From 38ef07ce732f2a09d1e2d5a565646db2dc8d8867 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus
Date: Thu, 6 Feb 2020 10:29:05 +0000
Subject: [PATCH] JS: Fix join ordering
---
 .../src/Security/CWE-400/PrototypePollutionUtility.ql | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
index 376e2e16f564..978fb78b11e5 100644
--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -48,6 +48,13 @@ abstract class EnumeratedPropName extends DataFlow::Node {
 */
 abstract DataFlow::Node getSourceObject();

+ /**
+ * Gets a source node that refers to the object whose properties are being enumerated.
+ */
+ DataFlow::SourceNode getASourceObjectRef() {
+ result = AccessPath::getAnAliasedSourceNode(getSourceObject())
+ }
+
 /**
 * Gets a property read that accesses the corresponding property value in the source object.
 *
@@ -56,7 +63,7 @@ abstract class EnumeratedPropName extends DataFlow::Node {
 SourceNode getASourceProp() {
 exists(Node base, Node key |
 dynamicPropReadStep(base, key, result) and
- AccessPath::getAnAliasedSourceNode(getSourceObject()).flowsTo(base) and
+ getASourceObjectRef().flowsTo(base) and
 key.getImmediatePredecessor*() = this
 )
 }
@@ -117,7 +124,7 @@ class EntriesEnumeratedPropName extends EnumeratedPropName {
 * Holds if the properties of `node` are enumerated locally.
 */
 predicate arePropertiesEnumerated(DataFlow::SourceNode node) {
- node = AccessPath::getAnAliasedSourceNode(any(EnumeratedPropName name).getSourceObject())
+ node = any(EnumeratedPropName name).getASourceObjectRef()
 }

 /**
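Review bot: Nothing on the new `getASourceObjectRef()` in the first hunk keeps the optimizer from inlining it back into `getASourceProp()` and `arePropertiesEnumerated` (second and third hunks), which would presumably restore the join order this commit is meant to fix. If the evaluator's tuple counts show that happening, annotate the member predicate with `pragma[noinline]`. The QLDoc also says only what the predicate returns; adding a line such as `Factored out as its own predicate to pin the join order; do not inline.` would stop a later cleanup from undoing the fix and slowing this security query on large codebases. The class body starts and ends outside the hunk, so it cannot be checked from here whether other members still call `AccessPath::getAnAliasedSourceNode(getSourceObject())` directly.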