JS: Target post-update node instead of getALocalSource

asgerf · asgerf · commit a54f0a74f116 · 2025-02-17T15:00:02.000+01:00
getAPropertyWrite() contains getALocalSource() under the the hood. Don't rely on that to find the successor of a mutation.
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -409,7 +409,7 @@ module TaintTracking {
         not assgn.getWriteNode() instanceof Property and // not a write inside an object literal
         pred = assgn.getRhs() and
         assgn = obj.getAPropertyWrite() and
-        succ = obj
+        succ = assgn.getBase().getPostUpdateNode()
       |
         obj instanceof DataFlow::ObjectLiteralNode
         or

Original file line number	Diff line number	Diff line change
`@@ -409,7 +409,7 @@ module TaintTracking {`
`409`	`409`	`not assgn.getWriteNode() instanceof Property and // not a write inside an object literal`
`410`	`410`	`pred = assgn.getRhs() and`
`411`	`411`	`assgn = obj.getAPropertyWrite() and`
`412`		`- succ = obj`
	`412`	`+ succ = assgn.getBase().getPostUpdateNode()`
`413`	`413`	`\|`
`414`	`414`	`obj instanceof DataFlow::ObjectLiteralNode`
`415`	`415`	`or`