add support for delegating yield

erik-krogh · erik-krogh · commit 90422fe70520 · 2020-08-25T20:05:53.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/Generators.qll b/javascript/ql/src/semmle/javascript/Generators.qll
@@ -11,7 +11,19 @@ private module GeneratorDataFlow {
     override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       exists(DataFlow::FunctionNode f | f.getFunction().isGenerator() |
         prop = iteratorElement() and
-        exists(YieldExpr yield | yield.getContainer() = f.getFunction() |
+        exists(YieldExpr yield |
+          yield.getContainer() = f.getFunction() and not yield.isDelegating()
+        |
+          pred.asExpr() = yield.getOperand()
+        ) and
+        succ = f.getReturnNode()
+      )
+    }
+
+    override predicate loadStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
+      exists(DataFlow::FunctionNode f | f.getFunction().isGenerator() |
+        prop = iteratorElement() and
+        exists(YieldExpr yield | yield.getContainer() = f.getFunction() and yield.isDelegating() |
           pred.asExpr() = yield.getOperand()
         ) and
         succ = f.getReturnNode()
diff --git a/javascript/ql/test/library-tests/Generators/generators.js b/javascript/ql/test/library-tests/Generators/generators.js
@@ -30,4 +30,24 @@
   } catch (e) {
     sink(e); // NOT OK
   }
+
+  function *delegating() {
+    yield* delegate();
+  }
+
+  function *delegate() {
+    yield source;
+  }
+
+  Array.from(delegating()).forEach(x => sink(x)); // NOT OK
+
+  function *delegating2() {
+    yield* returnsTaint();
+  }
+
+  function returnsTaint() {
+    return source;
+  }
+
+  Array.from(delegating2()).forEach(x => sink(x)); // OK
 });
