JS: Exclude some sinks in UnvalidatedDynamicMethodCall

asgerf · asgerf · commit 4c9f406e34be · 2025-01-06T10:32:11.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll
@@ -182,7 +182,11 @@ module UnvalidatedDynamicMethodCall {
       exists(InvokeExpr invk |
         this = invk.getCallee().flow() and
         // don't flag invocations inside a try-catch
-        not invk.getASuccessor() instanceof CatchClause
+        not invk.getASuccessor() instanceof CatchClause and
+        // Filter out `foo.bar()` calls as they usually aren't interesting.
+        // Technically this could be reachable if preceded by `foo.bar = obj[taint]`
+        // but such sinks are more likely to be FPs and also slow down the query.
+        not invk.getCallee() instanceof DotExpr
       )
     }
 

Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,11 @@ module UnvalidatedDynamicMethodCall {`
`182`	`182`	`exists(InvokeExpr invk \|`
`183`	`183`	`this = invk.getCallee().flow() and`
`184`	`184`	`// don't flag invocations inside a try-catch`
`185`		`- not invk.getASuccessor() instanceof CatchClause`
	`185`	`+ not invk.getASuccessor() instanceof CatchClause and`
	`186`	+ // Filter out `foo.bar()` calls as they usually aren't interesting.
	`187`	+ // Technically this could be reachable if preceded by `foo.bar = obj[taint]`
	`188`	`+ // but such sinks are more likely to be FPs and also slow down the query.`
	`189`	`+ not invk.getCallee() instanceof DotExpr`
`186`	`190`	`)`
`187`	`191`	`}`
`188`	`192`