JS: Restrict class values flowing through globals

asger-semmle · asger-semmle · commit d3f587c12acc · 2019-10-09T12:16:11.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -674,7 +674,12 @@ class ClassNode extends DataFlow::SourceNode {
    */
   DataFlow::SourceNode getAClassReference(DataFlow::TypeTracker t) {
     t.start() and
-    result.(AnalyzedNode).getAValue() = getAbstractClassValue()
+    result.(AnalyzedNode).getAValue() = getAbstractClassValue() and
+    (
+      not CallGraph::isIndefiniteGlobal(result)
+      or
+      result.getAstNode().getFile() = this.getAstNode().getFile()
+    )
     or
     exists(DataFlow::TypeTracker t2 | result = getAClassReference(t2).track(t2, t))
   }
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/InconsistentNew.expected b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/InconsistentNew.expected
@@ -1,3 +1,2 @@
-| arraydef.js:1:1:1:19 | function Array() {} | Function Array is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). | arraycalls.js:2:1:2:13 | new Array(45) | here | arraycalls.js:1:1:1:9 | Array(45) | here |
 | m.js:1:8:1:22 | functio ...  = x;\\n} | Function A is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). | c1.js:2:1:2:9 | new A(42) | here | c2.js:2:1:2:5 | A(23) | here |
 | tst.js:1:1:1:22 | functio ...  = y;\\n} | Function Point is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). | tst.js:6:1:6:17 | new Point(23, 42) | here | tst.js:7:1:7:13 | Point(56, 72) | here |

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`		`-\| arraydef.js:1:1:1:19 \| function Array() {} \| Function Array is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). \| arraycalls.js:2:1:2:13 \| new Array(45) \| here \| arraycalls.js:1:1:1:9 \| Array(45) \| here \|`
`2`	`1`	`\| m.js:1:8:1:22 \| functio ... = x;\\n} \| Function A is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). \| c1.js:2:1:2:9 \| new A(42) \| here \| c2.js:2:1:2:5 \| A(23) \| here \|`
`3`	`2`	`\| tst.js:1:1:1:22 \| functio ... = y;\\n} \| Function Point is sometimes invoked as a constructor (for example $@), and sometimes as a normal function (for example $@). \| tst.js:6:1:6:17 \| new Point(23, 42) \| here \| tst.js:7:1:7:13 \| Point(56, 72) \| here \|`