hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4494 from erik-krogh/callLimit

Browse Source 
Approved by asgerf
This commit is contained in:
CodeQL CI
2020-10-19 11:03:25 -07:00
committed by GitHub
parent 5d9f54e797 8cf21e3b2b
commit 502faa7d1c
6 changed files with 96 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
change-notes/1.26/analysis-javascript.md
View File

@@ -8,7 +8,9 @@
- [@angular/*](https://www.npmjs.com/package/@angular/core)
- [AWS Serverless](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
- [Alibaba Serverless](https://www.alibabacloud.com/help/doc-detail/156876.htm)
- [debounce](https://www.npmjs.com/package/debounce)
- [bluebird](https://www.npmjs.com/package/bluebird)
- [call-limit](https://www.npmjs.com/package/call-limit)
- [express](https://www.npmjs.com/package/express)
- [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)
- [fast-safe-stringify](https://www.npmjs.com/package/fast-safe-stringify)
@@ -18,11 +20,15 @@
- [json-stable-stringify](https://www.npmjs.com/package/json-stable-stringify)
- [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
- [json3](https://www.npmjs.com/package/json3)
- [jQuery throttle / debounce](https://github.com/cowboy/jquery-throttle-debounce)
- [lodash](https://www.npmjs.com/package/lodash)
- [lodash.debounce](https://www.npmjs.com/package/lodash.debounce)
- [lodash.throttle](https://www.npmjs.com/package/lodash.throttle)
- [needle](https://www.npmjs.com/package/needle)
- [object-inspect](https://www.npmjs.com/package/object-inspect)
- [pretty-format](https://www.npmjs.com/package/pretty-format)
- [stringify-object](https://www.npmjs.com/package/stringify-object)
- [throttle-debounce](https://www.npmjs.com/package/throttle-debounce)
- [underscore](https://www.npmjs.com/package/underscore)
* Analyzing files with the ".cjs" extension is now supported.

40
javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
View File

@@ -1379,6 +1379,46 @@ module PartialInvokeNode {
}
}
/**
* A partial call that behaves like a throttle call, like `require("call-limit")(fs, limit)` or `_.memoize`.
* Seen as a partial invocation that binds no arguments.
*/
private class ThrottleLikePartialCall extends PartialInvokeNode::Range, DataFlow::CallNode {
int callbackIndex;
ThrottleLikePartialCall() {
callbackIndex = 0 and
(
this = LodashUnderscore::member(["throttle", "debounce", "once", "memoize"]).getACall()
or
this = DataFlow::moduleImport(["call-limit", "debounce"]).getACall()
)
or
callbackIndex = 1 and
(
this = LodashUnderscore::member(["after", "before"]).getACall()
or
// not jQuery: https://github.com/cowboy/jquery-throttle-debounce
this = DataFlow::globalVarRef("$").getAMemberCall(["throttle", "debounce"])
)
or
callbackIndex = -1 and
this = DataFlow::moduleMember("throttle-debounce", ["debounce", "throttle"]).getACall()
}
override DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) {
(
callbackIndex >= 0 and
callback = getArgument(callbackIndex)
or
callbackIndex = -1 and
callback = getLastArgument()
) and
boundArgs = 0 and
result = this
}
}
/**
* A partial call through `ramda.partial`.
*/

8
javascript/ql/test/library-tests/InterProceduralFlow/DataFlow.expected
View File

@@ -32,10 +32,18 @@
| partial.js:5:15:5:24 | "tainted1" | partial.js:15:15:15:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:21:15:21:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:27:15:27:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:34:15:34:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:41:15:41:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:47:15:47:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:53:15:53:15 | x |
| partial.js:6:15:6:24 | "tainted2" | partial.js:10:15:10:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:16:15:16:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:22:15:22:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:28:15:28:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:35:15:35:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
| promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
| promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
| promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |

8
javascript/ql/test/library-tests/InterProceduralFlow/GermanFlow.expected
View File

@@ -33,10 +33,18 @@
| partial.js:5:15:5:24 | "tainted1" | partial.js:15:15:15:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:21:15:21:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:27:15:27:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:34:15:34:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:41:15:41:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:47:15:47:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:53:15:53:15 | x |
| partial.js:6:15:6:24 | "tainted2" | partial.js:10:15:10:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:16:15:16:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:22:15:22:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:28:15:28:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:35:15:35:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
| promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
| promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
| promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |

8
javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected
View File

@@ -38,10 +38,18 @@
| partial.js:5:15:5:24 | "tainted1" | partial.js:15:15:15:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:21:15:21:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:27:15:27:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:34:15:34:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:41:15:41:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:47:15:47:15 | x |
| partial.js:5:15:5:24 | "tainted1" | partial.js:53:15:53:15 | x |
| partial.js:6:15:6:24 | "tainted2" | partial.js:10:15:10:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:16:15:16:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:22:15:22:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:28:15:28:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:35:15:35:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
| partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
| promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
| promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
| promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |

26
javascript/ql/test/library-tests/InterProceduralFlow/partial.js
View File

@@ -28,3 +28,29 @@ function f4(x, y) {
let sink2 = y;
}
R.partial(f4, [source1])(source2);
const limit = require('call-limit')
function f5(x, y) {
let sink1 = x;
let sink2 = y;
}
const limited = limit(f5, 5)
limited(source1, source2);
function f6(x, y) {
let sink1 = x;
let sink2 = y;
}
_.throttle(f6, 100)(source1, source2);
function f7(x, y) {
let sink1 = x;
let sink2 = y;
}
_.after(3, f7)(source1, source2);
function f8(x, y) {
let sink1 = x;
let sink2 = y;
}
require("throttle-debounce").debounce(1000, false, f8)(source1, source2);