Added support for Array.prototype.toSorted function

Napalys · Napalys · commit 3f0a54c2e81c · 2024-11-12T12:02:04.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/Arrays.qll b/javascript/ql/lib/semmle/javascript/Arrays.qll
@@ -458,4 +458,18 @@ private module ArrayLibraries {
       )
     }
   }
+
+  /**
+   * A taint propagating data flow edge arising from array transformation operations
+   * that return a new array instead of modifying the original array in place.
+   */
+  private class ImmutableArrayTransformStep extends TaintTracking::SharedTaintStep {
+    override predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(DataFlow::MethodCallNode call |
+        call.getMethodName() = "toSorted" and
+        pred = call.getReceiver() and
+        succ = call
+      )
+    }
+  }
 }
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -234,6 +234,8 @@ typeInferenceMismatch
 | tst.js:2:13:2:20 | source() | tst.js:51:10:51:31 | seriali ... ript(x) |
 | tst.js:2:13:2:20 | source() | tst.js:54:14:54:19 | unsafe |
 | tst.js:2:13:2:20 | source() | tst.js:61:10:61:20 | x.reverse() |
+| tst.js:2:13:2:20 | source() | tst.js:63:10:63:21 | x.toSorted() |
+| tst.js:2:13:2:20 | source() | tst.js:65:10:65:16 | xSorted |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
 | xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
 | xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |
diff --git a/javascript/ql/test/query-tests/NodeJS/DubiousImport/externs.js b/javascript/ql/test/query-tests/NodeJS/DubiousImport/externs.js
@@ -371,6 +371,18 @@ Array.prototype.slice = function(opt_begin, opt_end) {};
  */
 Array.prototype.sort = function(opt_compareFunction) {};
 
+/**
+ * Returns a new array with the elements sorted.
+ *
+ * @param {function(T,T):number=} opt_compareFunction Specifies a function that
+ *     defines the sort order. If omitted, the array elements are converted to strings,
+ *     then sorted according to each character's Unicode code point value.
+ * @this {{length: number}|Array.}
+ * @template T
+ * @see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/toSorted
+ */
+Array.prototype.toSorted = function(opt_compareFunction) {};
+
 /**
  * Changes the content of an array, adding new elements while removing old
  * elements.

Original file line number	Diff line number	Diff line change
`@@ -458,4 +458,18 @@ private module ArrayLibraries {`
`458`	`458`	`)`
`459`	`459`	`}`
`460`	`460`	`}`
	`461`	`+`
	`462`	`+ /**`
	`463`	`+ * A taint propagating data flow edge arising from array transformation operations`
	`464`	`+ * that return a new array instead of modifying the original array in place.`
	`465`	`+ */`
	`466`	`+ private class ImmutableArrayTransformStep extends TaintTracking::SharedTaintStep {`
	`467`	`+ override predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {`
	`468`	`+ exists(DataFlow::MethodCallNode call \|`
	`469`	`+ call.getMethodName() = "toSorted" and`
	`470`	`+ pred = call.getReceiver() and`
	`471`	`+ succ = call`
	`472`	`+ )`
	`473`	`+ }`
	`474`	`+ }`
`461`	`475`	`}`