support VarRef

tyage · tyage · commit 8a7f23a8ea41 · 2022-10-04T14:45:39.000+09:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -729,9 +729,9 @@ module TaintTracking {
     // find target in root object recursively
     private predicate findInObject(Expr root, Expr target) {
       // when root is Object
-      exists(ObjectExpr object, Property property, Expr propertyVal |
-        object = root and
-        property = object.getAProperty() and
+      exists(Property property, Expr propertyVal |
+        root instanceof ObjectExpr and
+        property = root.(ObjectExpr).getAProperty() and
         propertyVal = property.getInit() and
         (
           target = property.getNameExpr() or
@@ -741,14 +741,24 @@ module TaintTracking {
       )
       or
       // when root is Array
-      exists(ArrayExpr array, Expr child |
-        array = root and
-        child = array.getAChildExpr() and
+      exists(Expr child |
+        root instanceof ArrayExpr and
+        child = root.(ArrayExpr).getAChildExpr() and
         (
           target = child or
           findInObject(child, target)
         )
       )
+      or
+      // when root is VarRef
+      exists(Expr var |
+        root instanceof VarRef and
+        var = root.(VarRef).getAVariable().getAnAssignedExpr() and
+        (
+          target = var or
+          findInObject(var, target)
+        )
+      )
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -729,9 +729,9 @@ module TaintTracking {`
`729`	`729`	`// find target in root object recursively`
`730`	`730`	`private predicate findInObject(Expr root, Expr target) {`
`731`	`731`	`// when root is Object`
`732`		`- exists(ObjectExpr object, Property property, Expr propertyVal \|`
`733`		`- object = root and`
`734`		`- property = object.getAProperty() and`
	`732`	`+ exists(Property property, Expr propertyVal \|`
	`733`	`+ root instanceof ObjectExpr and`
	`734`	`+ property = root.(ObjectExpr).getAProperty() and`
`735`	`735`	`propertyVal = property.getInit() and`
`736`	`736`	`(`
`737`	`737`	`target = property.getNameExpr() or`
`@@ -741,14 +741,24 @@ module TaintTracking {`
`741`	`741`	`)`
`742`	`742`	`or`
`743`	`743`	`// when root is Array`
`744`		`- exists(ArrayExpr array, Expr child \|`
`745`		`- array = root and`
`746`		`- child = array.getAChildExpr() and`
	`744`	`+ exists(Expr child \|`
	`745`	`+ root instanceof ArrayExpr and`
	`746`	`+ child = root.(ArrayExpr).getAChildExpr() and`
`747`	`747`	`(`
`748`	`748`	`target = child or`
`749`	`749`	`findInObject(child, target)`
`750`	`750`	`)`
`751`	`751`	`)`
	`752`	`+ or`
	`753`	`+ // when root is VarRef`
	`754`	`+ exists(Expr var \|`
	`755`	`+ root instanceof VarRef and`
	`756`	`+ var = root.(VarRef).getAVariable().getAnAssignedExpr() and`
	`757`	`+ (`
	`758`	`+ target = var or`
	`759`	`+ findInObject(var, target)`
	`760`	`+ )`
	`761`	`+ )`
`752`	`762`	`}`
`753`	`763`	`}`
`754`	`764`