Merge branch 'js/summarised-tt-store-steps' into js/vea-hacking

javascript/BUILD.bazel

@@ -1,6 +1,6 @@
-load("@//:dist.bzl", "dist")
+load("@semmle_code//:dist.bzl", "dist")
 load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
-load("@//buildutils-internal:zipmerge.bzl", "zipmerge")
+load("@semmle_code//buildutils-internal:zipmerge.bzl", "zipmerge")
 
 package(default_visibility = ["//visibility:public"])
 
@@ -30,7 +30,7 @@ dist(
         "//javascript/downgrades",
         "//javascript/externs",
         "//javascript/extractor:tools-extractor",
-        "@//language-packs/javascript:resources",
+        "@semmle_code//language-packs/javascript:resources",
     ],
     prefix = "javascript",
 )

javascript/downgrades/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@//:dist.bzl", "pack_zip")
+load("@semmle_code//:dist.bzl", "pack_zip")
 
 pack_zip(
     name = "downgrades",

javascript/externs/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@//:dist.bzl", "pack_zip")
+load("@semmle_code//:dist.bzl", "pack_zip")
 
 pack_zip(
     name = "externs",

javascript/extractor/BUILD.bazel

@@ -1,21 +1,21 @@
-load("@//:common.bzl", "codeql_fat_jar", "codeql_java_project")
+load("@semmle_code//:common.bzl", "codeql_fat_jar", "codeql_java_project")
 load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
 
 java_library(
     name = "deps",
     visibility = [":__subpackages__"],
     exports = [
-        "@//extractor:html",
-        "@//extractor:yaml",
-        "@//resources/lib/java:commons-compress",
-        "@//resources/lib/java:gson",
-        "@//resources/lib/java:jericho-html",
-        "@//resources/lib/java:slf4j-api",
-        "@//resources/lib/java:snakeyaml",
-        "@//third_party:jackson",
-        "@//third_party:logback",
-        "@//util-java7",
-        "@//util-java8",
+        "@semmle_code//extractor:html",
+        "@semmle_code//extractor:yaml",
+        "@semmle_code//resources/lib/java:commons-compress",
+        "@semmle_code//resources/lib/java:gson",
+        "@semmle_code//resources/lib/java:jericho-html",
+        "@semmle_code//resources/lib/java:slf4j-api",
+        "@semmle_code//resources/lib/java:snakeyaml",
+        "@semmle_code//third_party:jackson",
+        "@semmle_code//third_party:logback",
+        "@semmle_code//util-java7",
+        "@semmle_code//util-java8",
     ],
 )
 
@@ -26,30 +26,23 @@ codeql_java_project(
     ],
 )
 
-pkg_files(
-    name = "javascript-extractor-resources",
-    srcs = glob(["resources/**"]),
-    strip_prefix = "resources",
-)
-
 codeql_fat_jar(
     name = "extractor-javascript",
     srcs = [
         ":extractor",
-        "@//extractor:html",
-        "@//extractor:xml-trap-writer",
-        "@//extractor:yaml",
-        "@//resources/lib/java:commons-compress",
-        "@//resources/lib/java:gson",
-        "@//resources/lib/java:jericho-html",
-        "@//resources/lib/java:slf4j-api",
-        "@//resources/lib/java:snakeyaml",
-        "@//third_party:jackson",
-        "@//third_party:logback",
-        "@//util-java7",
-        "@//util-java8",
+        "@semmle_code//extractor:html",
+        "@semmle_code//extractor:xml-trap-writer",
+        "@semmle_code//extractor:yaml",
+        "@semmle_code//resources/lib/java:commons-compress",
+        "@semmle_code//resources/lib/java:gson",
+        "@semmle_code//resources/lib/java:jericho-html",
+        "@semmle_code//resources/lib/java:slf4j-api",
+        "@semmle_code//resources/lib/java:snakeyaml",
+        "@semmle_code//third_party:jackson",
+        "@semmle_code//third_party:logback",
+        "@semmle_code//util-java7",
+        "@semmle_code//util-java8",
     ],
-    files = [":javascript-extractor-resources"],
     main_class = "com.semmle.js.extractor.Main",
 )
 

javascript/extractor/lib/typescript/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@//:common.bzl", "on_windows")
+load("@semmle_code//:common.bzl", "on_windows")
 
 # Builds a zip file of the compiled typscript-parser-wrapper and its dependencies.
 genrule(

javascript/extractor/test/com/semmle/js/extractor/test/BUILD.bazel

@@ -7,15 +7,15 @@ java_test(
         "//javascript/extractor/tests",
         "@nodejs//:node_bin",
     ],
-    test_class = "com.semmle.js.extractor.test.AllTests",
-    deps = [
-        "//javascript/extractor",
-        "//javascript/extractor:deps",
-        "@//resources/lib/java/DO_NOT_DISTRIBUTE:junit",
-        "@bazel_tools//tools/java/runfiles",
-    ],
     env = {
         "NODE_BIN": "$(rlocationpath @nodejs//:node_bin)",
         "TS_WRAPPER_ZIP": "$(rlocationpath //javascript/extractor/lib/typescript)",
     },
+    test_class = "com.semmle.js.extractor.test.AllTests",
+    deps = [
+        "//javascript/extractor",
+        "//javascript/extractor:deps",
+        "@bazel_tools//tools/java/runfiles",
+        "@semmle_code//resources/lib/java/DO_NOT_DISTRIBUTE:junit",
+    ],
 )

javascript/extractor/tests/project-layout

@@ -1 +1 @@
-**/ql/javascript/extractor/tests/*/input//
+**/*ql*/javascript/extractor/tests/*/input//

javascript/ql/lib/IDEContextual.qll

@@ -3,6 +3,7 @@
  */
 
 import semmle.files.FileSystem
+private import codeql.util.FileSystem
 
 /**
  * Returns the `File` matching the given source file name as encoded by the VS
@@ -10,13 +11,5 @@ import semmle.files.FileSystem
  */
 cached
 File getFileBySourceArchiveName(string name) {
-  // The name provided for a file in the source archive by the VS Code extension
-  // has some differences from the absolute path in the database:
-  // 1. colons are replaced by underscores
-  // 2. there's a leading slash, even for Windows paths: "C:/foo/bar" ->
-  //    "/C_/foo/bar"
-  // 3. double slashes in UNC prefixes are replaced with a single slash
-  // We can handle 2 and 3 together by unconditionally adding a leading slash
-  // before replacing double slashes.
-  name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/")
+  result = IdeContextual<File>::getFileBySourceArchiveName(name)
 }

javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll

@@ -45,6 +45,8 @@ private module Cached {
       CopyStep(PropertyName prop) or
       LoadStoreStep(PropertyName fromProp, PropertyName toProp) {
         SharedTypeTrackingStep::loadStoreStep(_, _, fromProp, toProp)
+        or
+        summarizedLoadStoreStep(_, _, fromProp, toProp)
       } or
       WithoutPropStep(PropertySet props) { SharedTypeTrackingStep::withoutPropStep(_, _, props) }
   }
@@ -69,6 +71,26 @@ private module Cached {
     AccessPath::isAssignedInUniqueFile(global)
   }
 
+  bindingset[fun]
+  pragma[inline_late]
+  private DataFlow::PropRead getStoredPropRead(DataFlow::FunctionNode fun, string storeProp) {
+    result = fun.getAReturn().getALocalSource().getAPropertySource(storeProp)
+  }
+
+  /**
+   * Holds if `loadProp` of `parameter` is stored in the `storeProp` property of the return value of `fun`.
+   */
+  pragma[nomagic]
+  private predicate summarizedLoadStoreStep(
+    DataFlow::ParameterNode param, DataFlow::FunctionNode fun, string loadProp, string storeProp
+  ) {
+    exists(DataFlow::PropRead read |
+      read = getStoredPropRead(fun, storeProp) and
+      read.getBase().getALocalSource() = param and
+      read.getPropertyName() = loadProp
+    )
+  }
+
   /**
    * INTERNAL: Use `TypeBackTracker.smallstep()` instead.
    */
@@ -156,6 +178,14 @@ private module Cached {
         exists(string prop |
           param.getAPropertyRead(prop).flowsTo(fun.getAReturn()) and
           summary = LoadStep(prop)
+          or
+          fun.getAReturn().getALocalSource().getAPropertySource(prop) = param and
+          summary = StoreStep(prop)
+        )
+        or
+        exists(string loadProp, string storeProp |
+          summarizedLoadStoreStep(param, fun, loadProp, storeProp) and
+          summary = LoadStoreStep(loadProp, storeProp)
         )
       ) and
       if param = fun.getAParameter()

javascript/ql/test/library-tests/TypeTracking/summarize.js

@@ -0,0 +1,33 @@
+import 'dummy';
+
+function identity(x) {
+    return x;
+}
+function load(x) {
+    return x.loadProp;
+}
+function store(x) {
+    return { storeProp: x };
+}
+function loadStore(x) {
+    return { storeProp: x.loadProp };
+}
+
+identity({});
+load({});
+store({});
+loadStore({});
+
+const obj = {}; // name: obj
+
+let x = identity(obj);
+x; // track: obj
+
+x = load({ loadProp: obj });
+x; // track: obj
+
+x = store(obj);
+x.storeProp; // track: obj
+
+x = loadStore({ loadProp: obj });
+x.storeProp; // track: obj

javascript/ql/test/query-tests/Security/CWE-400/ReDoS/PolynomialBackTracking.expected

@@ -10,7 +10,7 @@
 | highlight.js:19:56:19:61 | [^\\]]+ | Strings starting with '[' and with many repetitions of '.[' can start matching anywhere after the start of the preceeding (\\.\|\\.\\/\|\\/)?(""\|"[^"]+"\|''\|'[^']+'\|\\[\\]\|\\[[^\\]]+\\]\|[^\\s!"#%&'()*+,.\\/;<=>@\\[\\\\\\]^`{\|}~]+)((\\.\|\\/)(""\|"[^"]+"\|''\|'[^']+'\|\\[\\]\|\\[[^\\]]+\\]\|[^\\s!"#%&'()*+,.\\/;<=>@\\[\\\\\\]^`{\|}~]+))* |
 | highlight.js:22:12:22:82 | ((decltype\\(auto\\)\|(?:[a-zA-Z_]\\w*::)?[a-zA-Z_]\\w*(?:<.*?>)?)[\\*&\\s]+)+ | Strings with many repetitions of 'A\\t' can start matching anywhere after the start of the preceeding .*? |
 | highlight.js:22:43:22:45 | \\w* | Strings starting with 'A' and with many repetitions of 'A' can start matching anywhere after the start of the preceeding .*? |
-| highlight.js:22:66:22:68 | .*? | Strings starting with 'A<' and with many repetitions of 'A<' can start matching anywhere after the start of the preceeding \\w* |
+| highlight.js:22:66:22:68 | .*? | Strings starting with 'A<' and with many repetitions of 'a<' can start matching anywhere after the start of the preceeding \\w* |
 | highlight.js:22:73:22:80 | [\\*&\\s]+ | Strings starting with 'A' and with many repetitions of '\\tA\\t' can start matching anywhere after the start of the preceeding .*? |
 | highlight.js:23:13:23:82 | ((decltype\\(auto\\)\|([a-zA-Z_]\\w*::)?[a-zA-Z_]\\w*(<[^<>]+>)?)[\\*&\\s]+)+ | Strings with many repetitions of 'A\\t' can start matching anywhere after the start of the preceeding ((decltype\\(auto\\)\|([a-zA-Z_]\\w*::)?[a-zA-Z_]\\w*(<[^<>]+>)?)[\\*&\\s]+)+([a-zA-Z_]\\w*::)?[a-zA-Z]\\w*\\s*\\( |
 | highlight.js:23:42:23:44 | \\w* | Strings starting with 'A' and with many repetitions of 'A' can start matching anywhere after the start of the preceeding ((decltype\\(auto\\)\|([a-zA-Z_]\\w*::)?[a-zA-Z_]\\w*(<[^<>]+>)?)[\\*&\\s]+)+([a-zA-Z_]\\w*::)?[a-zA-Z]\\w*\\s*\\( |
@@ -279,7 +279,7 @@
 | regexplib/misc.js:117:25:117:26 | .+ | Strings starting with '(a}' and with many repetitions of 'a)' can start matching anywhere after the start of the preceeding .+ |
 | regexplib/misc.js:119:20:119:22 | \\w+ | Strings with many repetitions of '0' can start matching anywhere after the start of the preceeding (NOT)?(\\s*\\(*)\\s*(\\w+)\\s*(=\|<>\|<\|>\|LIKE\|IN)\\s*(\\(([^\\)]*)\\)\|'([^']*)'\|(-?\\d*\\.?\\d+))(\\s*\\)*\\s*)(AND\|OR)? |
 | regexplib/misc.js:119:52:119:57 | [^\\)]* | Strings starting with '0=(' and with many repetitions of '0<((' can start matching anywhere after the start of the preceeding (NOT)?(\\s*\\(*)\\s*(\\w+)\\s*(=\|<>\|<\|>\|LIKE\|IN)\\s*(\\(([^\\)]*)\\)\|'([^']*)'\|(-?\\d*\\.?\\d+))(\\s*\\)*\\s*)(AND\|OR)? |
-| regexplib/misc.js:123:36:123:38 | .*? | Strings starting with '?se[A' and with many repetitions of '?se[Aa' can start matching anywhere after the start of the preceeding (?s)(?:\\e\\[(?:(\\d+);?)*([A-Za-z])(.*?))(?=\\e\\[\|\\z) |
+| regexplib/misc.js:123:36:123:38 | .*? | Strings starting with '?se[A' and with many repetitions of '?se[aa' can start matching anywhere after the start of the preceeding (?s)(?:\\e\\[(?:(\\d+);?)*([A-Za-z])(.*?))(?=\\e\\[\|\\z) |
 | regexplib/misc.js:126:15:126:20 | [a-z]+ | Strings starting with 'a' and with many repetitions of 'aa' can start matching anywhere after the start of the preceeding [a-z]+ |
 | regexplib/misc.js:141:15:141:19 | [^;]+ | Strings starting with '{\\\\f\\\\' and with many repetitions of '{\\\\f\\\\:' can start matching anywhere after the start of the preceeding (\\{\\\\f\\d*)\\\\([^;]+;) |
 | regexplib/misc.js:144:52:144:70 | [a-z0-9\\/\\.\\?\\=\\&]* | Strings starting with '".htm' and with many repetitions of '.asp' can start matching anywhere after the start of the preceeding [a-z0-9\\/\\.\\?\\=\\&]* |
@@ -334,7 +334,7 @@
 | regexplib/strings.js:54:20:54:22 | \\w+ | Strings with many repetitions of '0' can start matching anywhere after the start of the preceeding (NOT)?(\\s*\\(*)\\s*(\\w+)\\s*(=\|<>\|<\|>\|LIKE\|IN)\\s*(\\(([^\\)]*)\\)\|'([^']*)'\|(-?\\d*\\.?\\d+))(\\s*\\)*\\s*)(AND\|OR)? |
 | regexplib/strings.js:54:52:54:57 | [^\\)]* | Strings starting with '0=(' and with many repetitions of '0<((' can start matching anywhere after the start of the preceeding (NOT)?(\\s*\\(*)\\s*(\\w+)\\s*(=\|<>\|<\|>\|LIKE\|IN)\\s*(\\(([^\\)]*)\\)\|'([^']*)'\|(-?\\d*\\.?\\d+))(\\s*\\)*\\s*)(AND\|OR)? |
 | regexplib/strings.js:56:52:56:53 | .+ | Strings starting with 'AUX.' and with many repetitions of '.' can start matching anywhere after the start of the preceeding .* |
-| regexplib/strings.js:57:36:57:38 | .*? | Strings starting with '?se[A' and with many repetitions of '?se[Aa' can start matching anywhere after the start of the preceeding (?s)(?:\\e\\[(?:(\\d+);?)*([A-Za-z])(.*?))(?=\\e\\[\|\\z) |
+| regexplib/strings.js:57:36:57:38 | .*? | Strings starting with '?se[A' and with many repetitions of '?se[aa' can start matching anywhere after the start of the preceeding (?s)(?:\\e\\[(?:(\\d+);?)*([A-Za-z])(.*?))(?=\\e\\[\|\\z) |
 | regexplib/strings.js:64:3:64:5 | \\w+ | Strings with many repetitions of '0' can start matching anywhere after the start of the preceeding (\\w+)\\s+\\1 |
 | regexplib/strings.js:70:6:70:17 | [a-zA-Z,\\s]+ | Strings with many repetitions of '\\t' can start matching anywhere after the start of the preceeding \\s* |
 | regexplib/strings.js:70:18:70:20 | \\s* | Strings starting with '\\t' and with many repetitions of '\\t' can start matching anywhere after the start of the preceeding \\s* |
@@ -345,7 +345,7 @@
 | regexplib/strings.js:74:2:74:3 | .* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding .*[Pp]re[Ss\\$]cr[iI1]pt.* |
 | regexplib/strings.js:75:2:75:3 | .* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding .*[Vv][Ii1]agr.* |
 | regexplib/strings.js:76:2:76:3 | .* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding .*[Oo0][Ee][Mm].* |
-| regexplib/strings.js:81:36:81:38 | .*? | Strings starting with '?se[A' and with many repetitions of '?se[Aa' can start matching anywhere after the start of the preceeding (?s)(?:\\e\\[(?:(\\d+);?)*([A-Za-z])(.*?))(?=\\e\\[\|\\z) |
+| regexplib/strings.js:81:36:81:38 | .*? | Strings starting with '?se[A' and with many repetitions of '?se[aa' can start matching anywhere after the start of the preceeding (?s)(?:\\e\\[(?:(\\d+);?)*([A-Za-z])(.*?))(?=\\e\\[\|\\z) |
 | regexplib/strings.js:82:20:82:22 | \\w+ | Strings with many repetitions of '0' can start matching anywhere after the start of the preceeding (NOT)?(\\s*\\(*)\\s*(\\w+)\\s*(=\|<>\|<\|>\|LIKE\|IN)\\s*(\\(([^\\)]*)\\)\|'([^']*)'\|(-?\\d*\\.?\\d+))(\\s*\\)*\\s*)(AND\|OR)? |
 | regexplib/strings.js:82:52:82:57 | [^\\)]* | Strings starting with '0=(' and with many repetitions of '0<((' can start matching anywhere after the start of the preceeding (NOT)?(\\s*\\(*)\\s*(\\w+)\\s*(=\|<>\|<\|>\|LIKE\|IN)\\s*(\\(([^\\)]*)\\)\|'([^']*)'\|(-?\\d*\\.?\\d+))(\\s*\\)*\\s*)(AND\|OR)? |
 | regexplib/strings.js:88:3:88:12 | [^\\.\\?\\!]* | Strings with many repetitions of ' ' can start matching anywhere after the start of the preceeding ([^\\.\\?\\!]*)[\\.\\?\\!] |