fix counting safe function call depth

rhysd · rhysd · commit 9e16139345b9 · 2024-10-26T12:23:37.000+09:00
diff --git a/expr_insecure.go b/expr_insecure.go
@@ -305,6 +305,9 @@ func (u *UntrustedInputChecker) OnVisitNodeEnter(n ExprNode) {
 func (u *UntrustedInputChecker) OnVisitNodeLeave(n ExprNode) {
 	// Skip unsafe checks if we are inside of safe function call expression
 	if u.safeCalls > 0 {
+		if f, ok := n.(*FuncCallNode); ok && isSafeFuncCall(f) {
+			u.safeCalls--
+		}
 		return
 	}
 
@@ -323,11 +326,6 @@ func (u *UntrustedInputChecker) OnVisitNodeLeave(n ExprNode) {
 		u.onIndexAccess()
 	case *ArrayDerefNode:
 		u.onObjectFilter()
-	case *FuncCallNode:
-		if isSafeFuncCall(n) {
-			u.safeCalls--
-		}
-		u.end()
 	default:
 		u.end()
 	}
diff --git a/expr_insecure_test.go b/expr_insecure_test.go
@@ -82,6 +82,9 @@ func testRunTrustedInputsCheckerForNode(t *testing.T, c *UntrustedInputChecker,
 		}
 	})
 	c.OnVisitEnd()
+	if c.safeCalls != 0 {
+		t.Fatalf("%q safe calls counter is not zero: %d", input, c.safeCalls)
+	}
 }
 
 func TestExprInsecureDetectUntrustedValue(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,9 @@ func testRunTrustedInputsCheckerForNode(t testing.T, c UntrustedInputChecker,`
`82`	`82`	`}`
`83`	`83`	`})`
`84`	`84`	`c.OnVisitEnd()`
	`85`	`+ if c.safeCalls != 0 {`
	`86`	`+ t.Fatalf("%q safe calls counter is not zero: %d", input, c.safeCalls)`
	`87`	`+ }`
`85`	`88`	`}`
`86`	`89`
`87`	`90`	`func TestExprInsecureDetectUntrustedValue(t *testing.T) {`