Merge pull request #115 from esben-semmle/js/composed-function-taint

JS: model composed functions
2026-04-29 10:45:15 +02:00 · 2018-08-31 08:14:18 +01:00
parent 7e18426fde dc72788746
commit 69ca103e06
6 changed files with 211 additions and 0 deletions
--- a/javascript/ql/test/library-tests/frameworks/ComposedFunctions/compose.expected
+++ b/javascript/ql/test/library-tests/frameworks/ComposedFunctions/compose.expected
@@ -0,0 +1,13 @@
+| tst.js:10:10:10:15 | source |
+| tst.js:15:10:15:13 | f1() |
+| tst.js:20:10:20:23 | compose1(f2)() |
+| tst.js:28:10:28:27 | compose1(f3, f4)() |
+| tst.js:33:10:33:28 | compose1(o.f, f5)() |
+| tst.js:41:10:41:27 | compose1(f6, f7)() |
+| tst.js:49:10:49:33 | compose ... source) |
+| tst.js:61:10:61:40 | compose ... source) |
+| tst.js:66:10:66:30 | compose ... source) |
+| tst.js:89:10:89:31 | f18(und ... source) |
+| tst.js:94:10:94:24 | compose2(f19)() |
+| tst.js:99:10:99:24 | compose3(f20)() |
+| tst.js:104:10:104:24 | compose4(f21)() |
--- a/javascript/ql/test/library-tests/frameworks/ComposedFunctions/compose.ql
+++ b/javascript/ql/test/library-tests/frameworks/ComposedFunctions/compose.ql
@@ -0,0 +1,22 @@
+import javascript
+
+class ExampleConfiguration extends TaintTracking::Configuration {
+
+  ExampleConfiguration() { this = "ExampleConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr().(CallExpr).getCalleeName() = "SOURCE"
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists (CallExpr callExpr |
+      callExpr.getCalleeName() = "SINK" and
+      DataFlow::valueNode(callExpr.getArgument(0)) = sink
+    )
+  }
+
+}
+
+from ExampleConfiguration cfg, DataFlow::Node source, DataFlow::Node sink
+where cfg.hasFlow(source, sink)
+select sink
--- a/javascript/ql/test/library-tests/frameworks/ComposedFunctions/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/ComposedFunctions/tst.js
@@ -0,0 +1,106 @@
+import compose1 from 'just-compose';
+import compose2 from 'compose-function';
+import compose3 from 'lodash.flow';
+import _ from 'lodash';
+var compose4 = _.flow;
+
+(function(){
+    var source = SOURCE();
+
+    SINK(source);
+
+    function f1(){
+        return source;
+    }
+    SINK(f1());
+
+    function f2(){
+        return source;
+    }
+    SINK(compose1(f2)());
+
+    function f3(){
+
+    }
+    function f4(){
+        return source;
+    }
+    SINK(compose1(f3, f4)());
+
+    function f5(){
+        return source;
+    }
+    SINK(compose1(o.f, f5)());
+
+    function f6(){
+        return source;
+    }
+    function f7(x){
+        return x;
+    }
+    SINK(compose1(f6, f7)());
+
+    function f8(x){
+        return x;
+    }
+    function f9(x){
+        return x;
+    }
+    SINK(compose1(f8, f9)(source));
+
+
+    function f10(x){
+        return x;
+    }
+    function f11(x){
+        return x;
+    }
+    function f12(x){
+        return x;
+    }
+    SINK(compose1(f10, f11, f12)(source));
+
+    function f13(x){
+        return x + 'foo' ;
+    }
+    SINK(compose1(f13)(source));
+
+    function f14(){
+        return undefined;
+    }
+    SINK(f14()); // NO FLOW
+
+    function f15(){
+        return source;
+    }
+    function f16(){
+        return undefined;
+    }
+    SINK(compose1(f15, f16)()); // NO FLOW
+
+    function f17(x, y){
+        return y;
+    }
+    SINK(f17(source)); // NO FLOW
+
+    function f18(x, y){
+        return y;
+    }
+    SINK(f18(undefined, source));
+
+    function f19(){
+        return source;
+    }
+    SINK(compose2(f19)());
+
+    function f20(){
+        return source;
+    }
+    SINK(compose3(f20)());
+
+    function f21(){
+        return source;
+    }
+    SINK(compose4(f21)());
+
+})();