JS: Fix the FP

asger-semmle · asger-semmle · commit 7007698de41d · 2019-09-06T15:39:40.000+01:00
diff --git a/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql b/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
@@ -35,7 +35,11 @@ class IndexOfCall extends DataFlow::MethodCallNode {
    */
   IndexOfCall getAnEquivalentIndexOfCall() {
     result.getReceiver().getALocalSource() = this.getReceiver().getALocalSource() and
-    result.getArgument(0).getALocalSource() = this.getArgument(0).getALocalSource() and
+    (
+      result.getArgument(0).getALocalSource() = this.getArgument(0).getALocalSource()
+      or
+      result.getArgument(0).getStringValue() = this.getArgument(0).getStringValue()
+    ) and
     result.getMethodName() = this.getMethodName()
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck.expected
@@ -9,5 +9,3 @@
 | tst.js:67:32:67:71 | x.index ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:76:25:76:57 | index = ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:80:10:80:57 | x.index ... th + 1) | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
-| tst.js:94:49:94:112 | x.lastI ... .length | This suffix check is missing a length comparison to correctly handle lastIndexOf returning -1. |
-| tst.js:98:49:98:112 | x.lastI ... .length | This suffix check is missing a length comparison to correctly handle lastIndexOf returning -1. |
