JS: precise flow through calls to .apply()
#10126
Conversation
…r the arguments object
| @@ -0,0 +1,85 @@ | |||
| function foo1(arg1, arg2) { | |||
There was a problem hiding this comment.
| function foo1(arg1, arg2) { | |
| import * as dummy from 'dummy'; | |
| function foo1(arg1, arg2) { |
Could you make sure the file is seen as a module, not a script?
There was a problem hiding this comment.
It didn't change any results 👍
|
|
||
| ReflectiveParametersNode() { this = TReflectiveParametersNode(function) } | ||
|
|
||
| override string toString() { result = "the arguments object of " + function.describe() } |
There was a problem hiding this comment.
| override string toString() { result = "the arguments object of " + function.describe() } | |
| override string toString() { result = "'arguments' object of " + function.describe() } |
These don't usually start with the. I added quotes because I think it might avoid confusion in some cases
| override BasicBlock getBasicBlock() { result = function.getEntry().getBasicBlock() } | ||
|
|
||
| /** | ||
| * Gets the function corresponding to this reflektive parameters node. |
There was a problem hiding this comment.
| * Gets the function corresponding to this reflektive parameters node. | |
| * Gets the function whose `arguments` object is represented by this node. |
| @@ -68,7 +68,7 @@ module PrototypePollutingAssignment { | |||
| /** | |||
| * A parameter of an exported function, seen as a source prototype-polluting assignment. | |||
| */ | |||
| class ExternalInputSource extends Source, DataFlow::SourceNode { | |||
There was a problem hiding this comment.
Wouldn't it make more sense to treat ReflectiveParmaetersNode as a SourceNode?
There was a problem hiding this comment.
The ReflectiveParametersNode is a source node (but when I try to put that into the extends clause I get a non-monotonic recursion).
But the source should still not be a SourceNode, because the getALibraryInputParameter() predicate does not return a ReflectiveParametersNode, that predicate returns either a parameter or a reference to the arguments variable.
The location of ReflectiveParametersNode looks bad as a source (the location is the entire function), so I avoid using ReflectiveParametersNode directly as a source.
The cause of those lost nodes is the change of But we still have taint on those lines. So I think it's OK that we loose those tainted nodes. I'll start an evaluation on |
|
Hi @erik-krogh, |
Great! You're very welcome to open pull requests with those changes. |
For some context see this external contribution that never got merged: #6559
The improve performance of global dataflow by inlining a step predicate commit got the predicate from 4m8s to 1m36s on
bwip-js.An evaluation looks good. There are a few new results, and the performance looks good.
(The new
js/unsafe-jquery-pluginresults are from the newargumentsnode, the others are from the improved flow through arrays).In an earlier evaluation I did a comparison where I disabled
ReflectiveParametersNode: https://github.com/github/codeql-dca-main/tree/data/erik-krogh/myApply-no-parms-node-nightly-codescanning/reportsThe query-suite is bigger, so it finds more results.
If you look at the
alert-meta-comparisonin the two evaluations you can see that most of the new flow doesn't have anything to do withReflectiveParametersNode.(Library inputs worked slightly different back when I did that evaluation, so those numbers are off).
/cc @yuske This is inspired by your attempt to do the same thing: #6559