Merge pull request #1573 from asger-semmle/restrict-receiver-type

Approved by xiemaisi

Author: semmle-qlci

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

@@ -715,6 +715,15 @@ class ClassNode extends DataFlow::SourceNode {
     t.start() and
     result = getAReceiverNode()
     or
+    result = getAnInstanceReferenceAux(t) and
+    // Avoid tracking into the receiver of other classes.
+    // Note that this also blocks flows into a property of the receiver,
+    // but the `localFieldStep` rule will often compensate for this.
+    not result = any(DataFlow::ClassNode cls).getAReceiverNode()
+  }
+
+  pragma[noinline]
+  private DataFlow::SourceNode getAnInstanceReferenceAux(DataFlow::TypeTracker t) {
     exists(DataFlow::TypeTracker t2 |
       result = getAnInstanceReference(t2).track(t2, t)
     )

javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/this-calls.js

@@ -0,0 +1,27 @@
+import 'dummy';
+
+class Foo {
+  a() {
+    /** calls:Foo.b */
+    this.b();
+  }
+
+  /** name:Foo.b */
+  b() {}
+}
+
+class Bar {
+  a() {
+    /** calls:Bar.b */
+    this.b();
+  }
+
+  /** name:Bar.b */
+  b() {}
+}
+
+function callA(x) {
+  x.a();
+}
+callA(new Foo);
+callB(new Bar);