JS: Unify access paths for captured variables

asger-semmle · asger-semmle · commit f3c80c738ec9 · 2019-04-18T11:27:15.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll
@@ -53,7 +53,12 @@ private SsaVariable getARefinementOf(SsaVariable variable) {
  */
 private newtype TAccessPath =
   MkSsaRoot(SsaVariable var) {
-    not exists(getRefinedVariable(var))
+    not exists(getRefinedVariable(var)) and
+    not var.getSourceVariable().isCaptured()
+  }
+  or
+  MkCapturedRoot(LocalVariable var) {
+    var.isCaptured()
   }
   or
   MkThisRoot(Function function) { function.getThisBinder() = function } or
@@ -78,6 +83,12 @@ class AccessPath extends TAccessPath {
       result = getARefinementOf*(var).getAUseIn(bb)
     )
     or
+    exists(Variable var |
+      this = MkCapturedRoot(var) and
+      result = var.getAnAccess() and
+      result.getBasicBlock() = bb
+    )
+    or
     exists(ThisExpr this_ |
       this = MkThisRoot(this_.getBinder()) and
       result = this_ and
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -12,7 +12,6 @@
 | callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
 | callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
-| captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:13:12:13:12 | x |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | closure.js:6:15:6:22 | source() | closure.js:8:8:8:31 | string. ... (taint) |
 | closure.js:6:15:6:22 | source() | closure.js:9:8:9:25 | string.trim(taint) |
