JS: Detect property enumeration through for-own

2020-02-05 12:19:26 +00:00 · 2020-02-05 12:19:26 +00:00 · 34a9dce33d
--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@ -120,6 +120,30 @@ class EntriesEnumeratedPropName extends EnumeratedPropName {
  }
 }

+/**
+ * Property enumeration through the `for-own` package.
+ */
+class ForOwnEnumeratedPropName extends EnumeratedPropName {
+  CallNode call;
+  FunctionNode callback;
+
+  ForOwnEnumeratedPropName() {
+    call = moduleImport("for-own").getACall() and
+    callback = call.getCallback(1) and
+    this = callback.getParameter(1)
+  }
+
+  override Node getSourceObject() {
+    result = call.getArgument(0)
+  }
+
+  override SourceNode getASourceProp() {
+    result = super.getASourceProp()
+    or
+    result = callback.getParameter(0)
+  }
+}
+
 /**
 * Holds if the properties of `node` are enumerated locally.
 */