JS: Add another test and TODO about an issue with constant array indices

asgerf · asgerf · commit 63bd75789560 · 2024-09-05T13:44:54.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/Contents.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/Contents.qll
@@ -255,7 +255,10 @@ module Public {
     Content asSingleton() { this = MkSingletonContent(result) }
 
     /** Gets the property name to be accessed. */
-    PropertyName asPropertyName() { result = this.asSingleton().asPropertyName() }
+    PropertyName asPropertyName() {
+      // TODO: array indices should be mapped to a ContentSet that also reads from UnknownArrayElement
+      result = this.asSingleton().asPropertyName()
+    }
 
     /** Gets the array index to be accessed. */
     int asArrayIndex() { result = this.asSingleton().asArrayIndex() }
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -51,6 +51,9 @@ flow
 | array-mutation.js:31:33:31:40 | source() | array-mutation.js:32:8:32:8 | h |
 | array-mutation.js:35:36:35:43 | source() | array-mutation.js:36:8:36:8 | i |
 | array-mutation.js:39:17:39:24 | source() | array-mutation.js:40:8:40:8 | j |
+| array-mutation.js:43:10:43:17 | source() | array-mutation.js:44:8:44:11 | k[0] |
+| array-mutation.js:43:10:43:17 | source() | array-mutation.js:45:8:45:11 | k[1] |
+| array-mutation.js:43:10:43:17 | source() | array-mutation.js:46:8:46:11 | k[2] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:17:8:17:13 | arr[1] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:22:8:22:13 | arr[6] |
 | arrays-init.js:2:16:2:23 | source() | arrays-init.js:28:8:28:13 | arr[1] |
diff --git a/javascript/ql/test/library-tests/TripleDot/tst.js b/javascript/ql/test/library-tests/TripleDot/tst.js
@@ -163,3 +163,12 @@ function t15() {
     args.push(source('t15.1'));
     target('safe', ...args);
 }
+
+function t16() {
+    let array = new Array(Math.floor(Math.random() * 10))
+    array.push(source("t16.1"));
+    sink(array[0]); // $ MISSING: hasValueFlow=t16.1 SPURIOUS: hasTaintFlow=t16.1
+    sink(array[1]); // $ MISSING: hasValueFlow=t16.1 SPURIOUS: hasTaintFlow=t16.1
+    sink(array[2]); // $ MISSING: hasValueFlow=t16.1 SPURIOUS: hasTaintFlow=t16.1
+    sink(array); // $ hasTaintFlow=t16.1
+}
