use callgraph instead of type-inference for array taint-steps

erik-krogh · erik-krogh · commit ae56285331ff · 2021-03-02T14:06:09.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/Arrays.qll b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -25,7 +25,7 @@ module ArrayTaintTracking {
     // `array.map(function (elt, i, ary) { ... })`: if `array` is tainted, then so are
     // `elt` and `ary`; similar for `forEach`
     exists(Function f |
-      call.getArgument(0).analyze().getAValue().(AbstractFunction).getFunction() = f and
+      call.getArgument(0).getAFunctionValue(0).getFunction() = f and
       call.(DataFlow::MethodCallNode).getMethodName() = ["map", "forEach"] and
       pred = call.getReceiver() and
       succ = DataFlow::parameterNode(f.getParameter([0, 2]))
