JS: Restrict this-argument passing in API graphs

asgerf · asgerf · commit 4d3319024174 · 2025-10-06T11:42:36.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -1324,7 +1324,9 @@ module API {
       exists(DataFlow::TypeTracker t, StepSummary summary, DataFlow::SourceNode prev |
         prev = trackUseNode(nd, promisified, boundArgs, prop, t) and
         StepSummary::step(prev, res, summary) and
-        result = t.append(summary)
+        result = t.append(summary) and
+        // Block argument-passing into 'this'
+        not (summary = CallStep() and res instanceof DataFlow::ThisNode)
       )
     }
 
@@ -1381,7 +1383,9 @@ module API {
       exists(DataFlow::TypeBackTracker t, StepSummary summary, DataFlow::Node next |
         next = trackDefNode(nd, t) and
         StepSummary::step(prev, next, summary) and
-        result = t.prepend(summary)
+        result = t.prepend(summary) and
+        // Block argument-passing steps from 'this' back to a receiver
+        not (summary = CallStep() and prev instanceof DataFlow::ThisNode)
       )
     }
 
diff --git a/javascript/ql/test/ApiGraphs/explicit-this/VerifyAssertions.expected b/javascript/ql/test/ApiGraphs/explicit-this/VerifyAssertions.expected
@@ -0,0 +1 @@
+| tst.js:4:17:4:119 | /** use ... rn() */ | use moduleImport("something").getMember("exports").getMember("one") has no outgoing edge labelled getMember("two"); it has no outgoing edges at all. |

Original file line number	Diff line number	Diff line change
`@@ -1324,7 +1324,9 @@ module API {`
`1324`	`1324`	`exists(DataFlow::TypeTracker t, StepSummary summary, DataFlow::SourceNode prev \|`
`1325`	`1325`	`prev = trackUseNode(nd, promisified, boundArgs, prop, t) and`
`1326`	`1326`	`StepSummary::step(prev, res, summary) and`
`1327`		`- result = t.append(summary)`
	`1327`	`+ result = t.append(summary) and`
	`1328`	`+ // Block argument-passing into 'this'`
	`1329`	`+ not (summary = CallStep() and res instanceof DataFlow::ThisNode)`
`1328`	`1330`	`)`
`1329`	`1331`	`}`
`1330`	`1332`
`@@ -1381,7 +1383,9 @@ module API {`
`1381`	`1383`	`exists(DataFlow::TypeBackTracker t, StepSummary summary, DataFlow::Node next \|`
`1382`	`1384`	`next = trackDefNode(nd, t) and`
`1383`	`1385`	`StepSummary::step(prev, next, summary) and`
`1384`		`- result = t.prepend(summary)`
	`1386`	`+ result = t.prepend(summary) and`
	`1387`	`+ // Block argument-passing steps from 'this' back to a receiver`
	`1388`	`+ not (summary = CallStep() and prev instanceof DataFlow::ThisNode)`
`1385`	`1389`	`)`
`1386`	`1390`	`}`
`1387`	`1391`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| tst.js:4:17:4:119 \| /** use ... rn() */ \| use moduleImport("something").getMember("exports").getMember("one") has no outgoing edge labelled getMember("two"); it has no outgoing edges at all. \|`