JS: Workaround for JSON externs

asger-semmle · asger-semmle · commit e7166c2a1c2d · 2019-08-30T18:19:19.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll b/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll
@@ -116,6 +116,11 @@ module GlobalAccessPath {
       // Note: Avoid unneeded materialization of DataFlow::Node.getFile()
       rhs.getAstNode().getFile() = file
     )
+    or
+    // Hard-code JSON methods from the externs file, since they aren't explicitly assigned.
+    (accessPath = "JSON.parse" or accessPath = "JSON.stringify") and
+    file.getBaseName() = "es5.js" and
+    any(TopLevel tl | tl.getFile() = file).isExterns()
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -116,6 +116,11 @@ module GlobalAccessPath {`
`116`	`116`	`// Note: Avoid unneeded materialization of DataFlow::Node.getFile()`
`117`	`117`	`rhs.getAstNode().getFile() = file`
`118`	`118`	`)`
	`119`	`+ or`
	`120`	`+ // Hard-code JSON methods from the externs file, since they aren't explicitly assigned.`
	`121`	`+ (accessPath = "JSON.parse" or accessPath = "JSON.stringify") and`
	`122`	`+ file.getBaseName() = "es5.js" and`
	`123`	`+ any(TopLevel tl \| tl.getFile() = file).isExterns()`
`119`	`124`	`}`
`120`	`125`
`121`	`126`	`/**`