Merge pull request #10985 from asgerf/js/reaches-return-escape

erik-krogh · web-flow · commit 52cd200ca0d1 · 2022-10-26T10:52:11.000+02:00
JS: Do not track returned values out of the enclosing function
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll
@@ -1197,7 +1197,8 @@ private predicate reachesReturn(
   exists(DataFlow::Node mid, PathSummary oldSummary, PathSummary newSummary |
     flowStep(read, cfg, mid, oldSummary) and
     reachesReturn(f, mid, cfg, newSummary) and
-    summary = oldSummary.append(newSummary)
+    summary = oldSummary.append(newSummary) and
+    pragma[only_bind_out](summary).isLevel()
   )
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1197,7 +1197,8 @@ private predicate reachesReturn(`
`1197`	`1197`	`exists(DataFlow::Node mid, PathSummary oldSummary, PathSummary newSummary \|`
`1198`	`1198`	`flowStep(read, cfg, mid, oldSummary) and`
`1199`	`1199`	`reachesReturn(f, mid, cfg, newSummary) and`
`1200`		`- summary = oldSummary.append(newSummary)`
	`1200`	`+ summary = oldSummary.append(newSummary) and`
	`1201`	`+ pragma[only_bind_out](summary).isLevel()`
`1201`	`1202`	`)`
`1202`	`1203`	`}`
`1203`	`1204`