Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit e10a22e

Browse files
asgerfasgerf
committed
JS: Restrict size of some predicates
1 parent daab3c1 commit e10a22e

1 file changed

Lines changed: 9 additions & 6 deletions

File tree

javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutingAssignment.qll

Lines changed: 9 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -41,8 +41,8 @@ module PrototypePollutingAssignment {
4141
) {
4242
// Step from x -> obj[x] while switching to the ObjectPrototype label
4343
// (If `x` can have the value `__proto__` then the result can be Object.prototype)
44-
exists(DataFlow::PropRead read |
45-
pred = read.getPropertyNameExpr().flow() and
44+
exists(DynamicPropRead read |
45+
pred = read.getPropertyNameNode() and
4646
succ = read and
4747
inlbl.isTaint() and
4848
outlbl instanceof ObjectPrototype and
@@ -53,7 +53,7 @@ module PrototypePollutingAssignment {
5353
// Exclude cases where the read has no prototype, or a prototype other than Object.prototype.
5454
not read = prototypeLessObject().getAPropertyRead() and
5555
// Exclude cases where this property has just been assigned to
56-
not read.(DynamicPropRead).hasDominatingAssignment()
56+
not read.hasDominatingAssignment()
5757
)
5858
or
5959
// Same as above, but for property projection.
@@ -69,8 +69,8 @@ module PrototypePollutingAssignment {
6969
override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {
7070
super.isLabeledBarrier(node, lbl)
7171
or
72-
// Don't propagate the receiver into method calls, as the method lookup will fail on Object.prototype.
73-
node = any(DataFlow::MethodCallNode m).getReceiver() and
72+
// Don't propagate into the receiver, as the method lookups will generally fail on Object.prototype.
73+
node instanceof DataFlow::ThisNode and
7474
lbl instanceof ObjectPrototype
7575
}
7676

@@ -117,7 +117,10 @@ module PrototypePollutingAssignment {
117117
DataFlow::ValueNode {
118118
override PropAccess astNode;
119119

120-
PropertyPresenceCheck() { not isPropertyPresentOnObjectPrototype(astNode.getPropertyName()) }
120+
PropertyPresenceCheck() {
121+
astNode = any(ConditionGuardNode c).getTest() and // restrict size of charpred
122+
not isPropertyPresentOnObjectPrototype(astNode.getPropertyName())
123+
}
121124

122125
override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
123126
e = astNode.getBase() and

0 commit comments

Comments
 (0)