplitCall extends StringSplitCall {
   SplitCall() {
-    getMethodName() = "split" and
-    getArgument(0).mayHaveStringValue(".") and
-    getReceiver().getALocalSource() instanceof ParameterNode
+    getSplitAt() = "." and
+    getUnsplit() instanceof ParameterNode
   }
 }
 

javascript/ql/src/semmle/javascript/StandardLibrary.qll

@@ -146,3 +146,37 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
     )
   }
 }
+
+/**
+ * A call to `String.prototype.split`.
+ *
+ * We heuristically include any call to a method called `split`, provided it either
+ * has exactly one arguments, or local data flow suggests that the receiver may be a string.
+ */
+class StringSplitCall extends DataFlow::MethodCallNode {
+  StringSplitCall() {
+    this.getMethodName() = "split" and
+    (getNumArgument() = 1 or getReceiver().mayHaveStringValue(_))
+  }
+
+  /**
+   * Gets a string that determines where the string is split.
+   */
+  string getSplitAt() {
+    getArgument(0).mayHaveStringValue(result)
+    or
+    result =
+      getArgument(0).getALocalSource().(DataFlow::RegExpCreationNode).getRoot().getAMatchedString()
+  }
+
+  /**
+   * Gets a the SourceNode for the string before it is split.
+   */
+  DataFlow::SourceNode getUnsplit() { result = getReceiver().getALocalSource() }
+
+  /**
+   * Gets a read of the `i`th element from the split string.
+   */
+  bindingset[i]
+  DataFlow::Node getAnElementRead(int i) { result = getAPropertyRead(i.toString()) }
+}

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -70,16 +70,12 @@ module ClientSideUrlRedirect {
    * A sanitizer that reads the first part a location split by "?", e.g. `location.href.split('?')[0]`.
    */
   class QueryPrefixSanitizer extends Sanitizer {
-    DataFlow::PropRead read;
+    StringSplitCall splitCall;
 
     QueryPrefixSanitizer() {
-      this = read and
-      read.getPropertyName() = "0" and
-      exists(DataFlow::MethodCallNode splitCall | splitCall = read.getBase().getALocalSource() |
-        splitCall.getMethodName() = "split" and
-        splitCall.getArgument(0).mayHaveStringValue("?") and
-        splitCall.getReceiver() = [DOM::locationRef(), DOM::locationRef().getAPropertyRead("href")]
-      )
+      this = splitCall.getAnElementRead(0) and
+      splitCall.getSplitAt() = "?" and
+      splitCall.getUnsplit() = [DOM::locationRef(), DOM::locationRef().getAPropertyRead("href")]
     }
   }