Merge pull request #466 from xiemaisi/js/more-data-flow-predicates

Approved by asger-semmle

javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql

@@ -22,10 +22,9 @@ private predicate isBoundInMethod(MethodDeclaration method) {
     or
     exists (string name |
       name = method.getName() |
-      exists (DataFlow::Node rhs, DataFlow::MethodCallNode bind |
+      exists (DataFlow::MethodCallNode bind |
         // this.<methodName> = <expr>.bind(...)
-        thiz.hasPropertyWrite(name, rhs) and
-        bind.flowsTo(rhs) and
+        bind = thiz.getAPropertySource(name) and
         bind.getMethodName() = "bind"
       )
       or

javascript/ql/src/semmle/javascript/AMD.qll

@@ -83,6 +83,11 @@ class AMDModuleDefinition extends CallExpr {
     )
   }
 
+  /** Gets a source node whose value becomes the definition of this module. */
+  DataFlow::SourceNode getAModuleSource() {
+    result.flowsToExpr(getModuleExpr())
+  }
+
   /**
    * Holds if `p` is the parameter corresponding to dependency `dep`.
    */

javascript/ql/src/semmle/javascript/dataflow/Sources.qll

@@ -178,6 +178,13 @@ abstract class SourceNode extends DataFlow::Node {
   DataFlow::NewNode getAnInstantiation() {
     result = getAnInvocation()
   }
+
+  /**
+   * Gets a source node whose value is stored in property `prop` of this node.
+   */
+  DataFlow::SourceNode getAPropertySource(string prop) {
+    result.flowsTo(getAPropertyWrite(prop).getRhs())
+  }
 }
 
 /**

javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll

@@ -439,9 +439,9 @@ class GeneralDirective extends CustomDirective, MkCustomDirective {
     result = getMember("link")
     or
     // { link: { pre: function preLink() { ... }, post: function postLink() { ... } } }
-    exists (DataFlow::PropWrite pwn | kind = "pre" or kind = "post" |
-      pwn = getMember("link").getAPropertyWrite(kind) and
-      result.flowsTo(pwn.getRhs())
+    (
+      (kind = "pre" or kind = "post") and
+      result = getMember("link").getAPropertySource(kind)
     )
     or
     // { compile: function() { ... return link; } }
@@ -453,9 +453,9 @@ class GeneralDirective extends CustomDirective, MkCustomDirective {
       result = compileReturnSrc
       or
       // link = { pre: function preLink() { ... }, post: function postLink() { ... } }
-      exists (DataFlow::PropWrite pwn | kind = "pre" or kind = "post" |
-        pwn = compileReturnSrc.getAPropertyWrite(kind) and
-        result.flowsTo(pwn.getRhs())
+      (
+        (kind = "pre" or kind = "post") and
+        result = compileReturnSrc.getAPropertySource(kind)
       )
     )
   }

javascript/ql/src/semmle/javascript/frameworks/AngularJS/ServiceDefinitions.qll

@@ -718,11 +718,10 @@ class ProviderRecipeDefinition extends RecipeDefinition {
     method set to your factory function is automatically created
     under the hood.  */
 
-    exists(DataFlow::ThisNode thiz, DataFlow::Node rhs, InjectableFunction f |
+    exists(DataFlow::ThisNode thiz, InjectableFunction f |
       f = getAFactoryFunction() and
       thiz.getBinder().getFunction() = f.asFunction() and
-      thiz.hasPropertyWrite("$get", rhs) and
-      result.flowsTo(rhs)
+      result = thiz.getAPropertySource("$get")
     )
   }
 

javascript/ql/test/library-tests/AMD/AMDModuleExpr.expected

@@ -1,4 +1,4 @@
-| a.js:1:1:3:2 | define( ... 2 };\\n}) | a.js:2:12:2:22 | { foo: 42 } |
-| dir/b.js:1:1:3:2 | define( ... : 42\\n}) | dir/b.js:1:8:3:1 | {\\n    bar: 42\\n} |
-| tst.js:1:1:6:2 | define( ...   };\\n}) | tst.js:2:12:5:5 | {\\n      ... r\\n    } |
-| umd.js:4:9:4:43 | define( ... actory) | umd.js:10:12:13:5 | {\\n      ... r\\n    } |
+| a.js:1:1:3:2 | define( ... 2 };\\n}) | a.js:2:12:2:22 | { foo: 42 } | a.js:2:12:2:22 | { foo: 42 } |
+| dir/b.js:1:1:3:2 | define( ... : 42\\n}) | dir/b.js:1:8:3:1 | {\\n    bar: 42\\n} | dir/b.js:1:8:3:1 | {\\n    bar: 42\\n} |
+| tst.js:1:1:6:2 | define( ...   };\\n}) | tst.js:2:12:5:5 | {\\n      ... r\\n    } | tst.js:2:12:5:5 | {\\n      ... r\\n    } |
+| umd.js:4:9:4:43 | define( ... actory) | umd.js:10:12:13:5 | {\\n      ... r\\n    } | umd.js:10:12:13:5 | {\\n      ... r\\n    } |

javascript/ql/test/library-tests/AMD/AMDModuleExpr.ql

@@ -1,4 +1,4 @@
 import javascript
 
 from AMDModuleDefinition d
-select d, d.getModuleExpr()
+select d, d.getModuleExpr(), d.getAModuleSource()

javascript/ql/test/library-tests/PropWrite/getAPropertySource.expected

@@ -0,0 +1,4 @@
+| tst.js:2:11:10:1 | {\\n    x ...     }\\n} | f | tst.js:7:6:9:5 | () {\\n   ... ;\\n    } |
+| tst.js:2:11:10:1 | {\\n    x ...     }\\n} | func | tst.js:4:11:6:5 | functio ... ;\\n    } |
+| tst.js:12:1:19:1 | class C ... ;\\n  }\\n} | func | tst.js:13:14:15:3 | (x) {\\n  ... x);\\n  } |
+| tst.js:24:8:24:57 | <div on ... }</div> | onClick | tst.js:24:22:24:26 | click |

javascript/ql/test/library-tests/PropWrite/getAPropertySource.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from DataFlow::SourceNode nd, string prop
+select nd, prop, nd.getAPropertySource(prop)