/**
* @name Invalid prototype value
* @description An attempt to use a value that is not an object or 'null' as a
* prototype will either be ignored or result in a runtime error.
* @kind problem
* @problem.severity error
* @id js/invalid-prototype-value
* @tags quality
* reliability
* correctness
* language-features
* external/cwe/cwe-704
* @precision high
*/
import javascript
private import semmle.javascript.dataflow.InferredTypes
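/**
 * Holds if the value of `e` is used as a prototype object: it is written to
 * `__proto__`, passed to `Object.create`, `Object.setPrototypeOf` or
 * `Reflect.setPrototypeOf` in the prototype argument position, or is the
 * receiver of an `isPrototypeOf` call.
 */
predicate isProto(DataFlow::AnalyzedNode e) {
  // `o.__proto__ = e`, `{ __proto__: e }`, ...
  e = any(DataFlow::PropWrite pwn | pwn.getPropertyName() = "__proto__").getRhs()
  or
  // Object.create(e)
  e = DataFlow::globalVarRef("Object").getAMemberCall("create").getArgument(0)
  or
  // Object.setPrototypeOf(o, e) and Reflect.setPrototypeOf(o, e): both throw a
  // TypeError when the second argument is neither an object nor `null`, so the
  // second argument is a prototype position for either receiver.
  e =
    DataFlow::globalVarRef(["Object", "Reflect"])
        .getAMemberCall("setPrototypeOf")
        .getArgument(1)
  or
  // e.isPrototypeOf(o)
  any(MethodCallExpr mce).calls(e.asExpr(), "isPrototypeOf")
}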
/**
 * Holds if `tp` is a primitive type other than `null`; values of such a type
 * cannot serve as prototypes.
 */
predicate isNonNullPrimitive(InferredType tp) { tp instanceof PrimitiveType and tp != TTNull() }

from DataFlow::AnalyzedNode protoValue
where
  isProto(protoValue) and
  // At least one type was inferred for the value, and every inferred type is a
  // non-null primitive (the value of unknown type is therefore not reported).
  exists(protoValue.getAType()) and
  forall(InferredType tp | tp = protoValue.getAType() | isNonNullPrimitive(tp))
select protoValue, "Values of type " + protoValue.ppTypes() + " cannot be used as prototypes."