JS: Include summary steps in type tracking

2026-04-24 08:15:14 +02:00 · 2024-11-19 22:18:01 +01:00
parent 440cbb7f0a
commit 2f0c80a98b
2 changed files with 26 additions and 4 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll
@@ -1,6 +1,7 @@
 import javascript
 private import semmle.javascript.dataflow.TypeTracking
 private import semmle.javascript.internal.CachedStages
+private import sharedlib.SummaryTypeTracker as SummaryTypeTracker
 private import FlowSteps

 cached
@@ -46,6 +47,12 @@ private module Cached {
      LoadStoreStep(PropertyName fromProp, PropertyName toProp) {
        SharedTypeTrackingStep::loadStoreStep(_, _, fromProp, toProp)
        or
+        exists(DataFlow::ContentSet loadContent, DataFlow::ContentSet storeContent |
+          SummaryTypeTracker::basicLoadStoreStep(_, _, loadContent, storeContent) and
+          fromProp = loadContent.asPropertyName() and
+          toProp = storeContent.asPropertyName()
+        )
+        or
        summarizedLoadStoreStep(_, _, fromProp, toProp)
      } or
      WithoutPropStep(PropertySet props) { SharedTypeTrackingStep::withoutPropStep(_, _, props) }
@@ -205,6 +212,21 @@ private module Cached {
      succ = getACallbackSource(parameter).getParameter(i) and
      summary = ReturnStep()
    )
+    or
+    SummaryTypeTracker::levelStepNoCall(pred, succ) and summary = LevelStep()
+    or
+    exists(DataFlow::ContentSet content |
+      SummaryTypeTracker::basicLoadStep(pred, succ, content) and
+      summary = LoadStep(content.asPropertyName())
+      or
+      SummaryTypeTracker::basicStoreStep(pred, succ, content) and
+      summary = StoreStep(content.asPropertyName())
+    )
+    or
+    exists(DataFlow::ContentSet loadContent, DataFlow::ContentSet storeContent |
+      SummaryTypeTracker::basicLoadStoreStep(pred, succ, loadContent, storeContent) and
+      summary = LoadStoreStep(loadContent.asPropertyName(), storeContent.asPropertyName())
+    )
  }
 }

--- a/javascript/ql/test/library-tests/TypeTracking2/summaries.js
+++ b/javascript/ql/test/library-tests/TypeTracking2/summaries.js
@@ -6,7 +6,7 @@ function m0() {
 function m1() {
  const fn = mkSummary("Argument[0]", "ReturnValue");
  const obj = source("m1.1");
-  sink(fn(obj)); // $ MISSING: track=m1.1
+  sink(fn(obj)); // $ track=m1.1
  sink(fn(obj.p));
  sink(fn(obj).p);
  sink(fn({ p: obj }));
@@ -19,7 +19,7 @@ function m2() {
  sink(fn(obj));
  sink(fn(obj.p));
  sink(fn(obj).p);
-  sink(fn({ p: obj })); // $ MISSING: track=m2.1
+  sink(fn({ p: obj })); // $ track=m2.1
  sink(fn({ p: obj }).q);
 }

@@ -28,7 +28,7 @@ function m3() {
  const obj = source("m3.1");
  sink(fn(obj));
  sink(fn(obj.p));
-  sink(fn(obj).p); // $ MISSING: track=m3.1
+  sink(fn(obj).p); // $ track=m3.1
  sink(fn({ p: obj }));
  sink(fn({ p: obj }).q);
 }
@@ -41,5 +41,5 @@ function m4() {
  sink(fn(obj.p));
  sink(fn(obj).p);
  sink(fn({ p: obj }));
-  sink(fn({ p: obj }).q); // $ MISSING: track=m4.1
+  sink(fn({ p: obj }).q); // $ track=m4.1
 }