JavaScript: Functions flowing through arrays

[goloveychuk]

Taint analysis seems to not work for arrays:

const fs = require('fs')


function readFileHelper(p) { 
  fs.readFile(p) // <- detected
}

function readFileHelper2(p) { 
  fs.readFile(p) // <- not detected
}


const reads = [
  readFileHelper2
]

const v = process.argv[2];


readFileHelper(v) // work
const res = reads.map(d => d(v)); // not working
for (let d of reads) {
  d(v);   // not working
}
reads[0](v);   // not working
[readFileHelper2].map(d => d(v));  // not working

import javascript

class CommandLineFileNameConfiguration extends TaintTracking::Configuration {
  CommandLineFileNameConfiguration() { this = "CommandLineFileNameConfiguration" }

  override predicate isSource(DataFlow::Node source) {
    DataFlow::globalVarRef("process").getAPropertyRead("argv").getAPropertyRead() = source
  }

  override predicate isSink(DataFlow::Node sink) {
    DataFlow::moduleMember("fs", "readFile").getACall().getArgument(0) = sink
  }
}

from CommandLineFileNameConfiguration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select source, sink

It found readFileHelper but not readFileHelper2.

There is related issue #5177

Pinging gently @erik-krogh

[asgerf]

Thanks for the report.

It is a known limitation currently that we can not resolve function calls to their target when the function can been passed through an array. Flow through arrays work in many other cases. Since this is specifically about functions flowing through array I took the liberty of renaming the issue so it's easier for us to track the underlying issue.

While we can't immediately resolve this issue, it is definitely something we will keep an eye on.