JS: Handle exec() == undefined

asgerf · asgerf · commit 8a3863363991 · 2020-06-02T16:52:07.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/Expr.qll b/javascript/ql/src/semmle/javascript/Expr.qll
@@ -1355,6 +1355,11 @@ class EqualityTest extends @equalitytest, Comparison {
     (this instanceof NEqExpr or this instanceof StrictNEqExpr) and
     result = false
   }
+
+  /**
+   * Holds if the equality operator is strict (`===` or `!==`).
+   */
+  predicate isStrict() { this instanceof StrictEqExpr or this instanceof StrictNEqExpr }
 }
 
 /**
diff --git a/javascript/ql/src/semmle/javascript/StringOps.qll b/javascript/ql/src/semmle/javascript/StringOps.qll
@@ -744,10 +744,16 @@ module StringOps {
      * Holds if `e` evaluating to `polarity` implies that `operand` is not null.
      */
     private predicate impliesNotNull(Expr e, Expr operand, boolean polarity) {
-      exists(EqualityTest test |
+      exists(EqualityTest test, Expr other |
         e = test and
         polarity = test.getPolarity().booleanNot() and
-        test.hasOperands(any(NullLiteral n), operand)
+        test.hasOperands(other, operand) and
+        SyntacticConstants::isNullOrUndefined(other) and
+        not (
+          // 'exec() === undefined' doesn't work
+          other instanceof SyntacticConstants::UndefinedConstant and
+          test.isStrict()
+        )
       )
       or
       isCoercedToBoolean(e) and
diff --git a/javascript/ql/test/library-tests/StringOps/RegExpTest/RegExpTest.expected b/javascript/ql/test/library-tests/StringOps/RegExpTest/RegExpTest.expected
@@ -16,6 +16,7 @@ regexpTest
 | tst.js:25:23:25:27 | match |
 | tst.js:29:21:29:36 | regexp.test(str) |
 | tst.js:33:21:33:39 | str.matches(regexp) |
+| tst.js:40:9:40:37 | regexp. ... defined |
 #select
 | tst.js:6:9:6:28 | /^[a-z]+$/.test(str) | tst.js:6:10:6:17 | ^[a-z]+$ | tst.js:6:9:6:18 | /^[a-z]+$/ | tst.js:6:25:6:27 | str | true |
 | tst.js:7:9:7:36 | /^[a-z] ... != null | tst.js:7:10:7:17 | ^[a-z]+$ | tst.js:7:9:7:18 | /^[a-z]+$/ | tst.js:7:25:7:27 | str | true |
@@ -34,3 +35,4 @@ regexpTest
 | tst.js:25:23:25:27 | match | tst.js:3:17:3:24 | ^[a-z]+$ | tst.js:17:17:17:22 | regexp | tst.js:17:29:17:31 | str | true |
 | tst.js:29:21:29:36 | regexp.test(str) | tst.js:3:17:3:24 | ^[a-z]+$ | tst.js:29:21:29:26 | regexp | tst.js:29:33:29:35 | str | true |
 | tst.js:33:21:33:39 | str.matches(regexp) | tst.js:3:17:3:24 | ^[a-z]+$ | tst.js:33:33:33:38 | regexp | tst.js:33:21:33:23 | str | true |
+| tst.js:40:9:40:37 | regexp. ... defined | tst.js:3:17:3:24 | ^[a-z]+$ | tst.js:40:9:40:14 | regexp | tst.js:40:21:40:23 | str | false |
diff --git a/javascript/ql/test/library-tests/StringOps/RegExpTest/tst.js b/javascript/ql/test/library-tests/StringOps/RegExpTest/tst.js
@@ -36,4 +36,7 @@ function f(str) {
     something({
         someOption: regexp.exec(str) // not recognized as RegExpTest
     })
+
+    if (regexp.exec(str) == undefined) {}
+    if (regexp.exec(str) === undefined) {} // not recognized as RegExpTest
 }

Original file line number	Diff line number	Diff line change
`@@ -1355,6 +1355,11 @@ class EqualityTest extends @equalitytest, Comparison {`
`1355`	`1355`	`(this instanceof NEqExpr or this instanceof StrictNEqExpr) and`
`1356`	`1356`	`result = false`
`1357`	`1357`	`}`
	`1358`	`+`
	`1359`	`+ /**`
	`1360`	+ * Holds if the equality operator is strict (`===` or `!==`).
	`1361`	`+ */`
	`1362`	`+ predicate isStrict() { this instanceof StrictEqExpr or this instanceof StrictNEqExpr }`
`1358`	`1363`	`}`
`1359`	`1364`
`1360`	`1365`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -36,4 +36,7 @@ function f(str) {`
`36`	`36`	`something({`
`37`	`37`	`someOption: regexp.exec(str) // not recognized as RegExpTest`
`38`	`38`	`})`
	`39`	`+`
	`40`	`+ if (regexp.exec(str) == undefined) {}`
	`41`	`+ if (regexp.exec(str) === undefined) {} // not recognized as RegExpTest`
`39`	`42`	`}`