JS: introduce RelationalComparison.isInclucive

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 2b41f62eb068 · 2018-08-23T14:51:39.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/Expr.qll b/javascript/ql/src/semmle/javascript/Expr.qll
@@ -1545,6 +1545,14 @@ class RelationalComparison extends Comparison {
   Expr getGreaterOperand() {
     result = getAnOperand() and result != getLesserOperand()
   }
+
+  /**
+   * Holds if this is a comparison with `<=` or `>=`.
+   */
+  predicate isInclusive() {
+    this instanceof LEExpr or
+    this instanceof GEExpr
+  }
 }
 
 /** A (pre or post) increment expression. */
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -643,16 +643,6 @@ module TaintTracking {
 
   }
 
-  /**
-   * A less-than or greater-than expression
-   */
-  private class ExclusiveRelationalComparison extends RelationalComparison {
-    ExclusiveRelationalComparison() {
-      this instanceof LTExpr or
-      this instanceof GTExpr
-    }
-  }
-
   /** 
    * A check of the form `if(whitelist.indexOf(x) >= 0)`, which sanitizes `x` in its "then" branch. 
    *
@@ -671,17 +661,17 @@ module TaintTracking {
         polarity = true and
         greater = indexOf and
         (
-          lesser.getIntValue() = 0 
+          lesser.getIntValue() >= 0
           or
-          lesser.getIntValue() = -1 and astNode instanceof ExclusiveRelationalComparison
+          lesser.getIntValue() = -1 and not astNode.isInclusive()
         )
         or 
         polarity = false and
         lesser = indexOf and
         (
           greater.getIntValue() = -1
           or
-          greater.getIntValue() = 0 and astNode instanceof ExclusiveRelationalComparison
+          greater.getIntValue() = 0 and not astNode.isInclusive()
         )
       )
     }

Original file line number	Diff line number	Diff line change
`@@ -1545,6 +1545,14 @@ class RelationalComparison extends Comparison {`
`1545`	`1545`	`Expr getGreaterOperand() {`
`1546`	`1546`	`result = getAnOperand() and result != getLesserOperand()`
`1547`	`1547`	`}`
	`1548`	`+`
	`1549`	`+ /**`
	`1550`	+ * Holds if this is a comparison with `<=` or `>=`.
	`1551`	`+ */`
	`1552`	`+ predicate isInclusive() {`
	`1553`	`+ this instanceof LEExpr or`
	`1554`	`+ this instanceof GEExpr`
	`1555`	`+ }`
`1548`	`1556`	`}`
`1549`	`1557`
`1550`	`1558`	`/** A (pre or post) increment expression. */`
Original file line number	Diff line number	Diff line change
`@@ -643,16 +643,6 @@ module TaintTracking {`
`643`	`643`
`644`	`644`	`}`
`645`	`645`
`646`		`- /**`
`647`		`- * A less-than or greater-than expression`
`648`		`- */`
`649`		`- private class ExclusiveRelationalComparison extends RelationalComparison {`
`650`		`- ExclusiveRelationalComparison() {`
`651`		`- this instanceof LTExpr or`
`652`		`- this instanceof GTExpr`
`653`		`- }`
`654`		`- }`
`655`		`-`
`656`	`646`	`/**`
`657`	`647`	* A check of the form `if(whitelist.indexOf(x) >= 0)`, which sanitizes `x` in its "then" branch.
`658`	`648`	`*`
`@@ -671,17 +661,17 @@ module TaintTracking {`
`671`	`661`	`polarity = true and`
`672`	`662`	`greater = indexOf and`
`673`	`663`	`(`
`674`		`- lesser.getIntValue() = 0`
	`664`	`+ lesser.getIntValue() >= 0`
`675`	`665`	`or`
`676`		`- lesser.getIntValue() = -1 and astNode instanceof ExclusiveRelationalComparison`
	`666`	`+ lesser.getIntValue() = -1 and not astNode.isInclusive()`
`677`	`667`	`)`
`678`	`668`	`or`
`679`	`669`	`polarity = false and`
`680`	`670`	`lesser = indexOf and`
`681`	`671`	`(`
`682`	`672`	`greater.getIntValue() = -1`
`683`	`673`	`or`
`684`		`- greater.getIntValue() = 0 and astNode instanceof ExclusiveRelationalComparison`
	`674`	`+ greater.getIntValue() = 0 and not astNode.isInclusive()`
`685`	`675`	`)`
`686`	`676`	`)`
`687`	`677`	`}`