JS: Address review comments

asgerf · asgerf · commit d76859b7df0a · 2020-01-14T10:53:00.000Z
diff --git a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.qhelp b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.qhelp
@@ -41,8 +41,8 @@
   <sample src="examples/PrototypePollutionUtility.js"/>
 
   <p>
-    However, if <code>src</code> is the object <code>{"__proto__": {"xxx": true}}</code>,
-    it will inject the property <code>xxx: true</code> in in <code>Object.prototype</code>.
+    However, if <code>src</code> is the object <code>{"__proto__": {"isAdmin": true}}</code>,
+    it will inject the property <code>isAdmin: true</code> in in <code>Object.prototype</code>.
   </p>
 
   <p>
diff --git a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -226,7 +226,13 @@ class UnsafePropLabel extends FlowLabel {
  *
  * Note that in the above example, the flow from `key` to the base of the write (`dst`)
  * requires stepping through the recursive call.
- * Such a path would be absent for a shallow copying operation.
+ * Such a path would be absent for a shallow copying operation, where the `dst` object
+ * isn't derived from a property of the source object.
+ *
+ * This configuration can't enforce that all three paths must end at the same
+ * dynamic property write, so we treat the paths independently here and check
+ * for coinciding paths afterwards.  This means this configuration can't be used as
+ * a standalone configuration like in most path queries.
  */
 class PropNameTracking extends DataFlow::Configuration {
   PropNameTracking() { this = "PropNameTracking" }
diff --git a/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll b/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll
@@ -35,6 +35,24 @@ module GlobalAccessPath {
   }
 }
 
+/**
+ * Provides predicates for associating access paths with data flow nodes.
+ *
+ * For example, `AccessPath.getAReferenceTo(x)` can be used to obtain the global access path
+ * that `x` refers to, as in the following sample:
+ * ```
+ * function f() {
+ *   let v = foo.bar; // reference to 'foo.bar'
+ *   v.baz;           // reference to 'foo.bar.baz'
+ * }
+ *
+ * (function(ns) {
+ *   ns.x;            // reference to 'NS.x'
+ * })(NS = NS || {});
+ * ```
+ *
+ * A pseudo-property named `[number]` is sometimes used to represent array indices within an access path.
+ */
 module AccessPath {
   /**
    * A source node that can be the root of an access path.
