JS: Simplify config in PrototypePollutingFunction.ql.

github · Jan 31, 2025 · 18590e9 · 18590e9
1 parent dd0a07e
commit 18590e9
Showing 1 changed file with 13 additions and 19 deletions.
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
@@ -251,25 +251,19 @@ module PropNameTrackingConfig implements DataFlow::StateConfigSig {
     node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state)
   }
 
-  predicate isAdditionalFlowStep(
-    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
-  ) {
-    exists(state1) and
-    state2 = state1 and
-    (
-      // Step through `p -> x[p]`
-      exists(DataFlow::PropRead read |
-        node1 = read.getPropertyNameExpr().flow() and
-        not read.(DynamicPropRead).hasDominatingAssignment() and
-        node2 = read
-      )
-      or
-      // Step through `x -> x[p]`
-      exists(DynamicPropRead read |
-        not read.hasDominatingAssignment() and
-        node1 = read.getBase() and
-        node2 = read
-      )
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // Step through `p -> x[p]`
+    exists(DataFlow::PropRead read |
+      node1 = read.getPropertyNameExpr().flow() and
+      not read.(DynamicPropRead).hasDominatingAssignment() and
+      node2 = read
+    )
+    or
+    // Step through `x -> x[p]`
+    exists(DynamicPropRead read |
+      not read.hasDominatingAssignment() and
+      node1 = read.getBase() and
+      node2 = read
     )
   }