Merge pull request github#11565 from asgerf/js/rephined-variable-in-access-path

asgerf · web-flow · commit afe7872838bd · 2022-12-07T09:26:38.000+01:00
JS: handle rephined variable in access path
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/AccessPaths.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/AccessPaths.qll
@@ -45,6 +45,8 @@ private PropAccess namedPropAccess(AccessPath base, PropertyName name, BasicBloc
 
 private SsaVariable getRefinedVariable(SsaVariable variable) {
   result = variable.getDefinition().(SsaRefinementNode).getAnInput()
+  or
+  result = variable.getDefinition().(SsaPhiNode).getRephinedVariable()
 }
 
 private SsaVariable getARefinementOf(SsaVariable variable) { variable = getRefinedVariable(result) }
diff --git a/javascript/ql/test/library-tests/TaintTracking/refinement-sanitizer.js b/javascript/ql/test/library-tests/TaintTracking/refinement-sanitizer.js
@@ -0,0 +1,34 @@
+import * as dummy from 'dummy';
+
+function oneUse() {
+    let taint = source();
+
+    if (!isSafe(taint)) {
+        return;
+    }
+
+    let array = [];
+    if (taint) {
+        array.push(taint);
+    }
+
+    sink(array.join()); // OK
+}
+
+function secondUse() {
+    let taint = source();
+
+    if (!isSafe(taint)) {
+        return;
+    }
+
+    let array = [];
+    if (taint) {
+        array.push(taint);
+    }
+    if (taint) {
+        array.push(taint);
+    }
+
+    sink(array.join()); // OK
+}

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,8 @@ private PropAccess namedPropAccess(AccessPath base, PropertyName name, BasicBloc`
`45`	`45`
`46`	`46`	`private SsaVariable getRefinedVariable(SsaVariable variable) {`
`47`	`47`	`result = variable.getDefinition().(SsaRefinementNode).getAnInput()`
	`48`	`+ or`
	`49`	`+ result = variable.getDefinition().(SsaPhiNode).getRephinedVariable()`
`48`	`50`	`}`
`49`	`51`
`50`	`52`	`private SsaVariable getARefinementOf(SsaVariable variable) { variable = getRefinedVariable(result) }`