From d6578e10c822e0839f7c09eaa12d8916c2772ae7 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Fri, 16 Aug 2019 13:33:27 +0100
Subject: [PATCH] JS: Handle constructor calls to avoid regression

---
 .../dataflow/internal/FlowSteps.qll | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
index 9385fc5dba8..4d37dbb1775 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
@@ -119,12 +119,23 @@ private module CachedSteps {
   predicate calls(DataFlow::InvokeNode invk, Function f) {
     f = invk.getACallee(0)
     or
-    exists(DataFlow::ClassNode cls, string name |
-      callResolvesToMember(invk, cls, name) and
-      f = cls.getInstanceMethod(name).getFunction()
+    exists(DataFlow::ClassNode cls |
+      // Call to class member
+      exists(string name |
+        callResolvesToMember(invk, cls, name) and
+        f = cls.getInstanceMethod(name).getFunction()
+        or
+        invk = cls.getAClassReference().getAMethodCall(name) and
+        f = cls.getStaticMethod(name).getFunction()
+      )
       or
-      invk = cls.getAClassReference().getAMethodCall(name) and
-      f = cls.getStaticMethod(name).getFunction()
+      // Call to constructor
+      invk = cls.getAClassReference().getAnInvocation() and
+      f = cls.getConstructor().getFunction()
+      or
+      // Super call to constructor
+      invk.asExpr().(SuperCall).getBinder() = cls.getConstructor().getFunction() and
+      f = cls.getADirectSuperClass().getConstructor().getFunction()
     )
     or
     // Call from `foo.bar.baz()` to `foo.bar.baz = function()`
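Review bot: In the `// Call to constructor` disjunct, `invk = cls.getAClassReference().getAnInvocation()` pairs every invocation of a class reference with the constructor, including plain `C(...)` calls without `new`, which is looser than the `getAMethodCall(name)` matching used for the static-method case; if only instantiations are meant, `invk = cls.getAClassReference().getAnInstantiation() and` is the tighter form. Both new disjuncts also hinge on `cls.getConstructor()` having a result: for a subclass that declares no constructor, `new Sub(x)` will not be resolved to the inherited constructor unless the library synthesises one, and an unresolved call silently drops the argument flow in taint tracking rather than failing loudly. Worth pinning with a test covering an implicit constructor and a `super(...)` chain, since the diffstat shows no test accompanies this change. The body of `calls` continues past the end of the hunk.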