
Commit cff8dc0

committed
JS: Improve flow through Array.prototype.reduce
1 parent bbb6d08 commit cff8dc0


3 files changed

+20
-3
lines changed


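--- a/javascript/ql/lib/semmle/javascript/Arrays.qll
+++ b/javascript/ql/lib/semmle/javascript/Arrays.qll
@@ -45,9 +45,20 @@ module ArrayTaintTracking {
 )
 or
 // `array.reduce` with tainted value in callback
+// The callback parameters are: (previousValue, currentValue, currentIndex, array)
 call.(DataFlow::MethodCallNode).getMethodName() = "reduce" and
-pred = call.getArgument(0).(DataFlow::FunctionNode).getAReturn() and // Require the argument to be a closure to avoid spurious call/return flow
-succ = call
+exists(DataFlow::FunctionNode callback |
+callback = call.getArgument(0) // Require the argument to be a closure to avoid spurious call/return flow
+|
+pred = callback.getAReturn() and
+succ = call
+or
+pred = call.getReceiver() and
+succ = callback.getParameter([1, 3]) // into currentValue or array
+or
+pred = [call.getArgument(1), callback.getAReturn()] and
+succ = callback.getParameter(0) // into previousValue
+)
 or
 // `array.push(e)`, `array.unshift(e)`: if `e` is tainted, then so is `array`.
 pred = call.getAnArgument() and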
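Review bot: The new disjunct that seeds `previousValue` only from `call.getArgument(1)` or the callback's own return (the `succ = callback.getParameter(0)` case) misses `reduce` called without an initial value, where the runtime seeds `previousValue` with the receiver's first element, so it is tainted whenever the array is. Adding a disjunct `not exists(call.getArgument(1)) and pred = call.getReceiver() and succ = callback.getParameter(0)` inside the `exists` would close that gap. In the same no-initial-value case a single-element array makes the call return that element without invoking the callback at all, so `pred = call.getReceiver() and succ = call` would also be justified there. `Array.prototype.reduceRight` has the identical callback shape but `getMethodName() = "reduce"` does not match it; unless it is handled elsewhere in this file, `getMethodName() = ["reduce", "reduceRight"]` would cover it. The enclosing predicate starts and ends outside the hunk.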

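--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -16,6 +16,7 @@ typeInferenceMismatch
 | arrays.js:2:15:2:22 | source() | arrays.js:8:10:8:22 | arrayIfy(foo) |
 | arrays.js:2:15:2:22 | source() | arrays.js:11:10:11:28 | union(["bla"], foo) |
 | arrays.js:2:15:2:22 | source() | arrays.js:14:10:14:18 | flat(foo) |
+| arrays.js:2:15:2:22 | source() | arrays.js:19:10:19:12 | res |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:13:10:13:10 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:19:10:19:10 | x |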

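--- a/javascript/ql/test/library-tests/TaintTracking/arrays.js
+++ b/javascript/ql/test/library-tests/TaintTracking/arrays.js
@@ -12,4 +12,9 @@ function test() {
 
 const flat = require("arr-flatten");
 sink(flat(foo)); // NOT OK
-}
+
+let res = foo.reduce((prev, current) => {
+return prev + '<b>' + current + '</b>';
+}, '');
+sink(res); // NOT OK
+}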
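Review bot: The added case only exercises `reduce` with an explicit initial value (`''`), so the form without an initial value, where `prev` is seeded from the first array element, is not covered by this test. A second case such as `let res2 = foo.reduce((prev, current) => prev); sink(res2); // NOT OK` would pin that flow, with a matching row in BasicTaintTracking.expected; as far as the new steps in Arrays.qll show, that case does not appear to be modelled yet, so it would likely expose a gap rather than pass immediately. The enclosing `test()` function starts outside the hunk.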
