JS: step through refinements in AccessPaths

Author: asger-semmle

javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll

@@ -39,12 +39,23 @@ private PropertyName getPropertyName(PropAccess pacc) {
   )
 }
 
+private SsaVariable getRefinedVariable(SsaVariable variable) {
+  result = variable.getDefinition().(SsaRefinementNode).getAnInput()
+}
+
+private SsaVariable getARefinementOf(SsaVariable variable) {
+  variable = getRefinedVariable(result)
+}
+
 /**
  * A representation of a (nested) property access on an SSA variable
  * where each property name is either constant or itself an SSA variable.
  */
 private newtype TAccessPath =
-  MkSsaRoot(SsaVariable var) or
+  MkSsaRoot(SsaVariable var) {
+    not exists(getRefinedVariable(var))
+  }
+  or
   MkThisRoot(Function function) { function.getThisBinder() = function } or
   MkAccessStep(AccessPath base, PropertyName name) {
     exists(PropAccess pacc |
@@ -64,7 +75,7 @@ class AccessPath extends TAccessPath {
   Expr getAnInstanceIn(BasicBlock bb) {
     exists(SsaVariable var |
       this = MkSsaRoot(var) and
-      result = var.getAUseIn(bb)
+      result = getARefinementOf*(var).getAUseIn(bb)
     )
     or
     exists(ThisExpr this_ |

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -1,5 +1,4 @@
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
-| access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:15:10:15:14 | obj.x |
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
 | addexpr.js:11:15:11:22 | source() | addexpr.js:21:8:21:12 | value |
 | advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |

javascript/ql/test/library-tests/TaintTracking/access-path-sanitizer.js

@@ -12,6 +12,6 @@ function foo() {
   }
 
   if (isSafe(obj.x) && typeof obj === "object") {
-    sink(obj.x); // OK - but flagged anyway
+    sink(obj.x); // OK
   }
 }