two bugfixes

erik-krogh · erik-krogh · commit b4b05696e138 · 2020-03-09T16:45:03.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/Arrays.qll b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -187,6 +187,8 @@ private module ArrayDataFlow {
    *
    * And array elements can be stored into a resulting array using `map(...)`.
    * E.g. in `arr.map(e => foo)`, the resulting array (`arr.map(e => foo)`) will contain the element `foo`.
+   *
+   * And the second parameter in the callback is the array ifself, so there is a `loadStoreStep` from the array to that second parameter.
    */
   private class ArrayIteration extends DataFlow::AdditionalFlowStep, DataFlow::MethodCallNode {
     ArrayIteration() {
@@ -200,7 +202,7 @@ private module ArrayDataFlow {
     override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
       prop = arrayElement() and
       pred = this.getReceiver() and
-      succ = getCallback(0).getParameter(any(int i | i = 0 or i = 2))
+      succ = getCallback(0).getParameter(0)
     }
 
     /**
@@ -212,6 +214,15 @@ private module ArrayDataFlow {
       pred = this.getCallback(0).getAReturn() and
       succ = this
     }
+
+    /**
+     * Holds if the property `prop` should be copied from the object `pred` to the object `succ`.
+     */
+    override predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      prop = arrayElement() and
+      pred = this.getReceiver() and
+      succ = getCallback(0).getParameter(2)
+    }
   }
 
   /**
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -612,7 +612,7 @@ class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {
   DataFlow::ValueNode getElement(int i) {
     result = this.(ArrayLiteralNode).getElement(i) or
     result = this.(ArrayConstructorInvokeNode).getElement(i) or
-    exists(DataFlow::CallNode call | call.getCalleeName() = "from" | 
+    exists(DataFlow::CallNode call | call.getCalleeName() = "from" and call = this | 
       result = call.getArgument(i)
     )
   }
@@ -624,7 +624,7 @@ class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {
   int getSize() {
     result = this.(ArrayLiteralNode).getSize() or
     result = this.(ArrayConstructorInvokeNode).getSize() or
-    exists(DataFlow::CallNode call | call.getCalleeName() = "from" | 
+    exists(DataFlow::CallNode call | call.getCalleeName() = "from" and call = this | 
       result = call.getNumArgument()
     )
   }
diff --git a/javascript/ql/test/library-tests/Arrays/arrays.js b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -39,4 +39,10 @@
     arr6[i] = arr5[i];
   }
   sink(arr6.pop()); // NOT OK
+
+
+  Array.from("source").forEach((e, i, ary) => {
+    sink(ary.pop()); // NOT OK
+    sink(ary); // OK - its the array itself, not an element.
+  })
 });

Original file line number	Diff line number	Diff line change
`@@ -612,7 +612,7 @@ class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {`
`612`	`612`	`DataFlow::ValueNode getElement(int i) {`
`613`	`613`	`result = this.(ArrayLiteralNode).getElement(i) or`
`614`	`614`	`result = this.(ArrayConstructorInvokeNode).getElement(i) or`
`615`		`- exists(DataFlow::CallNode call \| call.getCalleeName() = "from" \|`
	`615`	`+ exists(DataFlow::CallNode call \| call.getCalleeName() = "from" and call = this \|`
`616`	`616`	`result = call.getArgument(i)`
`617`	`617`	`)`
`618`	`618`	`}`
`@@ -624,7 +624,7 @@ class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {`
`624`	`624`	`int getSize() {`
`625`	`625`	`result = this.(ArrayLiteralNode).getSize() or`
`626`	`626`	`result = this.(ArrayConstructorInvokeNode).getSize() or`
`627`		`- exists(DataFlow::CallNode call \| call.getCalleeName() = "from" \|`
	`627`	`+ exists(DataFlow::CallNode call \| call.getCalleeName() = "from" and call = this \|`
`628`	`628`	`result = call.getNumArgument()`
`629`	`629`	`)`
`630`	`630`	`}`