Merge pull request #466 from xiemaisi/js/more-data-flow-predicates

Approved by asger-semmle

javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql

@@ -22,10 +22,9 @@ private predicate isBoundInMethod(MethodDeclaration method) {
     or
     exists (string name |
       name = method.getName() |
-      exists (DataFlow::Node rhs, DataFlow::MethodCallNode bind |
+      exists (DataFlow::MethodCallNode bind |
         // this.<methodName> = <expr>.bind(...)
-        thiz.hasPropertyWrite(name, rhs) and
-        bind.flowsTo(rhs) and
+        bind = thiz.getAPropertySource(name) and
         bind.getMethodName() = "bind"
       )
       or

javascript/ql/src/semmle/javascript/AMD.qll

@@ -83,6 +83,11 @@ class AMDModuleDefinition extends CallExpr {
     )
   }
 
+  /** Gets a source node whose value becomes the definition of this module. */
+  DataFlow::SourceNode getAModuleSource() {
+    result.flowsToExpr(getModuleExpr())
+  }
+
   /**
    * Holds if `p` is the parameter corresponding to dependency `dep`.
    */

javascript/ql/src/semmle/javascript/dataflow/Sources.qll

@@ -178,6 +178,13 @@ abstract class SourceNode extends DataFlow::Node {
   DataFlow::NewNode getAnInstantiation() {
     result = getAnInvocation()
   }
+
+  /**
+   * Gets a source node whose value is stored in property `prop` of this node.
+   */
+  DataFlow::SourceNode getAPropertySource(string prop) {
+    result.flowsTo(getAPropertyWrite(prop).getRhs())
+  }
 }
 
 /**

javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll

@@ -439,9 +439,9 @@ class GeneralDirective extends CustomDirective, MkCustomDirective {
     result = getMember("link")
     or
     // { link: { pre: function preLink() { ... }, post: function postLink() { ... } } }
-    exists (DataFlow::PropWrite pwn | kind = "pre" or kind = "post" |
-      pwn = getMember("link").getAPropertyWrite(kind) and
-      result.flowsTo(pwn.getRhs())
+    (
+      (kind = "pre" or kind = "post") and
+      result = getMember("link").getAPropertySource(kind)
     )
     or
     // { compile: function() { ... return link; } }
@@ -453,9 +453,9 @@ class GeneralDirective extends CustomDirective, MkCustomDirective {
       result = compileReturnSrc
       or
       // link = { pre: function preLink() { ... }, post: function postLink() { ... } }
-      exists (DataFlow::PropWrite pwn | kind = "pre" or kind = "post" |
-        pwn = compileReturnSrc.getAPropertyWrite(kind) and
-        result.flowsTo(pwn.getRhs())
+      (
+        (kind = "pre" or kind = "post") and
+        result = compileReturnSrc.getAPropertySource(kind)
       )
     )
   }

javascript/ql/src/semmle/javascript/frameworks/AngularJS/ServiceDefinitions.qll

@@ -718,11 +718,10 @@ class ProviderRecipeDefinition extends RecipeDefinition {
     method set to your factory function is automatically created
     under the hood.  */
 
-    exists(DataFlow::ThisNode thiz, DataFlow::Node rhs, InjectableFunction f |
+    exists(DataFlow::ThisNode thiz, InjectableFunction f |
       f = getAFactoryFunction() and
       thiz.getBinder().getFunction() = f.asFunction() and
-      thiz.hasPropertyWrite("$get", rhs) and
-      result.flowsTo(rhs)
+      result = thiz.getAPropertySource("$get")
     )
   }