From a72507a6217ba77bc753b70a7e12fa9406d8493a Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Thu, 1 Nov 2018 21:22:03 -0400
Subject: [PATCH 1/3] JavaScript: Remove a `pragma[noopt]`.

---
 javascript/ql/src/semmle/javascript/dataflow/Configuration.qll | 1 -
 1 file changed, 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
index e2c5f325b0d5..bee459c20e2b 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -537,7 +537,6 @@ private predicate isRelevant(DataFlow::Node nd, DataFlow::Configuration cfg) {
  * either `pred` is an argument of `f` and `succ` the corresponding parameter, or
  * `pred` is a variable definition whose value is captured by `f` at `succ`.
  */
-pragma[noopt]
 private predicate callInputStep(Function f, DataFlow::Node invk,
                                 DataFlow::Node pred, DataFlow::Node succ, DataFlow::Configuration cfg) {

From 94bba880804e47e3fecb6c88e5b96c8d59cfa6a9 Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Thu, 1 Nov 2018 21:22:51 -0400
Subject: [PATCH 2/3] JavaScript: Avoid unhelpful magic.

---
 javascript/ql/src/semmle/javascript/dataflow/Configuration.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
index bee459c20e2b..56743f25b3ec 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -566,6 +566,7 @@ private predicate callInputStep(Function f, DataFlow::Node invk,
  * Note that the summary does not take the initial step from argument to parameter
  * into account.
  */
+pragma[nomagic]
 private predicate reachableFromInput(Function f, DataFlow::Node invk, DataFlow::Node input, DataFlow::Node nd, DataFlow::Configuration cfg, PathSummary summary) {
From e77ea6217910a0b1ab82fa3ae7be3982346b2a5f Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Thu, 1 Nov 2018 21:24:16 -0400
Subject: [PATCH 3/3] JavaScript: Tweak `storeStep` predicate.

---
 .../semmle/javascript/dataflow/Configuration.qll | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
index 56743f25b3ec..08df334973f6 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -600,20 +600,28 @@ private predicate flowThroughCall(DataFlow::Node input, DataFlow::Node invk,
  * Holds if `pred` may flow into property `prop` of `succ` under configuration `cfg`
  * along a path summarized by `summary`.
  */
-private predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop,
+pragma[nomagic]
+private predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop,
                             DataFlow::Configuration cfg, PathSummary summary) {
   basicStoreStep(pred, succ, prop) and summary = PathSummary::level()
   or
-  exists (Function f, DataFlow::Node mid, DataFlow::SourceNode base |
+  exists (Function f, DataFlow::Node mid, DataFlow::Node base |
     // `f` stores its parameter `pred` in property `prop` of a value that it returns,
     // and `succ` is an invocation of `f`
     reachableFromInput(f, succ, pred, mid, cfg, summary) and
-    base.hasPropertyWrite(prop, mid) and
-    base.flowsToExpr(f.getAReturnedExpr())
+    returnedPropWrite(f, base, prop, mid)
   )
 }
 
+/**
+ * Holds if `f` may return `base`, which has a write of property `prop` with right-hand side `rhs`.
+ */
+predicate returnedPropWrite(Function f, DataFlow::SourceNode base, string prop, DataFlow::Node rhs) {
+  base.hasPropertyWrite(prop, rhs) and
+  base.flowsToExpr(f.getAReturnedExpr())
+}
+
 /**
  * Holds if `rhs` is the right-hand side of a write to property `prop`, and `nd` is reachable
  * from the base of that write under configuration `cfg` (possibly through callees) along a