JS: add lodash sinks for js/resource-exhaustion

esbena · esbena · commit c9f60d4c9782 · 2020-06-18T13:01:02.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
@@ -174,7 +174,8 @@ module ResourceExhaustion {
    */
   class TimerDurationSink extends Sink {
     TimerDurationSink() {
-      this = DataFlow::globalVarRef(["setTimeout", "setInterval"]).getACall().getArgument(1)
+      this = DataFlow::globalVarRef(["setTimeout", "setInterval"]).getACall().getArgument(1) or
+      this = LodashUnderscore::member(["delay", "throttle", "debounce"]).getACall().getArgument(1)
     }
 
     override DataFlow::FlowLabel getAFlowLabel() { any() }

Original file line number	Diff line number	Diff line change
`@@ -174,7 +174,8 @@ module ResourceExhaustion {`
`174`	`174`	`*/`
`175`	`175`	`class TimerDurationSink extends Sink {`
`176`	`176`	`TimerDurationSink() {`
`177`		`- this = DataFlow::globalVarRef(["setTimeout", "setInterval"]).getACall().getArgument(1)`
	`177`	`+ this = DataFlow::globalVarRef(["setTimeout", "setInterval"]).getACall().getArgument(1) or`
	`178`	`+ this = LodashUnderscore::member(["delay", "throttle", "debounce"]).getACall().getArgument(1)`
`178`	`179`	`}`
`179`	`180`
`180`	`181`	`override DataFlow::FlowLabel getAFlowLabel() { any() }`