Merge pull request #1243 from asger-semmle/access-path-refinements

semmle-qlci · web-flow · commit ff25a3ee5ac9 · 2019-04-16T09:57:51.000+01:00
Approved by xiemaisi
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll
@@ -39,12 +39,23 @@ private PropertyName getPropertyName(PropAccess pacc) {
   )
 }
 
+private SsaVariable getRefinedVariable(SsaVariable variable) {
+  result = variable.getDefinition().(SsaRefinementNode).getAnInput()
+}
+
+private SsaVariable getARefinementOf(SsaVariable variable) {
+  variable = getRefinedVariable(result)
+}
+
 /**
  * A representation of a (nested) property access on an SSA variable
  * where each property name is either constant or itself an SSA variable.
  */
 private newtype TAccessPath =
-  MkSsaRoot(SsaVariable var) or
+  MkSsaRoot(SsaVariable var) {
+    not exists(getRefinedVariable(var))
+  }
+  or
   MkThisRoot(Function function) { function.getThisBinder() = function } or
   MkAccessStep(AccessPath base, PropertyName name) {
     exists(PropAccess pacc |
@@ -64,7 +75,7 @@ class AccessPath extends TAccessPath {
   Expr getAnInstanceIn(BasicBlock bb) {
     exists(SsaVariable var |
       this = MkSsaRoot(var) and
-      result = var.getAUseIn(bb)
+      result = getARefinementOf*(var).getAUseIn(bb)
     )
     or
     exists(ThisExpr this_ |
diff --git a/javascript/ql/test/library-tests/TaintBarriers/isBarrier.expected b/javascript/ql/test/library-tests/TaintBarriers/isBarrier.expected
@@ -17,7 +17,9 @@
 | tst.js:134:14:134:16 | v.p | ExampleConfiguration |
 | tst.js:136:14:136:18 | v.p.q | ExampleConfiguration |
 | tst.js:148:9:148:27 | v | ExampleConfiguration |
+| tst.js:149:14:149:14 | v | ExampleConfiguration |
 | tst.js:154:9:154:27 | v | ExampleConfiguration |
+| tst.js:157:14:157:14 | v | ExampleConfiguration |
 | tst.js:160:9:160:30 | v | ExampleConfiguration |
 | tst.js:160:35:160:56 | v | ExampleConfiguration |
 | tst.js:167:14:167:14 | v | ExampleConfiguration |
@@ -36,6 +38,7 @@
 | tst.js:284:14:284:14 | v | ExampleConfiguration |
 | tst.js:331:14:331:14 | v | ExampleConfiguration |
 | tst.js:356:16:356:27 | x10 | ExampleConfiguration |
+| tst.js:356:32:356:34 | x10 | ExampleConfiguration |
 | tst.js:361:14:361:14 | v | ExampleConfiguration |
 | tst.js:371:14:371:16 | o.p | ExampleConfiguration |
 | tst.js:378:14:378:17 | o[p] | ExampleConfiguration |
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -1,3 +1,4 @@
+| access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
 | addexpr.js:11:15:11:22 | source() | addexpr.js:21:8:21:12 | value |
 | advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
diff --git a/javascript/ql/test/library-tests/TaintTracking/access-path-sanitizer.js b/javascript/ql/test/library-tests/TaintTracking/access-path-sanitizer.js
@@ -0,0 +1,17 @@
+function foo() {
+  let obj = { x: source() };
+  
+  sink(obj.x); // NOT OK
+
+  if (isSafe(obj.x)) {
+    sink(obj.x); // OK
+  }
+
+  if (typeof obj === "object" && isSafe(obj.x)) {
+    sink(obj.x); // OK
+  }
+
+  if (isSafe(obj.x) && typeof obj === "object") {
+    sink(obj.x); // OK
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+\| access-path-sanitizer.js:2:18:2:25 \| source() \| access-path-sanitizer.js:4:8:4:12 \| obj.x \|`
`1`	`2`	`\| addexpr.js:4:10:4:17 \| source() \| addexpr.js:7:8:7:8 \| x \|`
`2`	`3`	`\| addexpr.js:11:15:11:22 \| source() \| addexpr.js:21:8:21:12 \| value \|`
`3`	`4`	`\| advanced-callgraph.js:2:13:2:20 \| source() \| advanced-callgraph.js:6:22:6:22 \| v \|`