
Commit 446896b

committed
rewrite some expression based predicates in TaintTracking.qll
1 parent b62e5b1 commit 446896b


1 file changed

+16
-17
lines changed


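--- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -580,16 +580,15 @@ module TaintTracking {
 */
 private class ComputedPropWriteTaintStep extends SharedTaintStep {
 override predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {
-exists(AssignExpr assgn, IndexExpr idx, DataFlow::SourceNode obj |
-assgn.getTarget() = idx and
-obj.flowsToExpr(idx.getBase()) and
-not exists(idx.getPropertyName()) and
-pred = DataFlow::valueNode(assgn.getRhs()) and
+exists(DataFlow::PropWrite assgn, DataFlow::SourceNode obj |
+not exists(assgn.getPropertyName()) and
+pred = assgn.getRhs() and
+assgn = obj.getAPropertyWrite() and
 succ = obj
 |
 obj instanceof DataFlow::ObjectLiteralNode
 or
-obj.getAPropertyRead("length").flowsToExpr(idx.getPropertyNameExpr())
+obj.getAPropertyRead("length").flowsToExpr(assgn.getPropertyNameExpr())
 )
 }
 }
@@ -614,8 +613,8 @@ module TaintTracking {
 override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node target) {
 exists(DataFlow::ValueNode succ | target = succ |
 // string operations that propagate taint
-exists(string name | name = succ.getAstNode().(MethodCallExpr).getMethodName() |
-pred.asExpr() = succ.getAstNode().(MethodCallExpr).getReceiver() and
+exists(string name | name = succ.(DataFlow::MethodCallNode).getMethodName() |
+pred = succ.(DataFlow::MethodCallNode).getReceiver() and
 (
 // sorted, interesting, properties of String.prototype
 name =
@@ -634,7 +633,7 @@ module TaintTracking {
 name = "join"
 )
 or
-exists(int i | pred.asExpr() = succ.getAstNode().(MethodCallExpr).getArgument(i) |
+exists(int i | pred = succ.(DataFlow::MethodCallNode).getArgument(i) |
 name = "concat"
 or
 name = ["replace", "replaceAll"] and i = 1
@@ -649,10 +648,10 @@ module TaintTracking {
 )
 or
 // String.fromCharCode and String.fromCodePoint
-exists(int i, MethodCallExpr mce |
-mce = succ.getAstNode() and
-pred.asExpr() = mce.getArgument(i) and
-(mce.getMethodName() = "fromCharCode" or mce.getMethodName() = "fromCodePoint")
+exists(int i, DataFlow::MethodCallNode mcn |
+mcn = succ and
+pred = mcn.getArgument(i) and
+mcn.getMethodName() = ["fromCharCode", "fromCodePoint"]
 )
 or
 // `(encode|decode)URI(Component)?` propagate taint
@@ -778,11 +777,11 @@ module TaintTracking {
 * the parameters in `input`.
 */
 predicate isUrlSearchParams(DataFlow::SourceNode params, DataFlow::Node input) {
-exists(DataFlow::GlobalVarRefNode urlSearchParams, NewExpr newUrlSearchParams |
+exists(DataFlow::GlobalVarRefNode urlSearchParams, DataFlow::NewNode newUrlSearchParams |
 urlSearchParams.getName() = "URLSearchParams" and
-newUrlSearchParams = urlSearchParams.getAnInstantiation().asExpr() and
-params.asExpr() = newUrlSearchParams and
-input.asExpr() = newUrlSearchParams.getArgument(0)
+newUrlSearchParams = urlSearchParams.getAnInstantiation() and
+params = newUrlSearchParams and
+input = newUrlSearchParams.getArgument(0)
 )
 }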
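Review bot: The rewrite of `ComputedPropWriteTaintStep.heapStep` in the first hunk is not a pure refactor: `DataFlow::PropWrite` reached through `obj.getAPropertyWrite()` matches more write forms than an `AssignExpr` whose target is an `IndexExpr` (presumably computed keys in object-literal initializers and the other property-write shapes the data-flow library models), so the container now becomes tainted from those writes as well, which changes which sinks downstream taint queries reach. That widening looks intended, but the class doc comment, which starts above the hunk, should state it, e.g. `// Any property write with a non-constant key (not only an assignment to a computed index) taints the container.` The same applies to the `stringManipulationStep` hunks, where `succ.(DataFlow::MethodCallNode)` replaces `succ.getAstNode().(MethodCallExpr)`; I believe `MethodCallNode` also covers reflective `.call`/`.apply` invocations, whose `getReceiver()` and `getArgument(i)` are shifted accordingly, so a one-line comment or a test case pinning that these extra steps are deliberate would make the behavioural change reviewable. The `isUrlSearchParams` hunk drops only `.asExpr()` round-trips and looks equivalent.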
