JS: bugfix in indexOf-based include test

asger-semmle · asger-semmle · commit b6626995cf70 · 2019-01-18T10:40:48.000Z
diff --git a/javascript/ql/src/semmle/javascript/StringOps.qll b/javascript/ql/src/semmle/javascript/StringOps.qll
@@ -250,15 +250,15 @@ module StringOps {
         polarity = true and
         greater = indexOf and
         (
-          lesser.getIntValue() >= 0
+          lesser.getIntValue() = 0 and astNode.isInclusive()
           or
           lesser.getIntValue() = -1 and not astNode.isInclusive()
         )
         or
         polarity = false and
         lesser = indexOf and
         (
-          greater.getIntValue() = -1
+          greater.getIntValue() = -1 and astNode.isInclusive()
           or
           greater.getIntValue() = 0 and not astNode.isInclusive()
         )
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -688,6 +688,31 @@ module TaintTracking {
     override predicate appliesTo(Configuration cfg) { any() }
   }
 
+  /**
+   * A check of form `x.indexOf(y) > 0` or similar, which sanitizes `y` in the "then" branch.
+   *
+   * The more typical case of `x.indexOf(y) >= 0` is covered by `StringInclusionSanitizer`.
+   */
+  class PositiveIndexOfSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
+    MethodCallExpr indexOf;
+    override RelationalComparison astNode;
+
+    PositiveIndexOfSanitizer() {
+      indexOf.getMethodName() = "indexOf" and
+      exists (int bound |
+        astNode.getGreaterOperand() = indexOf and
+        astNode.getLesserOperand().getIntValue() = bound and
+        bound >= 0)
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      outcome = true and
+      e = indexOf.getArgument(0)
+    }
+
+    override predicate appliesTo(Configuration cfg) { any() }
+  }
+
   /** A check of the form `if(x == 'some-constant')`, which sanitizes `x` in its "then" branch. */
   class ConstantComparison extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
     Expr x;
diff --git a/javascript/ql/test/library-tests/StringOps/Includes/Includes.expected b/javascript/ql/test/library-tests/StringOps/Includes/Includes.expected
@@ -0,0 +1,7 @@
+| tst.js:4:7:4:19 | A.includes(B) | tst.js:4:7:4:7 | A | tst.js:4:18:4:18 | B | true |
+| tst.js:5:7:5:22 | _.includes(A, B) | tst.js:5:18:5:18 | A | tst.js:5:21:5:21 | B | true |
+| tst.js:6:7:6:25 | A.indexOf(B) !== -1 | tst.js:6:7:6:7 | A | tst.js:6:17:6:17 | B | true |
+| tst.js:7:7:7:23 | A.indexOf(B) >= 0 | tst.js:7:7:7:7 | A | tst.js:7:17:7:17 | B | true |
+| tst.js:8:7:8:19 | ~A.indexOf(B) | tst.js:8:8:8:8 | A | tst.js:8:18:8:18 | B | true |
+| tst.js:11:7:11:25 | A.indexOf(B) === -1 | tst.js:11:7:11:7 | A | tst.js:11:17:11:17 | B | false |
+| tst.js:12:7:12:22 | A.indexOf(B) < 0 | tst.js:12:7:12:7 | A | tst.js:12:17:12:17 | B | false |
diff --git a/javascript/ql/test/library-tests/StringOps/Includes/Includes.ql b/javascript/ql/test/library-tests/StringOps/Includes/Includes.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from StringOps::Includes include
+select include, include.getBaseString(), include.getSubstring(), include.getPolarity()
diff --git a/javascript/ql/test/library-tests/StringOps/Includes/tst.js b/javascript/ql/test/library-tests/StringOps/Includes/tst.js
@@ -0,0 +1,18 @@
+import * as _ from 'lodash';
+
+function test() {
+  if (A.includes(B)) {}
+  if (_.includes(A, B)) {}
+  if (A.indexOf(B) !== -1) {}
+  if (A.indexOf(B) >= 0) {}
+  if (~A.indexOf(B)) {}
+  
+  // negated
+  if (A.indexOf(B) === -1) {}
+  if (A.indexOf(B) < 0) {}
+  
+  // non-examples
+  if (A.indexOf(B) === 0) {}
+  if (A.indexOf(B) !== 0) {}
+  if (A.indexOf(B) > 0) {}
+}
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -5,6 +5,7 @@
 | constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:30:8:30:19 | d_safe.taint |
 | constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:17:8:17:14 | c.param |
 | constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:25:8:25:14 | d.param |
+| indexOf.js:4:11:4:18 | source() | indexOf.js:9:10:9:10 | x |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:17:14:17:14 | x |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:20:14:20:14 | y |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |
diff --git a/javascript/ql/test/library-tests/TaintTracking/indexOf.js b/javascript/ql/test/library-tests/TaintTracking/indexOf.js
@@ -0,0 +1,15 @@
+let whitelist = ['a', 'b', 'c'];
+
+function test() {
+  let x = source();
+  
+  if (whitelist.indexOf(x) < -1) {
+    // unreachable
+  } else {
+    sink(x); // NOT OK
+  }
+
+  if (whitelist.indexOf(x) > 1) {
+    sink(x) // OK
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -250,15 +250,15 @@ module StringOps {`
`250`	`250`	`polarity = true and`
`251`	`251`	`greater = indexOf and`
`252`	`252`	`(`
`253`		`- lesser.getIntValue() >= 0`
	`253`	`+ lesser.getIntValue() = 0 and astNode.isInclusive()`
`254`	`254`	`or`
`255`	`255`	`lesser.getIntValue() = -1 and not astNode.isInclusive()`
`256`	`256`	`)`
`257`	`257`	`or`
`258`	`258`	`polarity = false and`
`259`	`259`	`lesser = indexOf and`
`260`	`260`	`(`
`261`		`- greater.getIntValue() = -1`
	`261`	`+ greater.getIntValue() = -1 and astNode.isInclusive()`
`262`	`262`	`or`
`263`	`263`	`greater.getIntValue() = 0 and not astNode.isInclusive()`
`264`	`264`	`)`