JS: Type track spanner model

2025-12-20 10:46:30 +01:00 · 2020-05-15 17:18:48 +01:00
parent d225715828
commit 5249e84359
4 changed files with 77 additions and 22 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -439,25 +439,79 @@ private module Spanner {
    result = DataFlow::moduleMember("@google-cloud/spanner", "Spanner")
  }

-  /**
-   * Gets a node that refers to an instance of the `Database` class.
-   */
+  /** Gets a data flow node referring to the result of `Spanner()` or `new Spanner()`. */
+  private DataFlow::SourceNode spannerNew(DataFlow::TypeTracker t) {
+    t.start() and
+    result = spanner().getAnInvocation()
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = spannerNew(t2).track(t2, t)
+    )
+  }
+
+  /** Gets a data flow node referring to the result of `Spanner()` or `new Spanner()`. */
+  DataFlow::SourceNode spannerNew() {
+    result = spannerNew(DataFlow::TypeTracker::end())
+  }
+
+  /** Gets a data flow node referring to the result of `.instance()`. */
+  private DataFlow::SourceNode instance(DataFlow::TypeTracker t) {
+    t.start() and
+    result = spannerNew().getAMethodCall("instance")
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = instance(t2).track(t2, t)
+    )
+  }
+
+  /** Gets a data flow node referring to the result of `.instance()`. */
+  DataFlow::SourceNode instance() {
+    result = instance(DataFlow::TypeTracker::end())
+  }
+
+  /** Gets a node that refers to an instance of the `Database` class. */
+  private DataFlow::SourceNode database(DataFlow::TypeTracker t) {
+    t.start() and
+    result = instance().getAMethodCall("database")
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = database(t2).track(t2, t)
+    )
+  }
+
+  /** Gets a node that refers to an instance of the `Database` class. */
  DataFlow::SourceNode database() {
-    result = spanner().getAnInvocation().getAMethodCall("instance").getAMethodCall("database")
+    result = database(DataFlow::TypeTracker::end())
  }

-  /**
-   * Gets a node that refers to an instance of the `v1.SpannerClient` class.
-   */
-  DataFlow::SourceNode v1SpannerClient() {
+  /** Gets a node that refers to an instance of the `v1.SpannerClient` class. */
+  private DataFlow::SourceNode v1SpannerClient(DataFlow::TypeTracker t) {
+    t.start() and
    result = spanner().getAPropertyRead("v1").getAPropertyRead("SpannerClient").getAnInstantiation()
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = v1SpannerClient(t2).track(t2, t)
+    )
  }

-  /**
-   * Gets a node that refers to a transaction object.
-   */
+  /** Gets a node that refers to an instance of the `v1.SpannerClient` class. */
+  DataFlow::SourceNode v1SpannerClient() {
+    result = v1SpannerClient(DataFlow::TypeTracker::end())
+  }
+
+  /** Gets a node that refers to a transaction object. */
+  private DataFlow::SourceNode transaction(DataFlow::TypeTracker t) {
+    t.start() and
+    result = database().getAMethodCall("runTransaction").getABoundCallbackParameter(0, 1)
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = transaction(t2).track(t2, t)
+    )
+  }
+
+  /** Gets a node that refers to a transaction object. */
  DataFlow::SourceNode transaction() {
-    result = database().getAMethodCall("runTransaction").getCallback(0).getParameter(1)
+    result = transaction(DataFlow::TypeTracker::end())
  }

  /**
@@ -481,9 +535,7 @@ private module Spanner {
   */
  class DatabaseRunCall extends SqlExecution {
    DatabaseRunCall() {
-      exists(string run | run = "run" or run = "runPartitionedUpdate" or run = "runStream" |
-        this = database().getAMethodCall(run)
-      )
+      this = database().getAMethodCall(["run", "runPartitionedUpdate", "runStream"])
    }
  }

@@ -492,9 +544,7 @@ private module Spanner {
   */
  class TransactionRunCall extends SqlExecution {
    TransactionRunCall() {
-      exists(string run | run = "run" or run = "runStream" or run = "runUpdate" |
-        this = transaction().getAMethodCall(run)
-      )
+      this = transaction().getAMethodCall(["run", "runStream", "runUpdate"])
    }
  }

@@ -503,9 +553,7 @@ private module Spanner {
   */
  class ExecuteSqlCall extends SqlExecution {
    ExecuteSqlCall() {
-      exists(string exec | exec = "executeSql" or exec = "executeStreamingSql" |
-        this = v1SpannerClient().getAMethodCall(exec)
-      )
+      this = v1SpannerClient().getAMethodCall(["executeSql", "executeStreamingSql"])
    }

    override DataFlow::Node getAQueryArgument() {
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -39,5 +39,6 @@
 | spanner.js:18:16:18:25 | "SQL code" |
 | spanner.js:19:16:19:34 | { sql: "SQL code" } |
 | spanner.js:19:23:19:32 | "SQL code" |
+| spannerImport.js:4:8:4:17 | "SQL code" |
 | sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |
 | sqliteImport.js:2:8:2:44 | "UPDATE ... id = ?" |
--- a/javascript/ql/test/library-tests/frameworks/SQL/spanner.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/spanner.js
@@ -17,4 +17,6 @@ db.runTransaction((err, tx) => {
  tx.runStream({ sql: "SQL code" });
  tx.runUpdate("SQL code");
  tx.runUpdate({ sql: "SQL code" });
-});
+});
+
+exports.instance = instance;
--- a/javascript/ql/test/library-tests/frameworks/SQL/spannerImport.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/spannerImport.js
@@ -0,0 +1,4 @@
+const { instance } = require('./spanner');
+const db = instance.database('db');
+
+db.run("SQL code", (err, rows) => {});