add a step for referencing instance/static methods on classes

2026-04-27 17:55:19 +02:00 · 2021-01-28 13:34:36 +01:00
parent 518bfa4d41
commit 49b1bfc41b
3 changed files with 26 additions and 5 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/CallGraphs.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/CallGraphs.qll
@@ -54,27 +54,34 @@ module CallGraph {
    PreCallGraphStep::step(any(DataFlow::Node n | function.flowsTo(n)), result)
    or
    imprecision = 0 and
+    result = callgraphStep(function, t)
+  }
+
+  /**
+   * Gets a reference to `function` type-tracked by `t`.
+   * Only considers callgraph specific steps.
+   */
+  cached
+  DataFlow::SourceNode callgraphStep(DataFlow::FunctionNode function, DataFlow::TypeTracker t) {
    exists(DataFlow::ClassNode cls |
      exists(string name |
        function = cls.getInstanceMethod(name) and
-        cls.getAnInstanceMemberAccess(name, t.continue()).flowsTo(result)
+        cls.getAnInstanceMemberAccess(name, t.continue()) = result
        or
        function = cls.getStaticMethod(name) and
-        cls.getAClassReference(t.continue()).getAPropertyRead(name).flowsTo(result)
+        cls.getAClassReference(t.continue()).getAPropertyRead(name) = result
      )
      or
      function = cls.getConstructor() and
-      cls.getAClassReference(t.continue()).flowsTo(result)
+      cls.getAClassReference(t.continue()) = result
    )
    or
-    imprecision = 0 and
    exists(DataFlow::FunctionNode outer |
      result = getAFunctionReference(outer, 0, t.continue()).getAnInvocation() and
      locallyReturnedFunction(outer, function)
    )
  }

-  cached
  private predicate locallyReturnedFunction(
    DataFlow::FunctionNode outer, DataFlow::FunctionNode inner
  ) {
--- a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
@@ -5,6 +5,7 @@
 import javascript
 private import semmle.javascript.DynamicPropertyAccess
 private import semmle.javascript.dataflow.internal.StepSummary
+private import semmle.javascript.dataflow.internal.CallGraphs

 module HTTP {
  /**
@@ -299,6 +300,9 @@ module HTTP {
    exists(DataFlow::PartialInvokeNode call |
      succ = call.getBoundFunction(any(DataFlow::Node n | pred.flowsTo(n)), 0)
    )
+    or
+    // references to class methods
+    succ = CallGraph::callgraphStep(pred, DataFlow::TypeTracker::end())
  }

  /**