JS: Prevent bad join in hasOwnProperty

Author: asger-semmle

javascript/ql/src/semmle/javascript/dataflow/LocalObjects.qll

@@ -67,14 +67,31 @@ class LocalObject extends DataFlow::SourceNode {
     not exposedAsReceiver(this)
   }
 
+  pragma[nomagic]
   predicate hasOwnProperty(string name) {
     // the property is defined in the initializer,
     any(DataFlow::PropWrite write).writes(this, name, _) and
     // and it is never deleted
-    not exists(DeleteExpr del, DataFlow::PropRef ref |
+    not hasDeleteWithName(name) and
+    // and there is no deleted property with computed name
+    not hasDeleteWithComputedProperty()
+  }
+
+  pragma[noinline]
+  private predicate hasDeleteWithName(string name) {
+    exists(DeleteExpr del, DataFlow::PropRef ref |
+      del.getOperand().flow() = ref and
+      flowsTo(ref.getBase()) and
+      ref.getPropertyName() = name
+    )
+  }
+
+  pragma[noinline]
+  private predicate hasDeleteWithComputedProperty() {
+    exists(DeleteExpr del, DataFlow::PropRef ref |
       del.getOperand().flow() = ref and
       flowsTo(ref.getBase()) and
-      (ref.getPropertyName() = name or not exists(ref.getPropertyName()))
+      not exists(ref.getPropertyName())
     )
   }
 }