Merge remote-tracking branch 'upstream/master' into typeAheadSink

2025-12-20 18:56:32 +01:00 · 2019-11-27 15:19:06 +01:00
parent bafd57d7d5 a2827e9503
commit 34e44e89fd
65 changed files with 780 additions and 269 deletions
--- a/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
+++ b/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
@@ -68,7 +68,7 @@ predicate benignContext(Expr e) {
  any(InvokeExpr invoke).getCallee() = e
  or
  // arguments to Promise.resolve (and promise library variants) are benign. 
-  e = any(ResolvedPromiseDefinition promise).getValue().asExpr()
+  e = any(PromiseCreationCall promise).getValue().asExpr()
 }

 predicate oneshotClosure(DataFlow::CallNode call) {
@@ -198,7 +198,7 @@ module Deferred {
  /**
   * A resolved promise created by a `new Deferred().resolve()` call.
   */
-  class ResolvedDeferredPromiseDefinition extends ResolvedPromiseDefinition {
+  class ResolvedDeferredPromiseDefinition extends PromiseCreationCall {
    ResolvedDeferredPromiseDefinition() {
      this = any(DeferredPromiseDefinition def).ref().getAMethodCall("resolve")
    }
--- a/javascript/ql/src/semmle/javascript/Modules.qll
+++ b/javascript/ql/src/semmle/javascript/Modules.qll
@@ -83,9 +83,13 @@ abstract class Module extends TopLevel {
        result = c.(Folder).getJavaScriptFile("index")
      )
      or
-      // handle the case where the import path is missing an extension
+      // handle the case where the import path is missing the extension
      exists(Folder f | f = path.resolveUpTo(path.getNumComponent() - 1) |
        result = f.getJavaScriptFile(path.getBaseName())
+        or
+        // If a js file was not found look for a file that compiles to js
+        not exists(f.getJavaScriptFile(path.getBaseName())) and
+        result = f.getJavaScriptFile(path.getStem())
      )
    )
  }
--- a/javascript/ql/src/semmle/javascript/Paths.qll
+++ b/javascript/ql/src/semmle/javascript/Paths.qll
@@ -205,6 +205,9 @@ abstract class PathExpr extends PathExprBase {
  /** Gets the base name of the folder or file this path refers to. */
  string getBaseName() { result = getValue().(PathString).getBaseName() }

+  /** Gets the stem, that is, base name without extension, of the folder or file this path refers to. */
+  string getStem() { result = getValue().(PathString).getStem() }
+
  /**
   * Gets the file or folder that the first `n` components of this path refer to
   * when resolved relative to the root folder of the given `priority`.
--- a/javascript/ql/src/semmle/javascript/Promises.qll
+++ b/javascript/ql/src/semmle/javascript/Promises.qll
@@ -30,6 +30,22 @@ module Bluebird {

    override DataFlow::Node getValue() { result = getArgument(0) }
  }
+  
+  /**
+   * An aggregated promise produced either by `Promise.all`, `Promise.race` or `Promise.map`. 
+   */
+  class AggregateBluebirdPromiseDefinition extends PromiseCreationCall {
+    AggregateBluebirdPromiseDefinition() {
+      exists(string m | m = "all" or m = "race" or m = "map" | 
+        this = bluebird().getAMemberCall(m)
+      )
+    }
+
+    override DataFlow::Node getValue() {
+      result = getArgument(0).getALocalSource().(DataFlow::ArrayCreationNode).getAnElement()
+    }
+  }
+  
 }

 /**
--- a/javascript/ql/src/semmle/javascript/StandardLibrary.qll
+++ b/javascript/ql/src/semmle/javascript/StandardLibrary.qll
@@ -152,15 +152,20 @@ private class ES2015PromiseDefinition extends PromiseDefinition, DataFlow::NewNo
 }

 /**
- * A promise that is resolved with the given value.
+ * A promise that is created and resolved with one or more value.
 */
-abstract class ResolvedPromiseDefinition extends DataFlow::CallNode {
+abstract class PromiseCreationCall extends DataFlow::CallNode {
  /**
   * Gets the value this promise is resolved with.
   */
  abstract DataFlow::Node getValue();
 }

+/**
+ * A promise that is created using a `.resolve()` call. 
+ */
+abstract class ResolvedPromiseDefinition extends PromiseCreationCall {}
+
 /**
 * A resolved promise created by the standard ECMAScript 2015 `Promise.resolve` function.
 */
@@ -172,6 +177,21 @@ class ResolvedES2015PromiseDefinition extends ResolvedPromiseDefinition {
  override DataFlow::Node getValue() { result = getArgument(0) }
 }

+/**
+ * An aggregated promise produced either by `Promise.all` or `Promise.race`. 
+ */
+class AggregateES2015PromiseDefinition extends PromiseCreationCall {
+  AggregateES2015PromiseDefinition() {
+    exists(string m | m = "all" or m = "race" | 
+      this = DataFlow::globalVarRef("Promise").getAMemberCall(m)
+    )
+  }
+
+  override DataFlow::Node getValue() {
+    result = getArgument(0).getALocalSource().(DataFlow::ArrayCreationNode).getAnElement()
+  }
+}
+
 /**
 * A data flow edge from a promise reaction to the corresponding handler.
 */
@@ -197,7 +217,7 @@ predicate promiseTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
  pred = succ.(PromiseDefinition).getResolveParameter().getACall().getArgument(0)
  or
  // from `x` to `Promise.resolve(x)`
-  pred = succ.(ResolvedPromiseDefinition).getValue()
+  pred = succ.(PromiseCreationCall).getValue()
  or
  exists(DataFlow::MethodCallNode thn, DataFlow::FunctionNode cb |
    thn.getMethodName() = "then" and cb = thn.getCallback(0)
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -840,16 +840,18 @@ module DataFlow {
   * An array element pattern viewed as a property read; for instance, in
   * `var [ x, y ] = arr`, `x` is a read of property 0 of `arr` and similar
   * for `y`.
-   *
-   * Note: We currently do not expose the array index as the property name,
-   * instead treating it as a read of an unknown property.
   */
  private class ElementPatternAsPropRead extends PropRead, ElementPatternNode {
    override Node getBase() { result = TDestructuringPatternNode(pattern) }

    override Expr getPropertyNameExpr() { none() }

-    override string getPropertyName() { none() }
+    override string getPropertyName() {
+      exists (int i |
+        elt = pattern.getElement(i) and
+        result = i.toString()
+      )
+    }
  }

  /**
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
@@ -211,7 +211,7 @@ private class WindowNameAccess extends RemoteFlowSource {
    this = DataFlow::globalObjectRef().getAPropertyRead("name")
    or
    // Reference to `name` on a container that does not assign to it.
-    this.accessesGlobal("name") and
+    this.asExpr().(GlobalVarAccess).getName() = "name" and
    not exists(VarDef def |
      def.getAVariable().(GlobalVariable).getName() = "name" and
      def.getContainer() = this.asExpr().getContainer()
--- a/javascript/ql/test/library-tests/Modules/import-ts-with-js-extension.ts
+++ b/javascript/ql/test/library-tests/Modules/import-ts-with-js-extension.ts
@@ -0,0 +1,3 @@
+import { foo } from "./f.js";
+
+foo();
--- a/javascript/ql/test/library-tests/Modules/tests.expected
+++ b/javascript/ql/test/library-tests/Modules/tests.expected
@@ -6,6 +6,7 @@ test_ImportSpecifiers
 | f.ts:1:8:1:8 | g | f.ts:1:8:1:8 | g |
 | g.ts:1:9:1:11 | foo | g.ts:1:9:1:11 | foo |
 | import-in-mjs.mjs:1:8:1:24 | exported_from_mjs | import-in-mjs.mjs:1:8:1:24 | exported_from_mjs |
+| import-ts-with-js-extension.ts:1:10:1:12 | foo | import-ts-with-js-extension.ts:1:10:1:12 | foo |
 | m/c.js:1:8:1:13 | * as b | m/c.js:1:13:1:13 | b |
 | tst.html:5:10:5:10 | f | tst.html:5:10:5:10 | f |
 | unresolved.js:1:8:1:8 | f | unresolved.js:1:8:1:8 | f |
@@ -43,6 +44,7 @@ test_getImportedName
 | f.ts:1:8:1:8 | g | default |
 | g.ts:1:9:1:11 | foo | foo |
 | import-in-mjs.mjs:1:8:1:24 | exported_from_mjs | default |
+| import-ts-with-js-extension.ts:1:10:1:12 | foo | foo |
 | tst.html:5:10:5:10 | f | default |
 | unresolved.js:1:8:1:8 | f | default |
 test_ExportDeclarations
@@ -65,6 +67,7 @@ test_getAnImportedModule
 | es2015_require.js | d.js |
 | f.ts | e.js |
 | g.ts | f.ts |
+| import-ts-with-js-extension.ts | f.ts |
 | m/c.js | b.js |
 test_getSourceNode
 | a.js:1:1:3:1 | export  ... n 23;\\n} | default | a.js:1:16:3:1 | functio ... n 23;\\n} |
@@ -87,6 +90,7 @@ test_Imports
 | f.ts:1:1:1:19 | import g from './e' | f.ts:1:15:1:19 | './e' | 1 |
 | g.ts:1:1:1:23 | import  ... m './f' | g.ts:1:19:1:23 | './f' | 1 |
 | import-in-mjs.mjs:1:1:1:46 | import  ... n-mjs'; | import-in-mjs.mjs:1:31:1:45 | 'export-in-mjs' | 1 |
+| import-ts-with-js-extension.ts:1:1:1:29 | import  ... /f.js"; | import-ts-with-js-extension.ts:1:21:1:28 | "./f.js" | 1 |
 | m/c.js:1:1:1:26 | import  ... '../b'; | m/c.js:1:20:1:25 | '../b' | 1 |
 | tst.html:5:3:5:20 | import f from 'a'; | tst.html:5:17:5:19 | 'a' | 1 |
 | unresolved.js:1:1:1:18 | import f from 'a'; | unresolved.js:1:15:1:17 | 'a' | 1 |
@@ -94,6 +98,7 @@ test_NamedImportSpecifier
 | d.js:1:10:1:21 | default as g |
 | d.js:1:24:1:29 | x as y |
 | g.ts:1:9:1:11 | foo |
+| import-ts-with-js-extension.ts:1:10:1:12 | foo |
 test_GlobalVariableRef
 | a.js:5:31:5:31 | o |
 | exports.js:3:9:3:15 | exports |
--- a/javascript/ql/test/library-tests/Promises/ResolvedPromiseDefinition.qll
+++ b/javascript/ql/test/library-tests/Promises/ResolvedPromiseDefinition.qll
@@ -1,7 +1,7 @@
 import javascript

 query predicate test_ResolvedPromiseDefinition(
-  ResolvedPromiseDefinition resolved, DataFlow::Node res
+  PromiseCreationCall resolved, DataFlow::Node res
 ) {
  res = resolved.getValue()
 }
--- a/javascript/ql/test/library-tests/PropWrite/tests.expected
+++ b/javascript/ql/test/library-tests/PropWrite/tests.expected
@@ -10,6 +10,9 @@ test_getAPropertyRead
 | tst.js:34:6:34:12 | vvv.ppp | tst.js:34:6:34:16 | vvv.ppp.qqq |
 | tst.js:44:3:44:9 | console | tst.js:44:3:44:13 | console.log |
 | tst.js:44:15:44:17 | obj | tst.js:44:15:44:20 | obj[p] |
+| tst.js:46:17:46:21 | array | tst.js:47:10:47:10 | x |
+| tst.js:46:17:46:21 | array | tst.js:47:13:47:13 | y |
+| tst.js:46:17:46:21 | array | tst.js:47:16:47:16 | z |
 test_getAPropertyReference
 | classes.ts:3:21:3:20 | this | classes.ts:4:3:4:24 | instanc ...  foo(); |
 | classes.ts:8:3:8:2 | this | classes.ts:8:15:8:35 | public  ... erField |
@@ -50,6 +53,9 @@ test_getAPropertyReference
 | tst.js:41:12:41:30 | ["a", ...arr3, "d"] | tst.js:41:27:41:29 | "d" |
 | tst.js:44:3:44:9 | console | tst.js:44:3:44:13 | console.log |
 | tst.js:44:15:44:17 | obj | tst.js:44:15:44:20 | obj[p] |
+| tst.js:46:17:46:21 | array | tst.js:47:10:47:10 | x |
+| tst.js:46:17:46:21 | array | tst.js:47:13:47:13 | y |
+| tst.js:46:17:46:21 | array | tst.js:47:16:47:16 | z |
 test_getAPropertySource
 | classes.ts:3:21:3:20 | this | instanceField | classes.ts:4:19:4:23 | foo() |
 | classes.ts:8:3:8:2 | this | parameterField | classes.ts:8:22:8:35 | parameterField |
@@ -92,6 +98,9 @@ test_getAPropertyRead2
 | tst.js:34:6:34:8 | vvv | ppp | tst.js:34:6:34:12 | vvv.ppp |
 | tst.js:34:6:34:12 | vvv.ppp | qqq | tst.js:34:6:34:16 | vvv.ppp.qqq |
 | tst.js:44:3:44:9 | console | log | tst.js:44:3:44:13 | console.log |
+| tst.js:46:17:46:21 | array | 0 | tst.js:47:10:47:10 | x |
+| tst.js:46:17:46:21 | array | 1 | tst.js:47:13:47:13 | y |
+| tst.js:46:17:46:21 | array | 2 | tst.js:47:16:47:16 | z |
 test_getAPropertyReference2
 | classes.ts:3:21:3:20 | this | instanceField | classes.ts:4:3:4:24 | instanc ...  foo(); |
 | classes.ts:8:3:8:2 | this | parameterField | classes.ts:8:15:8:35 | public  ... erField |
@@ -116,6 +125,9 @@ test_getAPropertyReference2
 | tst.js:34:6:34:8 | vvv | ppp | tst.js:34:6:34:12 | vvv.ppp |
 | tst.js:34:6:34:12 | vvv.ppp | qqq | tst.js:34:6:34:16 | vvv.ppp.qqq |
 | tst.js:44:3:44:9 | console | log | tst.js:44:3:44:13 | console.log |
+| tst.js:46:17:46:21 | array | 0 | tst.js:47:10:47:10 | x |
+| tst.js:46:17:46:21 | array | 1 | tst.js:47:13:47:13 | y |
+| tst.js:46:17:46:21 | array | 2 | tst.js:47:16:47:16 | z |
 test_hasPropertyWrite
 | classes.ts:3:21:3:20 | this | instanceField | classes.ts:4:19:4:23 | foo() |
 | classes.ts:8:3:8:2 | this | parameterField | classes.ts:8:22:8:35 | parameterField |
--- a/javascript/ql/test/library-tests/PropWrite/tst.js
+++ b/javascript/ql/test/library-tests/PropWrite/tst.js
@@ -42,3 +42,8 @@ var arr1 = ["a", "b", "c"],

 for (var p in obj)
  console.log(obj[p]);
+
+  function test(array) {
+    let [x, y, z] = array;
+  }
+  
--- a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
@@ -309,12 +309,10 @@ nodes
 | tst.js:277:22:277:29 | location |
 | tst.js:277:22:277:29 | location |
 | tst.js:282:9:282:29 | tainted |
-| tst.js:282:9:282:29 | tainted |
 | tst.js:282:19:282:29 | window.name |
 | tst.js:282:19:282:29 | window.name |
 | tst.js:285:59:285:65 | tainted |
 | tst.js:285:59:285:65 | tainted |
-| tst.js:285:59:285:65 | tainted |
 | tst.js:297:35:297:42 | location |
 | tst.js:297:35:297:42 | location |
 | tst.js:297:35:297:42 | location |
@@ -610,11 +608,8 @@ edges
 | tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location |
 | tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
 | tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
-| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
-| tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
 | tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
 | tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
-| tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted |
 | tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
 | typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
@@ -709,9 +704,7 @@ edges
 | tst.js:257:7:257:10 | name | tst.js:257:7:257:10 | name | tst.js:257:7:257:10 | name | Cross-site scripting vulnerability due to $@. | tst.js:257:7:257:10 | name | user-provided value |
 | tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:261:11:261:21 | window.name | user-provided value |
 | tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:277:22:277:29 | location | user-provided value |
-| tst.js:285:59:285:65 | tainted | tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:282:9:282:29 | tainted | user-provided value |
 | tst.js:285:59:285:65 | tainted | tst.js:282:19:282:29 | window.name | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:282:19:282:29 | window.name | user-provided value |
-| tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:285:59:285:65 | tainted | user-provided value |
 | tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:297:35:297:42 | location | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
--- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js
+++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js
@@ -88,6 +88,8 @@
 	}
 	
 	new Deferred().resolve(onlySideEffects()); // OK
+	
+	Promise.all([onlySideEffects(), onlySideEffects()])
 })();

 +function() {
@@ -104,4 +106,4 @@ class Bar extends Foo {
 	constructor() {
 		console.log(super()); // OK.
 	}
-}
+}