Merge pull request #3497 from esbena/js/yield-and-local-objects

semmle-qlci · web-flow · commit 0c081a8e87f1 · 2020-05-19T09:02:22.000+01:00
Approved by asgerf, erik-krogh
diff --git a/change-notes/1.25/analysis-javascript.md b/change-notes/1.25/analysis-javascript.md
@@ -41,6 +41,7 @@
 | Unknown directive (`js/unknown-directive`) | Less results | This query no longer flags directives generated by the Babel compiler. |
 | Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving NoSQL code operators are now recognized. |
 | Zip Slip (`js/zipslip`) | More results | This query now recognizes additional vulnerabilities. |
+| Unused property (`js/unused-property`) | Less results | This query no longer flags properties of objects that are operands of `yield` expressions. |
 
 ## Changes to libraries
 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/LocalObjects.qll b/javascript/ql/src/semmle/javascript/dataflow/LocalObjects.qll
@@ -12,6 +12,8 @@ private predicate isEscape(DataFlow::Node escape, string cause) {
   or
   escape = any(DataFlow::FunctionNode fun).getAReturn() and cause = "return"
   or
+  escape = any(YieldExpr yield).getOperand().flow() and cause = "yield"
+  or
   escape = any(ThrowStmt t).getExpr().flow() and cause = "throw"
   or
   escape = any(GlobalVariable v).getAnAssignedExpr().flow() and cause = "global"
diff --git a/javascript/ql/test/library-tests/LocalObjects/tst.js b/javascript/ql/test/library-tests/LocalObjects/tst.js
@@ -89,3 +89,9 @@
 	let bound = {};
 	bound::unknown();
 });
+
+(async function* f() {
+  yield* {
+    get p() { }
+  };
+});
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst-yield.js b/javascript/ql/test/query-tests/Declarations/UnusedProperty/tst-yield.js
@@ -0,0 +1,5 @@
+async function* f() {
+  yield* {
+    get p() { }
+  };
+}
