ensure an indexOf call is equivalent with itself. (getAUse() is used later to find matching indexOf calls)

erik-krogh · erik-krogh · commit d5529e3a7ec2 · 2025-01-21T09:42:30.000+01:00
diff --git a/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql b/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
@@ -44,6 +44,8 @@ class IndexOfCall extends DataFlow::MethodCallNode {
    * Gets an `indexOf` call with the same receiver, argument, and method name, including this call itself.
    */
   IndexOfCall getAnEquivalentIndexOfCall() {
+    result = this
+    or
     exists(DataFlow::Node recv, string m |
       this.receiverAndMethodName(recv, m) and result.receiverAndMethodName(recv, m)
     |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/IncorrectSuffixCheck.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/IncorrectSuffixCheck.expected
@@ -9,5 +9,4 @@
 | tst.js:67:32:67:71 | x.index ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:76:25:76:57 | index = ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:80:10:80:57 | x.index ... th + 1) | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
-| tst.js:105:23:105:80 | ind === ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:110:65:110:164 | trusted ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js
@@ -102,7 +102,7 @@ function sameCheck(allowedOrigin) {
     const trustedAuthority = "example.com";
 
     const ind = trustedAuthority.indexOf("." + allowedOrigin);
-    return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; // OK - but currently failing
+    return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; // OK
 }
 
 function sameConcatenation(allowedOrigin) {

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,8 @@ class IndexOfCall extends DataFlow::MethodCallNode {`
`44`	`44`	* Gets an `indexOf` call with the same receiver, argument, and method name, including this call itself.
`45`	`45`	`*/`
`46`	`46`	`IndexOfCall getAnEquivalentIndexOfCall() {`
	`47`	`+ result = this`
	`48`	`+ or`
`47`	`49`	`exists(DataFlow::Node recv, string m \|`
`48`	`50`	`this.receiverAndMethodName(recv, m) and result.receiverAndMethodName(recv, m)`
`49`	`51`	`\|`
Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ function sameCheck(allowedOrigin) {`
`102`	`102`	`const trustedAuthority = "example.com";`
`103`	`103`
`104`	`104`	`const ind = trustedAuthority.indexOf("." + allowedOrigin);`
`105`		`- return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; // OK - but currently failing`
	`105`	`+ return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; // OK`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`function sameConcatenation(allowedOrigin) {`