only use .getALocalSource in copyPropertyStep

javascript/ql/src/semmle/javascript/Promises.qll

@@ -142,7 +142,7 @@ private module ExceptionalPromiseFlow {
       this = promise
     }
 
-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       prop = rejectField() and
       (
         pred = promise.getRejectParameter().getACall().getArgument(0) or
@@ -185,14 +185,14 @@ private module ExceptionalPromiseFlow {
       succ = getCallback(1).getParameter(0)
     }
     
-    override predicate copyProperty(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate copyProperty(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       not exists(this.getArgument(1)) and
       prop = rejectField() and
       pred = getReceiver() and
       succ = this
     }
     
-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       prop = rejectField() and
       pred = getCallback([0..1]).getExceptionalReturn() and
       succ = this
@@ -213,7 +213,7 @@ private module ExceptionalPromiseFlow {
       succ = getCallback(0).getParameter(0)
     }
 
-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       prop = rejectField() and
       pred = getCallback([0..1]).getExceptionalReturn() and
       succ = this
@@ -228,7 +228,7 @@ private module ExceptionalPromiseFlow {
       this.getMethodName() = "finally"
     }
 
-    override predicate copyProperty(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate copyProperty(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       prop = rejectField() and
       pred = getReceiver() and
       succ = this

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -225,9 +225,11 @@ abstract class Configuration extends string {
   }
 
   /**
-   * Holds if the `pred` should be stored in the object `succ` under the property `prop`. 
+   * Holds if the `pred` should be stored in the object `succ` under the property `prop`.
+   *
+   * `succ` is a DataFlow::SourceNode, as this is assumed by the `isAdditionalCopyPropertyStep` predicate.
    */
-  predicate isAdditionalStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate isAdditionalStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }
 
   /**
    * Holds if the property `prop` of the object `pred` should be loaded into `succ`. 
@@ -237,7 +239,7 @@ abstract class Configuration extends string {
   /**
    * Holds if the property `prop` should be copied from the object `pred` to the object `succ`. 
    */
-  predicate isAdditionalCopyPropertyStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate isAdditionalCopyPropertyStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }
 }
 
 /**
@@ -468,9 +470,11 @@ abstract class AdditionalFlowStep extends DataFlow::Node {
 
   /**
    * Holds if the `pred` should be stored in the object `succ` under the property `prop`.
+   *
+   * `succ` is a DataFlow::SourceNode, as this is assumed by the `copyProperty` predicate.
    */
   cached
-  predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }
 
   /**
    * Holds if the property `prop` of the object `pred` should be loaded into `succ`.
@@ -482,7 +486,7 @@ abstract class AdditionalFlowStep extends DataFlow::Node {
    * Holds if the property `prop` should be copied from the object `pred` to the object `succ`.
    */
   cached
-  predicate copyProperty(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate copyProperty(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }
 }
 
 /**
@@ -808,26 +812,25 @@ private predicate reachesReturn(
 }
 
 private predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop, DataFlow::Configuration cfg) { 
-  exists(DataFlow::Node obj | pred = obj.getALocalSource() or pred = obj | 
-    any(AdditionalFlowStep s).load(obj, succ, prop)
-    or
-    cfg.isAdditionalLoadStep(obj, succ, prop)
-  )
+  any(AdditionalFlowStep s).load(pred, succ, prop)
+  or
+  cfg.isAdditionalLoadStep(pred, succ, prop)
 }
 
-private predicate isAdditionalStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop, DataFlow::Configuration cfg) { 
-  exists(DataFlow::Node obj | pred = obj.getALocalSource() or pred = obj | 
-    any(AdditionalFlowStep s).store(obj, succ, prop)
-    or
-    cfg.isAdditionalStoreStep(obj, succ, prop)
-  )
+private predicate isAdditionalStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop, DataFlow::Configuration cfg) {
+  any(AdditionalFlowStep s).store(pred, succ, prop)
+  or
+  cfg.isAdditionalStoreStep(pred, succ, prop)
 }
 
-private predicate isAdditionalCopyPropertyStep(DataFlow::Node pred, DataFlow::Node succ, string prop, DataFlow::Configuration cfg) {
-  exists(DataFlow::Node obj | pred = obj.getALocalSource() or pred = obj | 
-    any(AdditionalFlowStep s).copyProperty(obj, succ, prop)
+private predicate isAdditionalCopyPropertyStep(DataFlow::SourceNode pred, DataFlow::Node succ, string prop, DataFlow::Configuration cfg) {
+  exists(DataFlow::Node predNode, DataFlow::SourceNode succNode |
+    pred = predNode.getALocalSource() and
+    succ.getALocalSource() = succNode
+  |
+    any(AdditionalFlowStep s).copyProperty(predNode, succNode, prop)
     or
-    cfg.isAdditionalCopyPropertyStep(obj, succ, prop)
+    cfg.isAdditionalCopyPropertyStep(predNode, succNode, prop)
   )
 }
 

javascript/ql/test/library-tests/Promises/flow.js

@@ -56,4 +56,17 @@
 	var p9 = p8.then(() => {});
 	var p10 = p9.finally(() => {});
 	p10.catch((x) => sink(x)); // NOT OK!
+
+	var p11 = new Promise((resolve, reject) => reject(source));
+	var p12 = p11.then(() => {});
+	p12.catch(x => sink(x)); // NOT OK!
+
+	async function throws() {
+		await new Promise((resolve, reject) => reject(source));
+	}
+	try {
+		throws();
+	} catch(e) {
+		sink(e); // NOT OK!
+	}
 })();

javascript/ql/test/library-tests/Promises/tests.expected

@@ -31,6 +31,8 @@ test_PromiseDefinition_getExecutor
 | flow.js:42:2:42:49 | new Pro ... ource)) | flow.js:42:14:42:48 | (resolv ... source) |
 | flow.js:48:2:48:36 | new Pro ... urce }) | flow.js:48:14:48:35 | () => { ... ource } |
 | flow.js:55:11:55:58 | new Pro ... ource)) | flow.js:55:23:55:57 | (resolv ... source) |
+| flow.js:60:12:60:59 | new Pro ... ource)) | flow.js:60:24:60:58 | (resolv ... source) |
+| flow.js:65:9:65:56 | new Pro ... ource)) | flow.js:65:21:65:55 | (resolv ... source) |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:24:15:5 | functio ... ;\\n    } |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:29:5:3 | functio ... e);\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:30:17:3 | (res, r ... e);\\n  } |
@@ -49,6 +51,8 @@ test_PromiseDefinition
 | flow.js:42:2:42:49 | new Pro ... ource)) |
 | flow.js:48:2:48:36 | new Pro ... urce }) |
 | flow.js:55:11:55:58 | new Pro ... ource)) |
+| flow.js:60:12:60:59 | new Pro ... ource)) |
+| flow.js:65:9:65:56 | new Pro ... ource)) |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) |
@@ -60,6 +64,7 @@ test_PromiseDefinition_getAResolveHandler
 | flow.js:40:2:40:49 | new Pro ... ource)) | flow.js:40:56:40:64 | () => { } |
 | flow.js:42:2:42:49 | new Pro ... ource)) | flow.js:42:56:42:64 | () => { } |
 | flow.js:55:11:55:58 | new Pro ... ource)) | flow.js:56:19:56:26 | () => {} |
+| flow.js:60:12:60:59 | new Pro ... ource)) | flow.js:61:21:61:28 | () => {} |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:6:16:8:3 | functio ... al;\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:18:17:20:3 | (v) =>  ...  v;\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:26:20:28:3 | (v) =>  ...  v;\\n  } |
@@ -75,6 +80,8 @@ test_PromiseDefinition_getRejectParameter
 | flow.js:40:2:40:49 | new Pro ... ource)) | flow.js:40:24:40:29 | reject |
 | flow.js:42:2:42:49 | new Pro ... ource)) | flow.js:42:24:42:29 | reject |
 | flow.js:55:11:55:58 | new Pro ... ource)) | flow.js:55:33:55:38 | reject |
+| flow.js:60:12:60:59 | new Pro ... ource)) | flow.js:60:34:60:39 | reject |
+| flow.js:65:9:65:56 | new Pro ... ource)) | flow.js:65:31:65:36 | reject |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:43:11:48 | reject |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:48:3:53 | reject |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:36:10:38 | rej |
@@ -90,6 +97,8 @@ test_PromiseDefinition_getResolveParameter
 | flow.js:40:2:40:49 | new Pro ... ource)) | flow.js:40:15:40:21 | resolve |
 | flow.js:42:2:42:49 | new Pro ... ource)) | flow.js:42:15:42:21 | resolve |
 | flow.js:55:11:55:58 | new Pro ... ource)) | flow.js:55:24:55:30 | resolve |
+| flow.js:60:12:60:59 | new Pro ... ource)) | flow.js:60:25:60:31 | resolve |
+| flow.js:65:9:65:56 | new Pro ... ource)) | flow.js:65:22:65:28 | resolve |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:34:11:40 | resolve |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:39:3:45 | resolve |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:31:10:33 | res |
@@ -115,4 +124,6 @@ flow
 | flow.js:2:15:2:22 | "source" | flow.js:48:54:48:54 | x |
 | flow.js:2:15:2:22 | "source" | flow.js:53:39:53:39 | v |
 | flow.js:2:15:2:22 | "source" | flow.js:58:24:58:24 | x |
+| flow.js:2:15:2:22 | "source" | flow.js:62:22:62:22 | x |
+| flow.js:2:15:2:22 | "source" | flow.js:70:8:70:8 | e |
 | interflow.js:3:18:3:25 | "source" | interflow.js:18:10:18:14 | error |