JS: Restrict AP length in prototype-polluting function

asgerf · asgerf · commit 0cdda8716126 · 2025-01-06T14:33:41.000+01:00
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
@@ -277,6 +277,12 @@ module PropNameTrackingConfig implements DataFlow::StateConfigSig {
     node instanceof DataFlow::VarAccessBarrier or
     node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()
   }
+
+  int accessPathLimit() {
+    // Speed up the query. For the pattern we're looking for the value rarely
+    // flows through any contents, apart from a capture content.
+    result = 1
+  }
 }
 
 class FlowState = PropNameTrackingConfig::FlowState;

Original file line number	Diff line number	Diff line change
`@@ -277,6 +277,12 @@ module PropNameTrackingConfig implements DataFlow::StateConfigSig {`
`277`	`277`	`node instanceof DataFlow::VarAccessBarrier or`
`278`	`278`	`node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()`
`279`	`279`	`}`
	`280`	`+`
	`281`	`+ int accessPathLimit() {`
	`282`	`+ // Speed up the query. For the pattern we're looking for the value rarely`
	`283`	`+ // flows through any contents, apart from a capture content.`
	`284`	`+ result = 1`
	`285`	`+ }`
`280`	`286`	`}`
`281`	`287`
`282`	`288`	`class FlowState = PropNameTrackingConfig::FlowState;`