Merge pull request #11775 from atorralba/atorralba/all/omittable-exists

All: Remove omittable exists variables
2026-05-05 05:35:13 +02:00 · 2023-01-10 16:07:06 +01:00
parent 6623e5fbf3 5c388c554c
commit 72a11e737d
253 changed files with 1713 additions and 2060 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
@@ -55,8 +55,8 @@ private module FunctionNames {
  private string getApproximateNameForFunction(Function function) {
    count(DataFlow::CallNode call, int index | functionUsedAsArgumentToCall(function, call, index)) =
      1 and
-    exists(DataFlow::CallNode call, int index, string basePart |
-      functionUsedAsArgumentToCall(function, call, index) and
+    exists(DataFlow::CallNode call, string basePart |
+      functionUsedAsArgumentToCall(function, call, _) and
      (
        if count(getReceiverName(call)) = 1
        then basePart = getReceiverName(call) + "."
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointDataTraining.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointDataTraining.qll
@@ -30,7 +30,7 @@ predicate tokenFeatures(DataFlow::Node endpoint, string featureName, string feat
    or
    // Performance note: this creates a Cartesian product between `endpoint` and `featureName`.
    featureName = EndpointFeatures::getASupportedFeatureName() and
-    not exists(string value | EndpointFeatures::tokenFeatures(endpoint, featureName, value)) and
+    not EndpointFeatures::tokenFeatures(endpoint, featureName, _) and
    featureValue = ""
  )
 }
--- a/javascript/ql/lib/semmle/javascript/DOM.qll
+++ b/javascript/ql/lib/semmle/javascript/DOM.qll
@@ -467,7 +467,8 @@ module DOM {
    // One step inlined in the beginning.
    exists(DataFlow::TypeTracker t2 |
      result =
-        any(DataFlow::Node n | n.hasUnderlyingType("Location")).getALocalSource().track(t2, t)
+        any(DataFlow::Node n | n.hasUnderlyingType("Location")).getALocalSource().track(t2, t) and
+      t2.start()
    )
    or
    exists(DataFlow::TypeTracker t2 | result = nonFirstLocationType(t2).track(t2, t))
--- a/javascript/ql/lib/semmle/javascript/DefUse.qll
+++ b/javascript/ql/lib/semmle/javascript/DefUse.qll
@@ -302,7 +302,7 @@ deprecated private int nextDefAfter(BasicBlock bb, Variable v, int i, VarDef d)
 * DEPRECATED: Use the `SSA.qll` library instead.
 */
 deprecated predicate localDefinitionOverwrites(LocalVariable v, VarDef earlier, VarDef later) {
-  exists(BasicBlock bb, int i, int next | next = nextDefAfter(bb, v, i, earlier) |
+  exists(BasicBlock bb, int next | next = nextDefAfter(bb, v, _, earlier) |
    bb.defAt(next, v, later)
    or
    exists(BasicBlock succ | succ = bb.getASuccessor() |
--- a/javascript/ql/lib/semmle/javascript/Expr.qll
+++ b/javascript/ql/lib/semmle/javascript/Expr.qll
@@ -571,7 +571,7 @@ class ObjectExpr extends @obj_expr, Expr {
  Property getProperty(int i) { properties(result, this, i, _, _) }

  /** Gets a property in this object literal. */
-  Property getAProperty() { exists(int i | result = this.getProperty(i)) }
+  Property getAProperty() { result = this.getProperty(_) }

  /** Gets the number of properties in this object literal. */
  int getNumProperty() { result = count(this.getAProperty()) }
--- a/javascript/ql/lib/semmle/javascript/Functions.qll
+++ b/javascript/ql/lib/semmle/javascript/Functions.qll
@@ -47,7 +47,7 @@ class Function extends @function, Parameterized, TypeParameterized, StmtContaine
  }

  /** Gets a parameter of this function. */
-  override Parameter getAParameter() { exists(int idx | result = this.getParameter(idx)) }
+  override Parameter getAParameter() { result = this.getParameter(_) }

  /** Gets the parameter named `name` of this function, if any. */
  SimpleParameter getParameterByName(string name) {
--- a/javascript/ql/lib/semmle/javascript/NodeJS.qll
+++ b/javascript/ql/lib/semmle/javascript/NodeJS.qll
@@ -316,7 +316,7 @@ class Require extends CallExpr, Import {
  override Module resolveImportedPath() {
    moduleInFile(result, this.load(min(int prio | moduleInFile(_, this.load(prio)))))
    or
-    not exists(Module mod | moduleInFile(mod, this.load(_))) and
+    not moduleInFile(_, this.load(_)) and
    result = Import.super.resolveImportedPath()
  }

--- a/javascript/ql/lib/semmle/javascript/Routing.qll
+++ b/javascript/ql/lib/semmle/javascript/Routing.qll
@@ -723,7 +723,7 @@ module Routing {
    isInstalledAt(result, router, node)
    or
    result = getMostRecentRouteSetupAt(router, node.getAPredecessor()) and
-    not exists(RouteSetup setup | isInstalledAt(setup, router, node))
+    not isInstalledAt(_, router, node)
  }

  /**
@@ -977,8 +977,8 @@ module Routing {
   * Holds if `pred -> succ` is a data-flow step between access paths on request input objects.
   */
  private predicate middlewareDataFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(Node writer, Node reader, int n, string path |
-      potentialAccessPathStep(writer, pred, reader, succ, n, path) and
+    exists(Node writer, Node reader |
+      potentialAccessPathStep(writer, pred, reader, succ, _, _) and
      pragma[only_bind_out](reader).isGuardedByNode(pragma[only_bind_out](writer))
    )
    or
--- a/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll
@@ -1155,9 +1155,9 @@ private predicate parameterPropRead(
  DataFlow::Node arg, string prop, DataFlow::Node succ, DataFlow::Configuration cfg,
  PathSummary summary
 ) {
-  exists(Function f, DataFlow::Node read, DataFlow::Node invk, DataFlow::Node parm |
+  exists(Function f, DataFlow::Node read |
    reachesReturn(f, read, cfg, summary) and
-    parameterPropReadStep(parm, read, prop, cfg, arg, invk, f, succ)
+    parameterPropReadStep(_, read, prop, cfg, arg, _, f, succ)
  )
 }

@@ -1764,11 +1764,8 @@ private PathNode getASuccessor(PathNode nd) {
  result = initialMidNode(nd)
  or
  // mid node to mid node
-  exists(
-    Configuration cfg, DataFlow::Node predNd, PathSummary summary, DataFlow::Node succNd,
-    PathSummary newSummary
-  |
-    midNodeStep(nd, predNd, cfg, summary, succNd, newSummary) and
+  exists(Configuration cfg, PathSummary summary, DataFlow::Node succNd, PathSummary newSummary |
+    midNodeStep(nd, _, cfg, summary, succNd, newSummary) and
    result = MkMidNode(succNd, id(cfg), summary.append(newSummary))
  )
  or
--- a/javascript/ql/lib/semmle/javascript/dataflow/Portals.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/Portals.qll
@@ -196,18 +196,14 @@ private module NpmPackagePortal {

  /** Holds if `imp` is an import of package `pkgName`. */
  predicate imports(DataFlow::SourceNode imp, string pkgName) {
-    exists(NpmPackage pkg |
-      imp = getAModuleImport(pkg, pkgName) and
-      pkgName.regexpMatch("[^./].*")
-    )
+    imp = getAModuleImport(_, pkgName) and
+    pkgName.regexpMatch("[^./].*")
  }

  /** Holds if `imp` imports `member` from package `pkgName`. */
  predicate imports(DataFlow::SourceNode imp, string pkgName, string member) {
-    exists(NpmPackage pkg |
-      imp = getAModuleMemberImport(pkg, pkgName, member) and
-      pkgName.regexpMatch("[^./].*")
-    )
+    imp = getAModuleMemberImport(_, pkgName, member) and
+    pkgName.regexpMatch("[^./].*")
  }

  /** Gets the main module of package `pkgName`. */
@@ -404,7 +400,7 @@ private module InstancePortal {
   * right-hand side of that definition.
   */
  predicate instanceMemberDef(Portal base, string name, DataFlow::Node rhs, boolean escapes) {
-    exists(AbstractInstance i, DataFlow::SourceNode ctor | isInstance(base, ctor, i, escapes) |
+    exists(DataFlow::SourceNode ctor | isInstance(base, ctor, _, escapes) |
      // ES2015 instance method
      exists(MemberDefinition mem |
        mem = ctor.getAstNode().(ClassDefinition).getAMember() and
--- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -611,9 +611,9 @@ module TaintTracking {
        )
        or
        // String.fromCharCode and String.fromCodePoint
-        exists(int i, DataFlow::MethodCallNode mcn |
+        exists(DataFlow::MethodCallNode mcn |
          mcn = succ and
-          pred = mcn.getArgument(i) and
+          pred = mcn.getAnArgument() and
          mcn.getMethodName() = ["fromCharCode", "fromCodePoint"]
        )
        or
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/AnalyzedParameters.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/AnalyzedParameters.qll
@@ -6,7 +6,7 @@ private import VariableTypeInference
 */
 pragma[nomagic]
 predicate isAnalyzedParameter(Parameter p) {
-  exists(FunctionWithAnalyzedParameters f, int parmIdx | p = f.getParameter(parmIdx) |
+  exists(FunctionWithAnalyzedParameters f | p = f.getAParameter() |
    // we cannot track flow into rest parameters
    not p.isRestParameter()
  )
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll
@@ -82,9 +82,9 @@ private predicate relevantExport(ES2015Module m, string x) {
    x = id.getASpecifier().getImportedName()
  )
  or
-  exists(ReExportDeclaration rexp, string y |
+  exists(ReExportDeclaration rexp |
    rexp.getReExportedModule() = m and
-    reExportsAs(rexp, x, y)
+    reExportsAs(rexp, x, _)
  )
 }

--- a/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
@@ -620,9 +620,7 @@ module Http {
            create.getArgument(0).asExpr() instanceof NullLiteral
          )
        ) and
-        exists(RouteHandlerCandidate candidate |
-          getAPossiblyDecoratedHandler(candidate).flowsTo(this.getAPropertyWrite().getRhs())
-        )
+        getAPossiblyDecoratedHandler(_).flowsTo(this.getAPropertyWrite().getRhs())
      }

      override DataFlow::SourceNode getRouteHandler(DataFlow::SourceNode access) {
--- a/javascript/ql/lib/semmle/javascript/frameworks/Handlebars.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Handlebars.qll
@@ -130,17 +130,14 @@ private module HandlebarsTaintSteps {
   * ```
   */
  private predicate isHandlebarsArgStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(
-      string helperName, DataFlow::CallNode templatingCall, DataFlow::CallNode compileCall,
-      DataFlow::FunctionNode func
-    |
+    exists(string helperName, DataFlow::CallNode templatingCall, DataFlow::CallNode compileCall |
      templatingCall = compiledTemplate(compileCall).getACall() and
      exists(string templateText, string paramName, int argIdx |
        compileCall.getArgument(0).mayHaveStringValue(templateText)
      |
        pred = templatingCall.getArgument(0).getALocalSource().getAPropertyWrite(paramName).getRhs() and
        isTemplateHelperCallArg(templateText, helperName, argIdx, paramName) and
-        succ = getRegisteredHelperParam(helperName, func, argIdx)
+        succ = getRegisteredHelperParam(helperName, _, argIdx)
      )
    )
  }
--- a/javascript/ql/lib/semmle/javascript/frameworks/PkgCloud.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/PkgCloud.qll
@@ -35,8 +35,8 @@ module PkgCloud {
    string kind;

    Credentials() {
-      exists(string propertyName, DataFlow::InvokeNode invk, int i |
-        takesConfigurationObject(invk, i) and
+      exists(string propertyName, DataFlow::InvokeNode invk |
+        takesConfigurationObject(invk, _) and
        this = invk.getOptionArgument(0, propertyName)
      |
        /*
--- a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -173,10 +173,8 @@ where
    // don't flag replacements of certain characters with whitespace
    not whitelistedRemoval(repl)
    or
-    exists(DataFlow::RegExpLiteralNode rel |
-      isBackslashEscape(repl, rel) and
-      not allBackslashesEscaped(repl) and
-      msg = "This does not escape backslash characters in the input."
-    )
+    isBackslashEscape(repl, _) and
+    not allBackslashesEscaped(repl) and
+    msg = "This does not escape backslash characters in the input."
  )
 select repl.getCalleeNode(), msg
--- a/javascript/ql/src/meta/analysis-quality/UnpromotedRouteSetupCandidate.ql
+++ b/javascript/ql/src/meta/analysis-quality/UnpromotedRouteSetupCandidate.ql
@@ -14,8 +14,6 @@ import CandidateTracking
 from Http::RouteSetupCandidate setup
 where
  not setup instanceof Http::RouteSetup and
-  exists(Http::RouteHandlerCandidate rh |
-    track(rh, DataFlow::TypeTracker::end()).flowsTo(setup.getARouteHandlerArg())
-  )
+  track(_, DataFlow::TypeTracker::end()).flowsTo(setup.getARouteHandlerArg())
 select setup,
  "A `RouteSetupCandidate` that did not get promoted to `RouteSetup`, and it is using at least one `RouteHandlerCandidate`."
--- a/javascript/ql/test/library-tests/DataFlow/tests.ql
+++ b/javascript/ql/test/library-tests/DataFlow/tests.ql
@@ -2,7 +2,7 @@ import javascript
 import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps

 query predicate argumentPassing(DataFlow::Node invk, DataFlow::Node arg, DataFlow::SourceNode parm) {
-  exists(Function f | FlowSteps::argumentPassing(invk, arg, f, parm))
+  FlowSteps::argumentPassing(invk, arg, _, parm)
 }

 query predicate basicBlock(DataFlow::Node node, BasicBlock bb) { node.getBasicBlock() = bb }
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -218,6 +218,16 @@ nodes
 | typed.ts:28:24:28:34 | redirectUri |
 | typed.ts:29:33:29:43 | redirectUri |
 | typed.ts:29:33:29:43 | redirectUri |
+| typed.ts:47:25:47:34 | loc.search |
+| typed.ts:47:25:47:34 | loc.search |
+| typed.ts:48:26:48:36 | loc2.search |
+| typed.ts:48:26:48:36 | loc2.search |
+| typed.ts:51:24:51:34 | redirectUri |
+| typed.ts:52:33:52:43 | redirectUri |
+| typed.ts:52:33:52:43 | redirectUri |
+| typed.ts:55:25:55:35 | redirectUri |
+| typed.ts:56:33:56:43 | redirectUri |
+| typed.ts:56:33:56:43 | redirectUri |
 edges
 | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
 | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
@@ -412,6 +422,14 @@ edges
 | typed.ts:25:25:25:34 | loc.search | typed.ts:28:24:28:34 | redirectUri |
 | typed.ts:28:24:28:34 | redirectUri | typed.ts:29:33:29:43 | redirectUri |
 | typed.ts:28:24:28:34 | redirectUri | typed.ts:29:33:29:43 | redirectUri |
+| typed.ts:47:25:47:34 | loc.search | typed.ts:51:24:51:34 | redirectUri |
+| typed.ts:47:25:47:34 | loc.search | typed.ts:51:24:51:34 | redirectUri |
+| typed.ts:48:26:48:36 | loc2.search | typed.ts:55:25:55:35 | redirectUri |
+| typed.ts:48:26:48:36 | loc2.search | typed.ts:55:25:55:35 | redirectUri |
+| typed.ts:51:24:51:34 | redirectUri | typed.ts:52:33:52:43 | redirectUri |
+| typed.ts:51:24:51:34 | redirectUri | typed.ts:52:33:52:43 | redirectUri |
+| typed.ts:55:25:55:35 | redirectUri | typed.ts:56:33:56:43 | redirectUri |
+| typed.ts:55:25:55:35 | redirectUri | typed.ts:56:33:56:43 | redirectUri |
 #select
 | electron.js:7:20:7:29 | getTaint() | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() | Untrusted URL redirection depends on a $@. | electron.js:4:12:4:22 | window.name | user-provided value |
 | react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:81 | documen ... on.hash | Untrusted URL redirection depends on a $@. | react.js:10:60:10:81 | documen ... on.hash | user-provided value |
@@ -475,3 +493,5 @@ edges
 | tst.js:26:22:26:82 | new Reg ... ref)[1] | tst.js:26:62:26:78 | win.location.href | tst.js:26:22:26:82 | new Reg ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:26:62:26:78 | win.location.href | user-provided value |
 | typed.ts:8:33:8:43 | redirectUri | typed.ts:4:22:4:36 | location.search | typed.ts:8:33:8:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:4:22:4:36 | location.search | user-provided value |
 | typed.ts:29:33:29:43 | redirectUri | typed.ts:25:25:25:34 | loc.search | typed.ts:29:33:29:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:25:25:25:34 | loc.search | user-provided value |
+| typed.ts:52:33:52:43 | redirectUri | typed.ts:47:25:47:34 | loc.search | typed.ts:52:33:52:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:47:25:47:34 | loc.search | user-provided value |
+| typed.ts:56:33:56:43 | redirectUri | typed.ts:48:26:48:36 | loc2.search | typed.ts:56:33:56:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:48:26:48:36 | loc2.search | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/typed.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/typed.ts
@@ -28,4 +28,31 @@ export class MyTrackingComponent {
    private doRedirect(redirectUri: string) {
        window.location.replace(redirectUri);
    }
+}
+
+export class WeirdTracking {
+    componentDidMount() {
+        const { location }: { location: Location } = (this as any).props; // location source
+
+        var container = {
+            loc: location
+        };
+        var secondLoc = container.loc; // type-tracking step 1 - not the source
+        
+        this.myIndirectRedirect(secondLoc); 
+    }
+
+    private myIndirectRedirect(loc) { // type-tracking step 2 - also not the source
+        const loc2 : Location = (loc as any).componentDidMount;
+        this.doRedirect(loc.search);
+        this.doRedirect2(loc2.search);
+    }
+
+    private doRedirect(redirectUri: string) {
+        window.location.replace(redirectUri); // NOT OK - and correctly flagged
+    }
+
+    private doRedirect2(redirectUri: string) {
+        window.location.replace(redirectUri); // NOT OK - and correctly flagged
+    }
 }
--- a/javascript/ql/test/tutorials/Introducing
+++ b/javascript/ql/test/tutorials/Introducing
@@ -20,9 +20,7 @@ class PasswordTracker extends DataFlow::Configuration {
 }

 query predicate test_query17(DataFlow::Node sink, string res) {
-  exists(PasswordTracker pt, DataFlow::Node source, Variable v |
-    pt.hasFlow(source, sink) and pt.passwordVarAssign(v, sink)
-  |
+  exists(PasswordTracker pt, Variable v | pt.hasFlow(_, sink) and pt.passwordVarAssign(v, sink) |
    res = "Password variable " + v.toString() + " is assigned a constant string."
  )
 }