hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-28 05:42:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/main' into henrymercer/semmle-code-noop-merge

Browse Source
This commit is contained in:
Henry Mercer
2022-05-30 20:14:22 +01:00
parent 013b4c8768 6a6a63e1aa
commit 76375f8d73
187 changed files with 5302 additions and 746 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/go-tests.yml vendored
View File

@@ -4,6 +4,7 @@ on:
paths:
- "go/**"
- .github/workflows/go-tests.yml
- codeql-workspace.yml
jobs:
test-linux:

2
.github/workflows/js-ml-tests.yml vendored
View File

@@ -5,6 +5,7 @@ on:
paths:
- "javascript/ql/experimental/adaptivethreatmodeling/**"
- .github/workflows/js-ml-tests.yml
- codeql-workspace.yml
branches:
- main
- "rc/*"
@@ -12,6 +13,7 @@ on:
paths:
- "javascript/ql/experimental/adaptivethreatmodeling/**"
- .github/workflows/js-ml-tests.yml
- codeql-workspace.yml
workflow_dispatch:
defaults:

2
.github/workflows/ql-for-ql-tests.yml vendored
View File

@@ -5,10 +5,12 @@ on:
branches: [main]
paths:
- "ql/**"
- codeql-workspace.yml
pull_request:
branches: [main]
paths:
- "ql/**"
- codeql-workspace.yml
env:
CARGO_TERM_COLOR: always

2
.github/workflows/ruby-build.yml vendored
View File

@@ -5,6 +5,7 @@ on:
paths:
- "ruby/**"
- .github/workflows/ruby-build.yml
- codeql-workspace.yml
branches:
- main
- "rc/*"
@@ -12,6 +13,7 @@ on:
paths:
- "ruby/**"
- .github/workflows/ruby-build.yml
- codeql-workspace.yml
branches:
- main
- "rc/*"

2
.github/workflows/ruby-qltest.yml vendored
View File

@@ -5,6 +5,7 @@ on:
paths:
- "ruby/**"
- .github/workflows/ruby-qltest.yml
- codeql-workspace.yml
branches:
- main
- "rc/*"
@@ -12,6 +13,7 @@ on:
paths:
- "ruby/**"
- .github/workflows/ruby-qltest.yml
- codeql-workspace.yml
branches:
- main
- "rc/*"

1
.github/workflows/swift-qltest.yml vendored
View File

@@ -5,6 +5,7 @@ on:
paths:
- "swift/**"
- .github/workflows/swift-qltest.yml
- codeql-workspace.yml
branches:
- main
defaults:

6
config/identical-files.json
View File

@@ -525,7 +525,8 @@
"csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
"java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
"javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
"ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll"
"ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll",
"python/ql/lib/semmle/python/frameworks/data/internal/AccessPathSyntax.qll"
],
"IncompleteUrlSubstringSanitization": [
"javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
@@ -543,7 +544,8 @@
],
"ApiGraphModels": [
"javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
"ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll"
"ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",
"python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll"
],
"TaintedFormatStringQuery Ruby/JS": [
"javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",

23
csharp/documentation/library-coverage/coverage.csv
View File

@@ -1,10 +1,27 @@
package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:local,summary:taint,summary:value
Dapper,55,,,,,,55,,,,
JsonToItemsTaskFactory,,,7,,,,,,,7,
Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,,
Microsoft.CSharp,,,24,,,,,,,24,
Microsoft.EntityFrameworkCore,6,,,,,,6,,,,
Microsoft.Extensions.Primitives,,,54,,,,,,,54,
Microsoft.VisualBasic,,,4,,,,,,,,4
Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,15,
Microsoft.Extensions.Caching.Memory,,,46,,,,,,,45,1
Microsoft.Extensions.Configuration,,,83,,,,,,,80,3
Microsoft.Extensions.DependencyInjection,,,62,,,,,,,62,
Microsoft.Extensions.DependencyModel,,,12,,,,,,,12,
Microsoft.Extensions.FileProviders,,,15,,,,,,,15,
Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,13,2
Microsoft.Extensions.Hosting,,,17,,,,,,,16,1
Microsoft.Extensions.Http,,,10,,,,,,,10,
Microsoft.Extensions.Logging,,,37,,,,,,,37,
Microsoft.Extensions.Options,,,8,,,,,,,8,
Microsoft.Extensions.Primitives,,,63,,,,,,,63,
Microsoft.Interop,,,27,,,,,,,27,
Microsoft.NET.Build.Tasks,,,1,,,,,,,1,
Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,4,
Microsoft.VisualBasic,,,9,,,,,,,5,4
Microsoft.Win32,,,8,,,,,,,8,
MySql.Data.MySqlClient,48,,,,,,48,,,,
Newtonsoft.Json,,,91,,,,,,,73,18
ServiceStack,194,,7,27,,75,92,,,7,
System,28,3,2336,,4,,23,1,3,611,1725
System,28,3,12038,,4,,23,1,3,10096,1942
1 package sink source summary sink:code sink:html sink:remote sink:sql sink:xss source:local summary:taint summary:value
2 Dapper 55 55
3 JsonToItemsTaskFactory 7 7
4 Microsoft.ApplicationBlocks.Data 28 28
5 Microsoft.CSharp 24 24
6 Microsoft.EntityFrameworkCore 6 6
7 Microsoft.Extensions.Primitives Microsoft.Extensions.Caching.Distributed 54 15 54 15
8 Microsoft.VisualBasic Microsoft.Extensions.Caching.Memory 4 46 45 4 1
9 Microsoft.Extensions.Configuration 83 80 3
10 Microsoft.Extensions.DependencyInjection 62 62
11 Microsoft.Extensions.DependencyModel 12 12
12 Microsoft.Extensions.FileProviders 15 15
13 Microsoft.Extensions.FileSystemGlobbing 15 13 2
14 Microsoft.Extensions.Hosting 17 16 1
15 Microsoft.Extensions.Http 10 10
16 Microsoft.Extensions.Logging 37 37
17 Microsoft.Extensions.Options 8 8
18 Microsoft.Extensions.Primitives 63 63
19 Microsoft.Interop 27 27
20 Microsoft.NET.Build.Tasks 1 1
21 Microsoft.NETCore.Platforms.BuildTasks 4 4
22 Microsoft.VisualBasic 9 5 4
23 Microsoft.Win32 8 8
24 MySql.Data.MySqlClient 48 48
25 Newtonsoft.Json 91 73 18
26 ServiceStack 194 7 27 75 92 7
27 System 28 3 2336 12038 4 23 1 3 611 10096 1725 1942

6
csharp/documentation/library-coverage/coverage.rst
View File

@@ -8,7 +8,7 @@ C# framework & library support
Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
`ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
System,"``System.*``, ``System``",3,2336,28,5
Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Primitives``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,149,137,
Totals,,3,2492,359,5
System,"``System.*``, ``System``",3,12038,28,5
Others,"``Dapper``, ``JsonToItemsTaskFactory``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NETCore.Platforms.BuildTasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,554,137,
Totals,,3,12599,359,5

4
docs/codeql/support/reusables/versions-compilers.rst
View File

@@ -20,10 +20,10 @@
Java,"Java 7 to 18 [4]_","javac (OpenJDK and Oracle JDK),
Eclipse compiler for Java (ECJ) [5]_",``.java``
JavaScript,ECMAScript 2021 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [6]_"
JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [6]_"
Python,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10",Not applicable,``.py``
Ruby [7]_,"up to 3.0.2",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
TypeScript [8]_,"2.6-4.6",Standard TypeScript compiler,"``.ts``, ``.tsx``"
TypeScript [8]_,"2.6-4.7",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
.. container:: footnote-group

22
java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt
View File

@@ -491,11 +491,17 @@ open class KotlinFileExtractor(
private fun extractValueParameter(vp: IrValueParameter, parent: Label<out DbCallable>, idx: Int, typeSubstitution: TypeSubstitution?, parentSourceDeclaration: Label<out DbCallable>, classTypeArgsIncludingOuterClasses: List<IrTypeArgument>?, extractTypeAccess: Boolean, locOverride: Label<DbLocation>? = null): TypeResults {
with("value parameter", vp) {
val location = locOverride ?: getLocation(vp, classTypeArgsIncludingOuterClasses)
val maybeErasedType = (vp.parent as? IrFunction)?.let {
if (overridesCollectionsMethodWithAlteredParameterTypes(it))
eraseCollectionsMethodParameterType(vp.type, it.name.asString(), idx)
else
null
} ?: vp.type
val id = useValueParameter(vp, parent)
if (extractTypeAccess) {
extractTypeAccessRecursive(typeSubstitution?.let { it(vp.type, TypeContext.OTHER, pluginContext) } ?: vp.type, location, id, -1)
extractTypeAccessRecursive(typeSubstitution?.let { it(maybeErasedType, TypeContext.OTHER, pluginContext) } ?: maybeErasedType, location, id, -1)
}
return extractValueParameter(id, vp.type, vp.name.asString(), location, parent, idx, typeSubstitution, useValueParameter(vp, parentSourceDeclaration), vp.isVararg)
return extractValueParameter(id, maybeErasedType, vp.name.asString(), location, parent, idx, typeSubstitution, useValueParameter(vp, parentSourceDeclaration), vp.isVararg)
}
}
@@ -524,7 +530,8 @@ open class KotlinFileExtractor(
pluginContext.irBuiltIns.unitType,
extensionReceiverParameter = null,
functionTypeParameters = listOf(),
classTypeArgsIncludingOuterClasses = listOf()
classTypeArgsIncludingOuterClasses = listOf(),
overridesCollectionsMethod = false
)
val clinitId = tw.getLabelFor<DbMethod>(clinitLabel)
val returnType = useType(pluginContext.irBuiltIns.unitType, TypeContext.RETURN)
@@ -759,7 +766,8 @@ open class KotlinFileExtractor(
with("field", f) {
DeclarationStackAdjuster(f).use {
declarationStack.push(f)
return extractField(useField(f), f.name.asString(), f.type, parentId, tw.getLocation(f), f.visibility, f, isExternalDeclaration(f), f.isFinal)
val fNameSuffix = getExtensionReceiverType(f)?.let { it.classFqName?.asString()?.replace(".", "$$") } ?: ""
return extractField(useField(f), "${f.name.asString()}$fNameSuffix", f.type, parentId, tw.getLocation(f), f.visibility, f, isExternalDeclaration(f), f.isFinal)
}
}
}
@@ -1394,12 +1402,6 @@ open class KotlinFileExtractor(
result
}
val javaLangObject by lazy {
val result = pluginContext.referenceClass(FqName("java.lang.Object"))?.owner
result?.let { extractExternalClassLater(it) }
result
}
val objectCloneMethod by lazy {
val result = javaLangObject?.declarations?.find {
it is IrFunction && it.name.asString() == "clone"

104
java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt
View File

@@ -10,12 +10,14 @@ import org.jetbrains.kotlin.backend.jvm.ir.getJvmNameFromAnnotation
import org.jetbrains.kotlin.backend.jvm.ir.propertyIfAccessor
import org.jetbrains.kotlin.builtins.StandardNames
import org.jetbrains.kotlin.descriptors.*
import org.jetbrains.kotlin.ir.ObsoleteDescriptorBasedAPI
import org.jetbrains.kotlin.ir.declarations.*
import org.jetbrains.kotlin.ir.expressions.*
import org.jetbrains.kotlin.ir.symbols.*
import org.jetbrains.kotlin.ir.types.*
import org.jetbrains.kotlin.ir.types.impl.*
import org.jetbrains.kotlin.ir.util.*
import org.jetbrains.kotlin.load.java.BuiltinMethodsWithSpecialGenericSignature
import org.jetbrains.kotlin.load.java.JvmAbi
import org.jetbrains.kotlin.name.FqName
import org.jetbrains.kotlin.name.Name
@@ -32,6 +34,17 @@ open class KotlinUsesExtractor(
val pluginContext: IrPluginContext,
val globalExtensionState: KotlinExtractorGlobalState
) {
val javaLangObject by lazy {
val result = pluginContext.referenceClass(FqName("java.lang.Object"))?.owner
result?.let { extractExternalClassLater(it) }
result
}
val javaLangObjectType by lazy {
javaLangObject?.typeWith()
}
fun usePackage(pkg: String): Label<out DbPackage> {
return extractPackage(pkg)
}
@@ -790,6 +803,52 @@ open class KotlinUsesExtractor(
else -> null
}
val javaUtilCollection by lazy {
val result = pluginContext.referenceClass(FqName("java.util.Collection"))?.owner
result?.let { extractExternalClassLater(it) }
result
}
val wildcardCollectionType by lazy {
javaUtilCollection?.let {
it.symbol.typeWithArguments(listOf(IrStarProjectionImpl))
}
}
private fun makeCovariant(t: IrTypeArgument) =
t.typeOrNull?.let { makeTypeProjection(it, Variance.OUT_VARIANCE) } ?: t
private fun makeArgumentsCovariant(t: IrType) = (t as? IrSimpleType)?.let {
t.toBuilder().also { b -> b.arguments = b.arguments.map(this::makeCovariant) }.buildSimpleType()
} ?: t
fun eraseCollectionsMethodParameterType(t: IrType, collectionsMethodName: String, paramIdx: Int) =
when(collectionsMethodName) {
"contains", "remove", "containsKey", "containsValue", "get", "indexOf", "lastIndexOf" -> javaLangObjectType
"getOrDefault" -> if (paramIdx == 0) javaLangObjectType else null
"containsAll", "removeAll", "retainAll" -> wildcardCollectionType
// Kotlin defines these like addAll(Collection<E>); Java uses addAll(Collection<? extends E>)
"putAll", "addAll" -> makeArgumentsCovariant(t)
else -> null
} ?: t
private fun overridesFunctionDefinedOn(f: IrFunction, packageName: String, className: String) =
(f as? IrSimpleFunction)?.let {
it.overriddenSymbols.any { overridden ->
overridden.owner.parentClassOrNull?.let { defnClass ->
defnClass.name.asString() == className &&
defnClass.packageFqName?.asString() == packageName
} ?: false
}
} ?: false
@OptIn(ObsoleteDescriptorBasedAPI::class)
fun overridesCollectionsMethodWithAlteredParameterTypes(f: IrFunction) =
BuiltinMethodsWithSpecialGenericSignature.getOverriddenBuiltinFunctionWithErasedValueParametersInJava(f.descriptor) != null ||
(f.name.asString() == "putAll" && overridesFunctionDefinedOn(f, "kotlin.collections", "MutableMap")) ||
(f.name.asString() == "addAll" && overridesFunctionDefinedOn(f, "kotlin.collections", "MutableCollection")) ||
(f.name.asString() == "addAll" && overridesFunctionDefinedOn(f, "kotlin.collections", "MutableList"))
/*
* This is the normal getFunctionLabel function to use. If you want
* to refer to the function in its source class then
@@ -811,8 +870,19 @@ open class KotlinUsesExtractor(
* `java.lang.Throwable`, which isn't what we want. So we have to
* allow it to be passed in.
*/
@OptIn(ObsoleteDescriptorBasedAPI::class)
fun getFunctionLabel(f: IrFunction, maybeParentId: Label<out DbElement>?, classTypeArgsIncludingOuterClasses: List<IrTypeArgument>?) =
getFunctionLabel(f.parent, maybeParentId, getFunctionShortName(f).nameInDB, f.valueParameters, f.returnType, f.extensionReceiverParameter, getFunctionTypeParameters(f), classTypeArgsIncludingOuterClasses)
getFunctionLabel(
f.parent,
maybeParentId,
getFunctionShortName(f).nameInDB,
f.valueParameters,
f.returnType,
f.extensionReceiverParameter,
getFunctionTypeParameters(f),
classTypeArgsIncludingOuterClasses,
overridesCollectionsMethodWithAlteredParameterTypes(f)
)
/*
* This function actually generates the label for a function.
@@ -838,6 +908,9 @@ open class KotlinUsesExtractor(
functionTypeParameters: List<IrTypeParameter>,
// The type arguments of enclosing classes of the function.
classTypeArgsIncludingOuterClasses: List<IrTypeArgument>?,
// If true, this method implements a Java Collections interface (Collection, Map or List) and may need
// parameter erasure to match the way this class will appear to an external consumer of the .class file.
overridesCollectionsMethod: Boolean,
// The prefix used in the label. "callable", unless a property label is created, then it's "property".
prefix: String = "callable"
): String {
@@ -856,14 +929,19 @@ open class KotlinUsesExtractor(
enclosingClass?.let { notNullClass -> makeTypeGenericSubstitutionMap(notNullClass, notNullArgs) }
}
}
val getIdForFunctionLabel = { it: IrValueParameter ->
// Mimic the Java extractor's behaviour: functions with type parameters are named for their erased types;
val getIdForFunctionLabel = { it: IndexedValue<IrValueParameter> ->
// Kotlin rewrites certain Java collections types adding additional generic constraints-- for example,
// Collection.remove(Object) because Collection.remove(Collection::E) in the Kotlin universe.
// If this has happened, erase the type again to get the correct Java signature.
val maybeAmendedForCollections = if (overridesCollectionsMethod) eraseCollectionsMethodParameterType(it.value.type, name, it.index) else it.value.type
// Now substitute any class type parameters in:
val maybeSubbed = maybeAmendedForCollections.substituteTypeAndArguments(substitutionMap, TypeContext.OTHER, pluginContext)
// Finally, mimic the Java extractor's behaviour by naming functions with type parameters for their erased types;
// those without type parameters are named for the generic type.
val maybeSubbed = it.type.substituteTypeAndArguments(substitutionMap, TypeContext.OTHER, pluginContext)
val maybeErased = if (functionTypeParameters.isEmpty()) maybeSubbed else erase(maybeSubbed)
"{${useType(maybeErased).javaResult.id}}"
}
val paramTypeIds = allParams.joinToString(separator = ",", transform = getIdForFunctionLabel)
val paramTypeIds = allParams.withIndex().joinToString(separator = ",", transform = getIdForFunctionLabel)
val labelReturnType =
if (name == "<init>")
pluginContext.irBuiltIns.unitType
@@ -1269,6 +1347,7 @@ open class KotlinUsesExtractor(
fun useValueParameter(vp: IrValueParameter, parent: Label<out DbCallable>?): Label<out DbParam> =
tw.getLabelFor(getValueParameterLabel(vp, parent))
fun isDirectlyExposedCompanionObjectField(f: IrField) =
f.hasAnnotation(FqName("kotlin.jvm.JvmField")) ||
f.correspondingPropertySymbol?.owner?.let {
@@ -1283,9 +1362,20 @@ open class KotlinUsesExtractor(
null
} ?: f.parent
// Gets a field's corresponding property's extension receiver type, if any
fun getExtensionReceiverType(f: IrField) =
f.correspondingPropertySymbol?.owner?.let {
(it.getter ?: it.setter)?.extensionReceiverParameter?.type
}
fun getFieldLabel(f: IrField): String {
val parentId = useDeclarationParent(getFieldParent(f), false)
return "@\"field;{$parentId};${f.name.asString()}\""
// Distinguish backing fields of properties based on their extension receiver type;
// otherwise two extension properties declared in the same enclosing context will get
// clashing trap labels. These are always private, so we can just make up a label without
// worrying about their names as seen from Java.
val extensionPropertyDiscriminator = getExtensionReceiverType(f)?.let { "extension;${useType(it)}" } ?: ""
return "@\"field;{$parentId};${extensionPropertyDiscriminator}${f.name.asString()}\""
}
fun useField(f: IrField): Label<out DbField> =
@@ -1313,7 +1403,7 @@ open class KotlinUsesExtractor(
val returnType = getter?.returnType ?: setter?.valueParameters?.singleOrNull()?.type ?: pluginContext.irBuiltIns.unitType
val typeParams = getFunctionTypeParameters(func)
getFunctionLabel(p.parent, parentId, p.name.asString(), listOf(), returnType, ext, typeParams, classTypeArgsIncludingOuterClasses, "property")
getFunctionLabel(p.parent, parentId, p.name.asString(), listOf(), returnType, ext, typeParams, classTypeArgsIncludingOuterClasses, overridesCollectionsMethod = false, prefix = "property")
}
}

2
java/ql/src/utils/model-generator/CaptureSinkModels.ql
View File

@@ -1,7 +1,9 @@
/**
* @name Capture sink models.
* @description Finds public methods that act as sinks as they flow into a a known sink.
* @kind diagnostic
* @id java/utils/model-generator/sink-models
* @tags model-generator
*/
private import internal.CaptureModels

4
java/ql/src/utils/model-generator/CaptureSourceModels.ql
View File

@@ -1,7 +1,9 @@
/**
* @name Capture source models.
* @description Finds APIs that act as sources as they expose already known sources.
* @id java/utils/model-generator/sink-models
* @kind diagnostic
* @id java/utils/model-generator/source-models
* @tags model-generator
*/
private import internal.CaptureModels

2
java/ql/src/utils/model-generator/CaptureSummaryModels.ql
View File

@@ -1,7 +1,9 @@
/**
* @name Capture summary models.
* @description Finds applicable summary models to be used by other queries.
* @kind diagnostic
* @id java/utils/model-generator/summary-models
* @tags model-generator
*/
private import internal.CaptureModels

9
java/ql/test/kotlin/library-tests/clashing-extension-fields/test.expected Normal file
View File

@@ -0,0 +1,9 @@
| |
| <clinit> |
| A |
| B |
| get |
| getX |
| invoke |
| x$delegatepackagename$$subpackagename$$A |
| x$delegatepackagename$$subpackagename$$B |

7
java/ql/test/kotlin/library-tests/clashing-extension-fields/test.kt Normal file
View File

@@ -0,0 +1,7 @@
package packagename.subpackagename
public class A { }
public class B { }
val A.x : String by lazy { "HelloA" }
val B.x : String by lazy { "HelloB" }

5
java/ql/test/kotlin/library-tests/clashing-extension-fields/test.ql Normal file
View File

@@ -0,0 +1,5 @@
import java
from Class c
where c.fromSource()
select c.getAMember().toString()

6
java/ql/test/kotlin/library-tests/exprs/PrintAst.expected
View File

@@ -31,7 +31,7 @@ delegatedProperties.kt:
# 87| 0: [MethodAccess] getValue(...)
# 87| -2: [TypeAccess] Integer
# 87| -1: [TypeAccess] PropertyReferenceDelegatesKt
# 87| 0: [VarAccess] DelegatedPropertiesKt.extDelegated$delegate
# 87| 0: [VarAccess] DelegatedPropertiesKt.extDelegated$delegateMyClass
# 87| -1: [TypeAccess] DelegatedPropertiesKt
# 1| 1: [ExtensionReceiverAccess] this
# 87| 2: [PropertyRefExpr] ...::...
@@ -80,7 +80,7 @@ delegatedProperties.kt:
# 87| 0: [MethodAccess] setValue(...)
# 87| -2: [TypeAccess] Integer
# 87| -1: [TypeAccess] PropertyReferenceDelegatesKt
# 87| 0: [VarAccess] DelegatedPropertiesKt.extDelegated$delegate
# 87| 0: [VarAccess] DelegatedPropertiesKt.extDelegated$delegateMyClass
# 87| -1: [TypeAccess] DelegatedPropertiesKt
# 1| 1: [ExtensionReceiverAccess] this
# 87| 2: [PropertyRefExpr] ...::...
@@ -118,7 +118,7 @@ delegatedProperties.kt:
# 87| 0: [TypeAccess] MyClass
# 87| 1: [TypeAccess] Integer
# 87| 3: [VarAccess] <set-?>
# 87| 5: [FieldDeclaration] KMutableProperty0<Integer> extDelegated$delegate;
# 87| 5: [FieldDeclaration] KMutableProperty0<Integer> extDelegated$delegateMyClass;
# 87| -1: [TypeAccess] KMutableProperty0<Integer>
# 87| 0: [TypeAccess] Integer
# 87| 0: [PropertyRefExpr] ...::...

2
java/ql/test/kotlin/library-tests/exprs/delegatedProperties.expected
View File

@@ -16,7 +16,7 @@ delegatedProperties
| delegatedProperties.kt:77:5:77:49 | delegatedToTopLevel | delegatedToTopLevel | non-local | delegatedProperties.kt:77:34:77:49 | delegatedToTopLevel$delegate | delegatedProperties.kt:77:37:77:49 | ...::... |
| delegatedProperties.kt:79:5:79:38 | max | max | non-local | delegatedProperties.kt:79:18:79:38 | max$delegate | delegatedProperties.kt:79:21:79:38 | ...::... |
| delegatedProperties.kt:82:9:82:54 | delegatedToMember3 | delegatedToMember3 | local | delegatedProperties.kt:82:37:82:54 | KMutableProperty0<Integer> delegatedToMember3$delegate | delegatedProperties.kt:82:40:82:54 | ...::... |
| delegatedProperties.kt:87:1:87:46 | extDelegated | extDelegated | non-local | delegatedProperties.kt:87:31:87:46 | extDelegated$delegate | delegatedProperties.kt:87:34:87:46 | ...::... |
| delegatedProperties.kt:87:1:87:46 | extDelegated | extDelegated | non-local | delegatedProperties.kt:87:31:87:46 | extDelegated$delegateMyClass | delegatedProperties.kt:87:34:87:46 | ...::... |
delegatedPropertyTypes
| delegatedProperties.kt:6:9:9:9 | prop1 | file://:0:0:0:0 | int | file://<external>/Lazy.class:0:0:0:0 | Lazy<Integer> |
| delegatedProperties.kt:19:9:19:51 | varResource1 | file://:0:0:0:0 | int | delegatedProperties.kt:45:1:51:1 | ResourceDelegate |

6
java/ql/test/kotlin/library-tests/exprs/exprs.expected
View File

@@ -830,9 +830,9 @@
| delegatedProperties.kt:87:31:87:46 | DelegatedPropertiesKt | delegatedProperties.kt:87:31:87:46 | set | TypeAccess |
| delegatedProperties.kt:87:31:87:46 | DelegatedPropertiesKt | delegatedProperties.kt:87:31:87:46 | set | TypeAccess |
| delegatedProperties.kt:87:31:87:46 | DelegatedPropertiesKt | delegatedProperties.kt:87:31:87:46 | setExtDelegated | TypeAccess |
| delegatedProperties.kt:87:31:87:46 | DelegatedPropertiesKt.extDelegated$delegate | delegatedProperties.kt:0:0:0:0 | <clinit> | VarAccess |
| delegatedProperties.kt:87:31:87:46 | DelegatedPropertiesKt.extDelegated$delegate | delegatedProperties.kt:87:31:87:46 | getExtDelegated | VarAccess |
| delegatedProperties.kt:87:31:87:46 | DelegatedPropertiesKt.extDelegated$delegate | delegatedProperties.kt:87:31:87:46 | setExtDelegated | VarAccess |
| delegatedProperties.kt:87:31:87:46 | DelegatedPropertiesKt.extDelegated$delegateMyClass | delegatedProperties.kt:0:0:0:0 | <clinit> | VarAccess |
| delegatedProperties.kt:87:31:87:46 | DelegatedPropertiesKt.extDelegated$delegateMyClass | delegatedProperties.kt:87:31:87:46 | getExtDelegated | VarAccess |
| delegatedProperties.kt:87:31:87:46 | DelegatedPropertiesKt.extDelegated$delegateMyClass | delegatedProperties.kt:87:31:87:46 | setExtDelegated | VarAccess |
| delegatedProperties.kt:87:31:87:46 | Integer | delegatedProperties.kt:87:31:87:46 | getExtDelegated | TypeAccess |
| delegatedProperties.kt:87:31:87:46 | Integer | delegatedProperties.kt:87:31:87:46 | setExtDelegated | TypeAccess |
| delegatedProperties.kt:87:31:87:46 | Integer | file://:0:0:0:0 | <none> | TypeAccess |

28
java/ql/test/kotlin/library-tests/java-kotlin-collection-type-generic-methods/Test.java Normal file
View File

@@ -0,0 +1,28 @@
import java.util.Map;
import java.util.AbstractMap;
import java.util.Collection;
import java.util.AbstractCollection;
import java.util.List;
import java.util.AbstractList;
public class Test {
public static void test(
Map<String, String> p1,
AbstractMap<String, String> p2,
Collection<String> p3,
AbstractCollection<String> p4,
List<String> p5,
AbstractList<String> p6) {
// Use a method of each to ensure method prototypes are extracted:
p1.remove("Hello");
p2.remove("Hello");
p3.remove("Hello");
p4.remove("Hello");
p5.remove("Hello");
p6.remove("Hello");
}
}

412
java/ql/test/kotlin/library-tests/java-kotlin-collection-type-generic-methods/test.expected Normal file
View File

@@ -0,0 +1,412 @@
methodWithDuplicate
#select
| AbstractCollection | add | E |
| AbstractCollection | addAll | Collection<? extends E> |
| AbstractCollection | contains | Object |
| AbstractCollection | containsAll | Collection<?> |
| AbstractCollection | remove | Object |
| AbstractCollection | removeAll | Collection<?> |
| AbstractCollection | retainAll | Collection<?> |
| AbstractCollection | toArray | T[] |
| AbstractCollection<E> | add | E |
| AbstractCollection<E> | addAll | Collection<? extends E> |
| AbstractCollection<E> | contains | Object |
| AbstractCollection<E> | containsAll | Collection<?> |
| AbstractCollection<E> | remove | Object |
| AbstractCollection<E> | removeAll | Collection<?> |
| AbstractCollection<E> | retainAll | Collection<?> |
| AbstractCollection<E> | toArray | T[] |
| AbstractCollection<String> | add | String |
| AbstractCollection<String> | addAll | Collection<? extends String> |
| AbstractCollection<String> | contains | Object |
| AbstractCollection<String> | containsAll | Collection<?> |
| AbstractCollection<String> | remove | Object |
| AbstractCollection<String> | removeAll | Collection<?> |
| AbstractCollection<String> | retainAll | Collection<?> |
| AbstractCollection<String> | toArray | T[] |
| AbstractList | add | E |
| AbstractList | add | int |
| AbstractList | addAll | Collection<? extends E> |
| AbstractList | addAll | int |
| AbstractList | equals | Object |
| AbstractList | get | int |
| AbstractList | indexOf | Object |
| AbstractList | lastIndexOf | Object |
| AbstractList | listIterator | int |
| AbstractList | removeAt | int |
| AbstractList | removeRange | int |
| AbstractList | set | E |
| AbstractList | set | int |
| AbstractList | subList | int |
| AbstractList | subListRangeCheck | int |
| AbstractList<E> | add | E |
| AbstractList<E> | add | int |
| AbstractList<E> | addAll | Collection<? extends E> |
| AbstractList<E> | addAll | int |
| AbstractList<E> | equals | Object |
| AbstractList<E> | get | int |
| AbstractList<E> | indexOf | Object |
| AbstractList<E> | lastIndexOf | Object |
| AbstractList<E> | listIterator | int |
| AbstractList<E> | removeAt | int |
| AbstractList<E> | removeRange | int |
| AbstractList<E> | set | E |
| AbstractList<E> | set | int |
| AbstractList<E> | subList | int |
| AbstractList<E> | subListRangeCheck | int |
| AbstractMap | containsEntry | Entry<?,?> |
| AbstractMap | containsKey | Object |
| AbstractMap | containsValue | Object |
| AbstractMap | equals | Object |
| AbstractMap | get | Object |
| AbstractMap | put | K |
| AbstractMap | put | V |
| AbstractMap | putAll | Map<? extends K,? extends V> |
| AbstractMap | remove | Object |
| AbstractMap<Identity,Entry<?>> | containsKey | Object |
| AbstractMap<Identity,Entry<?>> | containsValue | Object |
| AbstractMap<Identity,Entry<?>> | equals | Object |
| AbstractMap<Identity,Entry<?>> | get | Object |
| AbstractMap<Identity,Entry<?>> | put | Entry<?> |
| AbstractMap<Identity,Entry<?>> | put | Identity |
| AbstractMap<Identity,Entry<?>> | putAll | Map<? extends Identity,? extends Entry<?>> |
| AbstractMap<Identity,Entry<?>> | remove | Object |
| AbstractMap<K,V> | containsKey | Object |
| AbstractMap<K,V> | containsValue | Object |
| AbstractMap<K,V> | equals | Object |
| AbstractMap<K,V> | get | Object |
| AbstractMap<K,V> | put | K |
| AbstractMap<K,V> | put | V |
| AbstractMap<K,V> | putAll | Map<? extends K,? extends V> |
| AbstractMap<K,V> | remove | Object |
| AbstractMap<String,String> | containsEntry | Entry<?,?> |
| AbstractMap<String,String> | containsKey | Object |
| AbstractMap<String,String> | containsValue | Object |
| AbstractMap<String,String> | equals | Object |
| AbstractMap<String,String> | get | Object |
| AbstractMap<String,String> | put | String |
| AbstractMap<String,String> | putAll | Map<? extends String,? extends String> |
| AbstractMap<String,String> | remove | Object |
| AbstractMutableCollection | add | E |
| AbstractMutableList | add | E |
| AbstractMutableList | add | int |
| AbstractMutableList | removeAt | int |
| AbstractMutableList | set | E |
| AbstractMutableList | set | int |
| AbstractMutableMap | put | K |
| AbstractMutableMap | put | V |
| Collection | add | E |
| Collection | addAll | Collection<? extends E> |
| Collection | contains | Object |
| Collection | containsAll | Collection<?> |
| Collection | equals | Object |
| Collection | remove | Object |
| Collection | removeAll | Collection<?> |
| Collection | removeIf | Predicate<? super E> |
| Collection | retainAll | Collection<?> |
| Collection | toArray | IntFunction<T[]> |
| Collection | toArray | T[] |
| Collection<E> | add | E |
| Collection<E> | addAll | Collection<? extends E> |
| Collection<E> | contains | Object |
| Collection<E> | containsAll | Collection<?> |
| Collection<E> | remove | Object |
| Collection<E> | removeAll | Collection<?> |
| Collection<E> | removeIf | Predicate<? super E> |
| Collection<E> | retainAll | Collection<?> |
| Collection<E> | toArray | IntFunction<T[]> |
| Collection<E> | toArray | T[] |
| Collection<Entry<K,V>> | add | Entry<K,V> |
| Collection<Entry<K,V>> | addAll | Collection<? extends Entry<K,V>> |
| Collection<Entry<K,V>> | contains | Object |
| Collection<Entry<K,V>> | containsAll | Collection<?> |
| Collection<Entry<K,V>> | remove | Object |
| Collection<Entry<K,V>> | removeAll | Collection<?> |
| Collection<Entry<K,V>> | removeIf | Predicate<? super Entry<K,V>> |
| Collection<Entry<K,V>> | retainAll | Collection<?> |
| Collection<Entry<K,V>> | toArray | IntFunction<T[]> |
| Collection<Entry<K,V>> | toArray | T[] |
| Collection<K> | add | K |
| Collection<K> | addAll | Collection<? extends K> |
| Collection<K> | contains | Object |
| Collection<K> | containsAll | Collection<?> |
| Collection<K> | remove | Object |
| Collection<K> | removeAll | Collection<?> |
| Collection<K> | removeIf | Predicate<? super K> |
| Collection<K> | retainAll | Collection<?> |
| Collection<K> | toArray | IntFunction<T[]> |
| Collection<K> | toArray | T[] |
| Collection<String> | add | String |
| Collection<String> | addAll | Collection<? extends String> |
| Collection<String> | contains | Object |
| Collection<String> | containsAll | Collection<?> |
| Collection<String> | equals | Object |
| Collection<String> | remove | Object |
| Collection<String> | removeAll | Collection<?> |
| Collection<String> | removeIf | Predicate<? super String> |
| Collection<String> | retainAll | Collection<?> |
| Collection<String> | toArray | IntFunction<T[]> |
| Collection<String> | toArray | T[] |
| Collection<V> | add | V |
| Collection<V> | addAll | Collection<? extends V> |
| Collection<V> | contains | Object |
| Collection<V> | containsAll | Collection<?> |
| Collection<V> | remove | Object |
| Collection<V> | removeAll | Collection<?> |
| Collection<V> | removeIf | Predicate<? super V> |
| Collection<V> | retainAll | Collection<?> |
| Collection<V> | toArray | IntFunction<T[]> |
| Collection<V> | toArray | T[] |
| List | add | E |
| List | add | int |
| List | addAll | Collection<? extends E> |
| List | addAll | int |
| List | contains | Object |
| List | containsAll | Collection<?> |
| List | copyOf | Collection<? extends E> |
| List | equals | Object |
| List | get | int |
| List | indexOf | Object |
| List | lastIndexOf | Object |
| List | listIterator | int |
| List | of | E |
| List | of | E[] |
| List | remove | Object |
| List | remove | int |
| List | removeAll | Collection<?> |
| List | replaceAll | UnaryOperator<E> |
| List | retainAll | Collection<?> |
| List | set | E |
| List | set | int |
| List | sort | Comparator<? super E> |
| List | subList | int |
| List | toArray | T[] |
| List<E> | add | E |
| List<E> | add | int |
| List<E> | addAll | Collection<? extends E> |
| List<E> | addAll | int |
| List<E> | contains | Object |
| List<E> | containsAll | Collection<?> |
| List<E> | copyOf | Collection<? extends E> |
| List<E> | get | int |
| List<E> | indexOf | Object |
| List<E> | lastIndexOf | Object |
| List<E> | listIterator | int |
| List<E> | of | E |
| List<E> | of | E[] |
| List<E> | remove | Object |
| List<E> | remove | int |
| List<E> | removeAll | Collection<?> |
| List<E> | replaceAll | UnaryOperator<E> |
| List<E> | retainAll | Collection<?> |
| List<E> | set | E |
| List<E> | set | int |
| List<E> | sort | Comparator<? super E> |
| List<E> | subList | int |
| List<E> | toArray | T[] |
| List<String> | add | String |
| List<String> | add | int |
| List<String> | addAll | Collection<? extends String> |
| List<String> | addAll | int |
| List<String> | contains | Object |
| List<String> | containsAll | Collection<?> |
| List<String> | copyOf | Collection<? extends E> |
| List<String> | equals | Object |
| List<String> | get | int |
| List<String> | indexOf | Object |
| List<String> | lastIndexOf | Object |
| List<String> | listIterator | int |
| List<String> | of | E |
| List<String> | of | E[] |
| List<String> | remove | Object |
| List<String> | remove | int |
| List<String> | removeAll | Collection<?> |
| List<String> | replaceAll | UnaryOperator<String> |
| List<String> | retainAll | Collection<?> |
| List<String> | set | String |
| List<String> | set | int |
| List<String> | sort | Comparator<? super String> |
| List<String> | subList | int |
| List<String> | toArray | T[] |
| Map | compute | BiFunction<? super K,? super V,? extends V> |
| Map | compute | K |
| Map | computeIfAbsent | Function<? super K,? extends V> |
| Map | computeIfAbsent | K |
| Map | computeIfPresent | BiFunction<? super K,? super V,? extends V> |
| Map | computeIfPresent | K |
| Map | containsKey | Object |
| Map | containsValue | Object |
| Map | copyOf | Map<? extends K,? extends V> |
| Map | entry | K |
| Map | entry | V |
| Map | equals | Object |
| Map | forEach | BiConsumer<? super K,? super V> |
| Map | get | Object |
| Map | getOrDefault | Object |
| Map | getOrDefault | V |
| Map | merge | BiFunction<? super V,? super V,? extends V> |
| Map | merge | K |
| Map | merge | V |
| Map | of | K |
| Map | of | V |
| Map | ofEntries | Entry<? extends K,? extends V>[] |
| Map | put | K |
| Map | put | V |
| Map | putAll | Map<? extends K,? extends V> |
| Map | putIfAbsent | K |
| Map | putIfAbsent | V |
| Map | remove | Object |
| Map | replace | K |
| Map | replace | V |
| Map | replaceAll | BiFunction<? super K,? super V,? extends V> |
| Map<Identity,Entry<?>> | compute | BiFunction<? super Identity,? super Entry<?>,? extends Entry<?>> |
| Map<Identity,Entry<?>> | compute | Identity |
| Map<Identity,Entry<?>> | computeIfAbsent | Function<? super Identity,? extends Entry<?>> |
| Map<Identity,Entry<?>> | computeIfAbsent | Identity |
| Map<Identity,Entry<?>> | computeIfPresent | BiFunction<? super Identity,? super Entry<?>,? extends Entry<?>> |
| Map<Identity,Entry<?>> | computeIfPresent | Identity |
| Map<Identity,Entry<?>> | containsKey | Object |
| Map<Identity,Entry<?>> | containsValue | Object |
| Map<Identity,Entry<?>> | copyOf | Map<? extends K,? extends V> |
| Map<Identity,Entry<?>> | entry | K |
| Map<Identity,Entry<?>> | entry | V |
| Map<Identity,Entry<?>> | forEach | BiConsumer<? super Identity,? super Entry<?>> |
| Map<Identity,Entry<?>> | get | Object |
| Map<Identity,Entry<?>> | getOrDefault | Entry<?> |
| Map<Identity,Entry<?>> | getOrDefault | Object |
| Map<Identity,Entry<?>> | merge | BiFunction<? super Entry<?>,? super Entry<?>,? extends Entry<?>> |
| Map<Identity,Entry<?>> | merge | Entry<?> |
| Map<Identity,Entry<?>> | merge | Identity |
| Map<Identity,Entry<?>> | of | K |
| Map<Identity,Entry<?>> | of | V |
| Map<Identity,Entry<?>> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<Identity,Entry<?>> | put | Entry<?> |
| Map<Identity,Entry<?>> | put | Identity |
| Map<Identity,Entry<?>> | putAll | Map<? extends Identity,? extends Entry<?>> |
| Map<Identity,Entry<?>> | putIfAbsent | Entry<?> |
| Map<Identity,Entry<?>> | putIfAbsent | Identity |
| Map<Identity,Entry<?>> | remove | Object |
| Map<Identity,Entry<?>> | replace | Entry<?> |
| Map<Identity,Entry<?>> | replace | Identity |
| Map<Identity,Entry<?>> | replaceAll | BiFunction<? super Identity,? super Entry<?>,? extends Entry<?>> |
| Map<K,V> | compute | BiFunction<? super K,? super V,? extends V> |
| Map<K,V> | compute | K |
| Map<K,V> | computeIfAbsent | Function<? super K,? extends V> |
| Map<K,V> | computeIfAbsent | K |
| Map<K,V> | computeIfPresent | BiFunction<? super K,? super V,? extends V> |
| Map<K,V> | computeIfPresent | K |
| Map<K,V> | containsKey | Object |
| Map<K,V> | containsValue | Object |
| Map<K,V> | copyOf | Map<? extends K,? extends V> |
| Map<K,V> | entry | K |
| Map<K,V> | entry | V |
| Map<K,V> | forEach | BiConsumer<? super K,? super V> |
| Map<K,V> | get | Object |
| Map<K,V> | getOrDefault | Object |
| Map<K,V> | getOrDefault | V |
| Map<K,V> | merge | BiFunction<? super V,? super V,? extends V> |
| Map<K,V> | merge | K |
| Map<K,V> | merge | V |
| Map<K,V> | of | K |
| Map<K,V> | of | V |
| Map<K,V> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<K,V> | put | K |
| Map<K,V> | put | V |
| Map<K,V> | putAll | Map<? extends K,? extends V> |
| Map<K,V> | putIfAbsent | K |
| Map<K,V> | putIfAbsent | V |
| Map<K,V> | remove | Object |
| Map<K,V> | replace | K |
| Map<K,V> | replace | V |
| Map<K,V> | replaceAll | BiFunction<? super K,? super V,? extends V> |
| Map<Object,Object> | compute | BiFunction<? super Object,? super Object,? extends Object> |
| Map<Object,Object> | compute | Object |
| Map<Object,Object> | computeIfAbsent | Function<? super Object,? extends Object> |
| Map<Object,Object> | computeIfAbsent | Object |
| Map<Object,Object> | computeIfPresent | BiFunction<? super Object,? super Object,? extends Object> |
| Map<Object,Object> | computeIfPresent | Object |
| Map<Object,Object> | containsKey | Object |
| Map<Object,Object> | containsValue | Object |
| Map<Object,Object> | copyOf | Map<? extends K,? extends V> |
| Map<Object,Object> | entry | K |
| Map<Object,Object> | entry | V |
| Map<Object,Object> | forEach | BiConsumer<? super Object,? super Object> |
| Map<Object,Object> | get | Object |
| Map<Object,Object> | getOrDefault | Object |
| Map<Object,Object> | merge | BiFunction<? super Object,? super Object,? extends Object> |
| Map<Object,Object> | merge | Object |
| Map<Object,Object> | of | K |
| Map<Object,Object> | of | V |
| Map<Object,Object> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<Object,Object> | put | Object |
| Map<Object,Object> | putAll | Map<? extends Object,? extends Object> |
| Map<Object,Object> | putIfAbsent | Object |
| Map<Object,Object> | remove | Object |
| Map<Object,Object> | replace | Object |
| Map<Object,Object> | replaceAll | BiFunction<? super Object,? super Object,? extends Object> |
| Map<String,String> | compute | BiFunction<? super String,? super String,? extends String> |
| Map<String,String> | compute | String |
| Map<String,String> | computeIfAbsent | Function<? super String,? extends String> |
| Map<String,String> | computeIfAbsent | String |
| Map<String,String> | computeIfPresent | BiFunction<? super String,? super String,? extends String> |
| Map<String,String> | computeIfPresent | String |
| Map<String,String> | containsKey | Object |
| Map<String,String> | containsValue | Object |
| Map<String,String> | copyOf | Map<? extends K,? extends V> |
| Map<String,String> | entry | K |
| Map<String,String> | entry | V |
| Map<String,String> | equals | Object |
| Map<String,String> | forEach | BiConsumer<? super String,? super String> |
| Map<String,String> | get | Object |
| Map<String,String> | getOrDefault | Object |
| Map<String,String> | getOrDefault | String |
| Map<String,String> | merge | BiFunction<? super String,? super String,? extends String> |
| Map<String,String> | merge | String |
| Map<String,String> | of | K |
| Map<String,String> | of | V |
| Map<String,String> | ofEntries | Entry<? extends K,? extends V>[] |
| Map<String,String> | put | String |
| Map<String,String> | putAll | Map<? extends String,? extends String> |
| Map<String,String> | putIfAbsent | String |
| Map<String,String> | remove | Object |
| Map<String,String> | replace | String |
| Map<String,String> | replaceAll | BiFunction<? super String,? super String,? extends String> |
| MutableCollection | add | E |
| MutableCollection | addAll | Collection |
| MutableCollection | remove | Object |
| MutableCollection | removeAll | Collection<?> |
| MutableCollection | removeIf | Predicate<? super E> |
| MutableCollection | retainAll | Collection<?> |
| MutableList | add | E |
| MutableList | add | int |
| MutableList | addAll | Collection<? extends E> |
| MutableList | addAll | Collection<E> |
| MutableList | addAll | int |
| MutableList | listIterator | int |
| MutableList | remove | Object |
| MutableList | removeAll | Collection<?> |
| MutableList | removeAt | int |
| MutableList | replaceAll | UnaryOperator<E> |
| MutableList | retainAll | Collection<?> |
| MutableList | set | E |
| MutableList | set | int |
| MutableList | sort | Comparator<? super E> |
| MutableList | subList | int |
| MutableMap | compute | BiFunction<? super K,? super V,? extends V> |
| MutableMap | compute | K |
| MutableMap | computeIfAbsent | Function<? super K,? extends V> |
| MutableMap | computeIfAbsent | K |
| MutableMap | computeIfPresent | BiFunction<? super K,? super V,? extends V> |
| MutableMap | computeIfPresent | K |
| MutableMap | merge | BiFunction<? super V,? super V,? extends V> |
| MutableMap | merge | K |
| MutableMap | merge | V |
| MutableMap | put | K |
| MutableMap | put | V |
| MutableMap | putAll | Map<? extends K,V> |
| MutableMap | putIfAbsent | K |
| MutableMap | putIfAbsent | V |
| MutableMap | remove | Object |
| MutableMap | replace | K |
| MutableMap | replace | V |
| MutableMap | replaceAll | BiFunction<? super K,? super V,? extends V> |

29
java/ql/test/kotlin/library-tests/java-kotlin-collection-type-generic-methods/test.kt Normal file
View File

@@ -0,0 +1,29 @@
fun test(
p1: Map<String, String>,
p2: AbstractMap<String, String>,
p3: Collection<String>,
p4: AbstractCollection<String>,
p5: List<String>,
p6: AbstractList<String>,
p7: MutableMap<String, String>,
p8: AbstractMutableMap<String, String>,
p9: MutableCollection<String>,
p10: AbstractMutableCollection<String>,
p11: MutableList<String>,
p12: AbstractMutableList<String>) {
// Use a method of each to ensure method prototypes are extracted:
p1.get("Hello");
p2.get("Hello");
p3.contains("Hello");
p4.contains("Hello");
p5.contains("Hello");
p6.contains("Hello");
p7.remove("Hello");
p8.remove("Hello");
p9.remove("Hello");
p10.remove("Hello");
p11.remove("Hello");
p12.remove("Hello");
}

28
java/ql/test/kotlin/library-tests/java-kotlin-collection-type-generic-methods/test.ql Normal file
View File

@@ -0,0 +1,28 @@
import java
RefType getARelevantCollectionType() {
result
.hasQualifiedName(["java.util", "kotlin.collections"],
["Abstract", ""] + ["Mutable", ""] + ["Collection", "List", "Map"])
}
class RelevantMethod extends Method {
RelevantMethod() { this.getDeclaringType().getSourceDeclaration() = getARelevantCollectionType() }
}
// Check for methods with suspicious twins -- probably another extraction of the same method outline which was given a different trap key.
// It so happens the collections methods of interest to this test don't use overloads with the same parameter count.
query predicate methodWithDuplicate(string methodName, string typeName) {
exists(RelevantMethod m, RelevantMethod dup |
dup.getName() = m.getName() and
not dup.getName() = ["of", "remove", "toArray"] and // These really do have overloads with the same parameter count, so it isn't trivial to tell if they are intentional overloads or inappropriate duplicates.
dup.getNumberOfParameters() = m.getNumberOfParameters() and
dup.getDeclaringType() = m.getDeclaringType() and
dup != m and
methodName = m.getName() and
typeName = m.getDeclaringType().getName()
)
}
from RelevantMethod m
select m.getDeclaringType().getName(), m.getName(), m.getAParamType().getName()

2
javascript/extractor/lib/typescript/package.json
View File

@@ -2,7 +2,7 @@
"name": "typescript-parser-wrapper",
"private": true,
"dependencies": {
"typescript": "4.6.2"
"typescript": "4.7.2"
},
"scripts": {
"build": "tsc --project tsconfig.json",

8
javascript/extractor/lib/typescript/yarn.lock
View File

@@ -6,7 +6,7 @@
version "12.7.11"
resolved node-12.7.11.tgz#be879b52031cfb5d295b047f5462d8ef1a716446
typescript@4.6.2:
version "4.6.2"
resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.6.2.tgz#fe12d2727b708f4eef40f51598b3398baa9611d4"
integrity sha512-HM/hFigTBHZhLXshn9sN37H085+hQGeJHJ/X7LpBWLID/fbc2acUMfU+lGD98X81sKP+pFa9f0DZmCwB9GnbAg==
typescript@4.7.2:
version "4.7.2"
resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.7.2.tgz#1f9aa2ceb9af87cca227813b4310fff0b51593c4"
integrity sha512-Mamb1iX2FDUpcTRzltPxgWMKy3fhg0TN378ylbktPGPK/99KbDtMQ4W1hwgsbPAsG3a0xKa1vmw4VKZQbkvz5A==

5
javascript/extractor/src/com/semmle/js/dependencies/Fetcher.java
View File

@@ -141,8 +141,9 @@ public class Fetcher {
entryPath = entryPath.subpath(1, entryPath.getNameCount());
String filename = entryPath.getFileName().toString();
if (!filename.endsWith(".d.ts") && !filename.equals("package.json")) {
continue; // Only extract .d.ts files and package.json
if (!filename.endsWith(".d.ts") && !filename.endsWith(".d.mts") && !filename.endsWith(".d.cts")
&& !filename.equals("package.json")) {
continue; // Only extract .d.ts, .d.mts, .d.cts files, and package.json
}
relativePaths.add(entryPath);
Path outputFile = destDir.resolve(entryPath);

2
javascript/extractor/src/com/semmle/js/extractor/FileExtractor.java
View File

@@ -203,7 +203,7 @@ public class FileExtractor {
}
},
TYPESCRIPT(".ts", ".tsx") {
TYPESCRIPT(".ts", ".tsx", ".mts", ".cts") {
@Override
protected boolean contains(File f, String lcExt, ExtractorConfig config) {
if (config.getTypeScriptMode() == TypeScriptMode.NONE) return false;

2
javascript/extractor/src/com/semmle/js/extractor/Main.java
View File

@@ -43,7 +43,7 @@ public class Main {
* A version identifier that should be updated every time the extractor changes in such a way that
* it may produce different tuples for the same file under the same {@link ExtractorConfig}.
*/
public static final String EXTRACTOR_VERSION = "2022-02-22";
public static final String EXTRACTOR_VERSION = "2022-05-24";
public static final Pattern NEWLINE = Pattern.compile("\n");

4
javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
View File

@@ -144,9 +144,9 @@ private module AccessPaths {
not param = base.getReceiver()
|
result = param and
name = param.getAnImmediateUse().asExpr().(Parameter).getName()
name = param.asSource().asExpr().(Parameter).getName()
or
param.getAnImmediateUse().asExpr() instanceof DestructuringPattern and
param.asSource().asExpr() instanceof DestructuringPattern and
result = param.getMember(name)
)
}

4
javascript/ql/lib/change-notes/2022-05-24-ecmascript-2022.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* All new ECMAScript 2022 features are now supported.

4
javascript/ql/lib/change-notes/2022-05-24-typescript-4-7.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: majorAnalysis
---
* Added support for TypeScript 4.7.

237
javascript/ql/lib/semmle/javascript/ApiGraphs.qll
View File

@@ -2,11 +2,7 @@
* Provides an implementation of _API graphs_, which are an abstract representation of the API
* surface used and/or defined by a code base.
*
* The nodes of the API graph represent definitions and uses of API components. The edges are
* directed and labeled; they specify how the components represented by nodes relate to each other.
* For example, if one of the nodes represents a definition of an API function, then there
* will be nodes corresponding to the function's parameters, which are connected to the function
* node by edges labeled `parameter <i>`.
* See `API::Node` for more in-depth documentation.
*/
import javascript
@@ -14,50 +10,159 @@ private import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps
private import internal.CachedStages
/**
* Provides classes and predicates for working with APIs defined or used in a database.
* Provides classes and predicates for working with the API boundary between the current
* codebase and external libraries.
*
* See `API::Node` for more in-depth documentation.
*/
module API {
/**
* An abstract representation of a definition or use of an API component such as a function
* exported by an npm package, a parameter of such a function, or its result.
* A node in the API graph, representing a value that has crossed the boundary between this
* codebase and an external library (or in general, any external codebase).
*
* ### Basic usage
*
* API graphs are typically used to identify "API calls", that is, calls to an external function
* whose implementation is not necessarily part of the current codebase.
*
* The most basic use of API graphs is typically as follows:
* 1. Start with `API::moduleImport` for the relevant library.
* 2. Follow up with a chain of accessors such as `getMember` describing how to get to the relevant API function.
* 3. Map the resulting API graph nodes to data-flow nodes, using `asSource` or `asSink`.
*
* For example, a simplified way to get arguments to `underscore.extend` would be
* ```ql
* API::moduleImport("underscore").getMember("extend").getParameter(0).asSink()
* ```
*
* The most commonly used accessors are `getMember`, `getParameter`, and `getReturn`.
*
* ### API graph nodes
*
* There are two kinds of nodes in the API graphs, distinguished by who is "holding" the value:
* - **Use-nodes** represent values held by the current codebase, which came from an external library.
* (The current codebase is "using" a value that came from the library).
* - **Def-nodes** represent values held by the external library, which came from this codebase.
* (The current codebase "defines" the value seen by the library).
*
* API graph nodes are associated with data-flow nodes in the current codebase.
* (Since external libraries are not part of the database, there is no way to associate with concrete
* data-flow nodes from the external library).
* - **Use-nodes** are associated with data-flow nodes where a value enters the current codebase,
* such as the return value of a call to an external function.
* - **Def-nodes** are associated with data-flow nodes where a value leaves the current codebase,
* such as an argument passed in a call to an external function.
*
*
* ### Access paths and edge labels
*
* Nodes in the API graph are associated with a set of access paths, describing a series of operations
* that may be performed to obtain that value.
*
* For example, the access path `API::moduleImport("lodash").getMember("extend")` represents the action of
* importing `lodash` and then accessing the member `extend` on the resulting object.
* It would be associated with an expression such as `require("lodash").extend`.
*
* Each edge in the graph is labelled by such an "operation". For an edge `A->B`, the type of the `A` node
* determines who is performing the operation, and the type of the `B` node determines who ends up holding
* the result:
* - An edge starting from a use-node describes what the current codebase is doing to a value that
* came from a library.
* - An edge starting from a def-node describes what the external library might do to a value that
* came from the current codebase.
* - An edge ending in a use-node means the result ends up in the current codebase (at its associated data-flow node).
* - An edge ending in a def-node means the result ends up in external code (its associated data-flow node is
* the place where it was "last seen" in the current codebase before flowing out)
*
* Because the implementation of the external library is not visible, it is not known exactly what operations
* it will perform on values that flow there. Instead, the edges starting from a def-node are operations that would
* lead to an observable effect within the current codebase; without knowing for certain if the library will actually perform
* those operations. (When constructing these edges, we assume the library is somewhat well-behaved).
*
* For example, given this snippet:
* ```js
* require('foo')(x => { doSomething(x) })
* ```
* A callback is passed to the external function `foo`. We can't know if `foo` will actually invoke this callback.
* But _if_ the library should decide to invoke the callback, then a value will flow into the current codebase via the `x` parameter.
* For that reason, an edge is generated representing the argument-passing operation that might be performed by `foo`.
* This edge is going from the def-node associated with the callback to the use-node associated with the parameter `x`.
*
* ### Thinking in operations versus code patterns
*
* Treating edges as "operations" helps avoid a pitfall in which library models become overly specific to certain code patterns.
* Consider the following two equivalent calls to `foo`:
* ```js
* const foo = require('foo');
*
* foo({
* myMethod(x) {...}
* });
*
* foo({
* get myMethod() {
* return function(x) {...}
* }
* });
* ```
* If `foo` calls `myMethod` on its first parameter, either of the `myMethod` implementations will be invoked.
* And indeed, the access path `API::moduleImport("foo").getParameter(0).getMember("myMethod").getParameter(0)` correctly
* identifies both `x` parameters.
*
* Observe how `getMember("myMethod")` behaves when the member is defined via a getter. When thinking in code patterns,
* it might seem obvious that `getMember` should have obtained a reference to the getter method itself.
* But when seeing it as an access to `myMethod` performed by the library, we can deduce that the relevant expression
* on the client side is actually the return-value of the getter.
*
* Although one may think of API graphs as a tool to find certain program elements in the codebase,
* it can lead to some situations where intuition does not match what works best in practice.
*/
class Node extends Impl::TApiNode {
/**
* Gets a data-flow node corresponding to a use of the API component represented by this node.
* Get a data-flow node where this value may flow after entering the current codebase.
*
* For example, `require('fs').readFileSync` is a use of the function `readFileSync` from the
* `fs` module, and `require('fs').readFileSync(file)` is a use of the return of that function.
*
* This includes indirect uses found via data flow, meaning that in
* `f(obj.foo); function f(x) {};` both `obj.foo` and `x` are uses of the `foo` member from `obj`.
*
* As another example, in the assignment `exports.plusOne = (x) => x+1` the two references to
* `x` are uses of the first parameter of `plusOne`.
* This is similar to `asSource()` but additionally includes nodes that are transitively reachable by data flow.
* See `asSource()` for examples.
*/
pragma[inline]
DataFlow::Node getAUse() {
exists(DataFlow::SourceNode src | Impl::use(this, src) |
Impl::trackUseNode(src).flowsTo(result)
)
DataFlow::Node getAValueReachableFromSource() {
Impl::trackUseNode(this.asSource()).flowsTo(result)
}
/**
* Gets an immediate use of the API component represented by this node.
* Get a data-flow node where this value enters the current codebase.
*
* For example, `require('fs').readFileSync` is a an immediate use of the `readFileSync` member
* from the `fs` module.
* For example:
* ```js
* // API::moduleImport("fs").asSource()
* require('fs');
*
* Unlike `getAUse()`, this predicate only gets the immediate references, not the indirect uses
* found via data flow. This means that in `const x = fs.readFile` only `fs.readFile` is a reference
* to the `readFile` member of `fs`, neither `x` nor any node that `x` flows to is a reference to
* this API component.
* // API::moduleImport("fs").getMember("readFile").asSource()
* require('fs').readFile;
*
* // API::moduleImport("fs").getMember("readFile").getReturn().asSource()
* require('fs').readFile();
*
* require('fs').readFile(
* filename,
* // 'y' matched by API::moduleImport("fs").getMember("readFile").getParameter(1).getParameter(0).asSource()
* y => {
* ...
* });
* ```
*/
DataFlow::SourceNode getAnImmediateUse() { Impl::use(this, result) }
DataFlow::SourceNode asSource() { Impl::use(this, result) }
/** DEPRECATED. This predicate has been renamed to `asSource`. */
deprecated DataFlow::SourceNode getAnImmediateUse() { result = this.asSource() }
/** DEPRECATED. This predicate has been renamed to `getAValueReachableFromSource`. */
deprecated DataFlow::Node getAUse() { result = this.getAValueReachableFromSource() }
/**
* Gets a call to the function represented by this API component.
*/
CallNode getACall() { result = this.getReturn().getAnImmediateUse() }
CallNode getACall() { result = this.getReturn().asSource() }
/**
* Gets a call to the function represented by this API component,
@@ -72,7 +177,7 @@ module API {
/**
* Gets a `new` call to the function represented by this API component.
*/
NewNode getAnInstantiation() { result = this.getInstance().getAnImmediateUse() }
NewNode getAnInstantiation() { result = this.getInstance().asSource() }
/**
* Gets an invocation (with our without `new`) to the function represented by this API component.
@@ -80,26 +185,38 @@ module API {
InvokeNode getAnInvocation() { result = this.getACall() or result = this.getAnInstantiation() }
/**
* Gets a data-flow node corresponding to the right-hand side of a definition of the API
* component represented by this node.
* Get a data-flow node where this value leaves the current codebase and flows into an
* external library (or in general, any external codebase).
*
* For example, in the assignment `exports.plusOne = (x) => x+1`, the function expression
* `(x) => x+1` is the right-hand side of the definition of the member `plusOne` of
* the enclosing module, and the expression `x+1` is the right-had side of the definition of
* its result.
* Concretely, this is either an argument passed to a call to external code,
* or the right-hand side of a property write on an object flowing into such a call.
*
* Note that for parameters, it is the arguments flowing into that parameter that count as
* right-hand sides of the definition, not the declaration of the parameter itself.
* Consequently, in `require('fs').readFileSync(file)`, `file` is the right-hand
* side of a definition of the first parameter of `readFileSync` from the `fs` module.
* For example:
* ```js
* // 'x' is matched by API::moduleImport("foo").getParameter(0).asSink()
* require('foo')(x);
*
* // 'x' is matched by API::moduleImport("foo").getParameter(0).getMember("prop").asSink()
* require('foo')({
* prop: x
* });
* ```
*/
DataFlow::Node getARhs() { Impl::rhs(this, result) }
DataFlow::Node asSink() { Impl::rhs(this, result) }
/**
* Gets a data-flow node that may interprocedurally flow to the right-hand side of a definition
* of the API component represented by this node.
* Get a data-flow node that transitively flows to an external library (or in general, any external codebase).
*
* This is similar to `asSink()` but additionally includes nodes that transitively reach a sink by data flow.
* See `asSink()` for examples.
*/
DataFlow::Node getAValueReachingRhs() { result = Impl::trackDefNode(this.getARhs()) }
DataFlow::Node getAValueReachingSink() { result = Impl::trackDefNode(this.asSink()) }
/** DEPRECATED. This predicate has been renamed to `asSink`. */
deprecated DataFlow::Node getARhs() { result = this.asSink() }
/** DEPRECATED. This predicate has been renamed to `getAValueReachingSink`. */
deprecated DataFlow::Node getAValueReachingRhs() { result = this.getAValueReachingSink() }
/**
* Gets a node representing member `m` of this API component.
@@ -334,7 +451,7 @@ module API {
* In other words, the value of a use of `that` may flow into the right-hand side of a
* definition of this node.
*/
predicate refersTo(Node that) { this.getARhs() = that.getAUse() }
predicate refersTo(Node that) { this.asSink() = that.getAValueReachableFromSource() }
/**
* Gets the data-flow node that gives rise to this node, if any.
@@ -445,11 +562,17 @@ module API {
bindingset[this]
EntryPoint() { any() }
/** Gets a data-flow node that uses this entry point. */
abstract DataFlow::SourceNode getAUse();
/** DEPRECATED. This predicate has been renamed to `getASource`. */
deprecated DataFlow::SourceNode getAUse() { none() }
/** Gets a data-flow node that defines this entry point. */
abstract DataFlow::Node getARhs();
/** DEPRECATED. This predicate has been renamed to `getASink`. */
deprecated DataFlow::SourceNode getARhs() { none() }
/** Gets a data-flow node where a value enters the current codebase through this entry-point. */
DataFlow::SourceNode getASource() { none() }
/** Gets a data-flow node where a value leaves the current codebase through this entry-point. */
DataFlow::Node getASink() { none() }
/** Gets an API-node for this entry point. */
API::Node getANode() { result = root().getASuccessor(Label::entryPoint(this)) }
@@ -567,7 +690,7 @@ module API {
base = MkRoot() and
exists(EntryPoint e |
lbl = Label::entryPoint(e) and
rhs = e.getARhs()
rhs = e.getASink()
)
or
exists(string m, string prop |
@@ -744,7 +867,7 @@ module API {
base = MkRoot() and
exists(EntryPoint e |
lbl = Label::entryPoint(e) and
ref = e.getAUse()
ref = e.getASource()
)
or
// property reads
@@ -1178,8 +1301,8 @@ module API {
API::Node callee;
InvokeNode() {
this = callee.getReturn().getAnImmediateUse() or
this = callee.getInstance().getAnImmediateUse() or
this = callee.getReturn().asSource() or
this = callee.getInstance().asSource() or
this = Impl::getAPromisifiedInvocation(callee, _, _)
}
@@ -1194,7 +1317,7 @@ module API {
* Gets an API node where a RHS of the node is the `i`th argument to this call.
*/
pragma[noinline]
private Node getAParameterCandidate(int i) { result.getARhs() = this.getArgument(i) }
private Node getAParameterCandidate(int i) { result.asSink() = this.getArgument(i) }
/** Gets the API node for a parameter of this invocation. */
Node getAParameter() { result = this.getParameter(_) }
@@ -1205,13 +1328,13 @@ module API {
/** Gets the API node for the return value of this call. */
Node getReturn() {
result = callee.getReturn() and
result.getAnImmediateUse() = this
result.asSource() = this
}
/** Gets the API node for the object constructed by this invocation. */
Node getInstance() {
result = callee.getInstance() and
result.getAnImmediateUse() = this
result.asSource() = this
}
}

6
javascript/ql/lib/semmle/javascript/Arrays.qll
View File

@@ -75,7 +75,7 @@ module ArrayTaintTracking {
succ.(DataFlow::SourceNode).getAMethodCall("splice") = call
or
// `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
call.(DataFlow::MethodCallNode).calls(pred, ["pop", "shift", "slice", "splice"]) and
call.(DataFlow::MethodCallNode).calls(pred, ["pop", "shift", "slice", "splice", "at"]) and
succ = call
or
// `e = Array.from(x)`: if `x` is tainted, then so is `e`.
@@ -199,13 +199,13 @@ private module ArrayDataFlow {
}
/**
* A step for retrieving an element from an array using `.pop()` or `.shift()`.
* A step for retrieving an element from an array using `.pop()`, `.shift()`, or `.at()`.
* E.g. `array.pop()`.
*/
private class ArrayPopStep extends DataFlow::SharedFlowStep {
override predicate loadStep(DataFlow::Node obj, DataFlow::Node element, string prop) {
exists(DataFlow::MethodCallNode call |
call.getMethodName() = ["pop", "shift"] and
call.getMethodName() = ["pop", "shift", "at"] and
prop = arrayElement() and
obj = call.getReceiver() and
element = call

2
javascript/ql/lib/semmle/javascript/JsonParsers.qll
View File

@@ -29,7 +29,7 @@ private class PlainJsonParserCall extends JsonParserCall {
callee =
DataFlow::moduleMember(["json3", "json5", "flatted", "teleport-javascript", "json-cycle"],
"parse") or
callee = API::moduleImport("replicator").getInstance().getMember("decode").getAnImmediateUse() or
callee = API::moduleImport("replicator").getInstance().getMember("decode").asSource() or
callee = DataFlow::moduleImport("parse-json") or
callee = DataFlow::moduleImport("json-parse-better-errors") or
callee = DataFlow::moduleImport("json-safe-parse") or

4
javascript/ql/lib/semmle/javascript/JsonSchema.qll
View File

@@ -134,7 +134,7 @@ module JsonSchema {
.ref()
.getMember(["addSchema", "validate", "compile", "compileAsync"])
.getParameter(0)
.getARhs()
.asSink()
}
}
}
@@ -184,7 +184,7 @@ module JsonSchema {
override boolean getPolarity() { none() }
override DataFlow::Node getAValidationResultAccess(boolean polarity) {
result = this.getReturn().getMember("error").getAnImmediateUse() and
result = this.getReturn().getMember("error").asSource() and
polarity = false
}
}

2
javascript/ql/lib/semmle/javascript/JsonStringifiers.qll
View File

@@ -14,7 +14,7 @@ class JsonStringifyCall extends DataFlow::CallNode {
callee =
DataFlow::moduleMember(["json3", "json5", "flatted", "teleport-javascript", "json-cycle"],
"stringify") or
callee = API::moduleImport("replicator").getInstance().getMember("encode").getAnImmediateUse() or
callee = API::moduleImport("replicator").getInstance().getMember("encode").asSource() or
callee =
DataFlow::moduleImport([
"json-stringify-safe", "json-stable-stringify", "stringify-object",

8
javascript/ql/lib/semmle/javascript/MembershipCandidates.qll
View File

@@ -229,10 +229,10 @@ module MembershipCandidate {
membersNode = inExpr.getRightOperand()
)
or
exists(MethodCallExpr hasOwn |
this = hasOwn.getArgument(0).flow() and
test = hasOwn and
hasOwn.calls(membersNode, "hasOwnProperty")
exists(HasOwnPropertyCall hasOwn |
this = hasOwn.getProperty() and
test = hasOwn.asExpr() and
membersNode = hasOwn.getObject().asExpr()
)
}

2
javascript/ql/lib/semmle/javascript/NodeJS.qll
View File

@@ -3,6 +3,7 @@
import javascript
private import NodeModuleResolutionImpl
private import semmle.javascript.DynamicPropertyAccess as DynamicPropertyAccess
private import semmle.javascript.internal.CachedStages
/**
* A Node.js module.
@@ -113,6 +114,7 @@ class NodeModule extends Module {
}
override DataFlow::Node getABulkExportedNode() {
Stages::Imports::ref() and
exists(DataFlow::PropWrite write |
write.getBase().asExpr() = this.getModuleVariable().getAnAccess() and
write.getPropertyName() = "exports" and

32
javascript/ql/lib/semmle/javascript/StandardLibrary.qll
View File

@@ -192,3 +192,35 @@ class StringSplitCall extends DataFlow::MethodCallNode {
bindingset[i]
DataFlow::Node getASubstringRead(int i) { result = this.getAPropertyRead(i.toString()) }
}
/**
* A call to `Object.prototype.hasOwnProperty`, `Object.hasOwn`, or a library that implements
* the same functionality.
*/
class HasOwnPropertyCall extends DataFlow::Node instanceof DataFlow::CallNode {
DataFlow::Node object;
DataFlow::Node property;
HasOwnPropertyCall() {
// Make sure we handle reflective calls since libraries love to do that.
super.getCalleeNode().getALocalSource().(DataFlow::PropRead).getPropertyName() =
"hasOwnProperty" and
object = super.getReceiver() and
property = super.getArgument(0)
or
this =
[
DataFlow::globalVarRef("Object").getAMemberCall("hasOwn"), //
DataFlow::moduleImport("has").getACall(), //
LodashUnderscore::member("has").getACall()
] and
object = super.getArgument(0) and
property = super.getArgument(1)
}
/** Gets the object whose property is being checked. */
DataFlow::Node getObject() { result = object }
/** Gets the property being checked. */
DataFlow::Node getProperty() { result = property }
}

2
javascript/ql/lib/semmle/javascript/TypeScript.qll
View File

@@ -1286,6 +1286,8 @@ class ExpressionWithTypeArguments extends @expression_with_type_arguments, Expr
override ControlFlowNode getFirstControlFlowNode() {
result = this.getExpression().getFirstControlFlowNode()
}
override string getAPrimaryQlClass() { result = "ExpressionWithTypeArguments" }
}
/**

16
javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
View File

@@ -1027,18 +1027,16 @@ module TaintTracking {
class WhitelistContainmentCallSanitizer extends AdditionalSanitizerGuardNode,
DataFlow::MethodCallNode {
WhitelistContainmentCallSanitizer() {
exists(string name |
name = "contains" or
name = "has" or
name = "hasOwnProperty"
|
this.getMethodName() = name
)
this.getMethodName() = ["contains", "has", "hasOwnProperty", "hasOwn"]
}
override predicate sanitizes(boolean outcome, Expr e) {
outcome = true and
e = this.getArgument(0).asExpr()
exists(int propertyIndex |
if this.getMethodName() = "hasOwn" then propertyIndex = 1 else propertyIndex = 0
|
outcome = true and
e = this.getArgument(propertyIndex).asExpr()
)
}
override predicate appliesTo(Configuration cfg) { any() }

2
javascript/ql/lib/semmle/javascript/frameworks/Babel.qll
View File

@@ -198,7 +198,7 @@ module Babel {
.getMember(["transform", "transformSync", "transformAsync"])
.getACall() and
pred = call.getArgument(0) and
succ = [call, call.getParameter(2).getParameter(0).getAnImmediateUse()]
succ = [call, call.getParameter(2).getParameter(0).asSource()]
)
}
}

2
javascript/ql/lib/semmle/javascript/frameworks/Cheerio.qll
View File

@@ -14,7 +14,7 @@ module Cheerio {
}
/** Gets a reference to the `cheerio` function, possibly with a loaded DOM. */
DataFlow::SourceNode cheerioRef() { result = cheerioApi().getAUse() }
DataFlow::SourceNode cheerioRef() { result = cheerioApi().getAValueReachableFromSource() }
/**
* A creation of `cheerio` object, a collection of virtual DOM elements

3
javascript/ql/lib/semmle/javascript/frameworks/ClassValidator.qll
View File

@@ -39,7 +39,8 @@ module ClassValidator {
/** Holds if the given field has a decorator that sanitizes its value for the purpose of taint tracking. */
predicate isFieldSanitizedByDecorator(FieldDefinition field) {
field.getADecorator().getExpression().flow() = sanitizingDecorator().getReturn().getAUse()
field.getADecorator().getExpression().flow() =
sanitizingDecorator().getReturn().getAValueReachableFromSource()
}
pragma[noinline]

10
javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll
View File

@@ -265,7 +265,7 @@ module ClientRequest {
or
responseType = this.getResponseType() and
promise = false and
result = this.getReturn().getPromisedError().getMember("response").getAnImmediateUse()
result = this.getReturn().getPromisedError().getMember("response").asSource()
}
}
@@ -463,7 +463,7 @@ module ClientRequest {
*/
private API::Node netSocketInstantiation(DataFlow::NewNode socket) {
result = API::moduleImport("net").getMember("Socket").getInstance() and
socket = result.getAnImmediateUse()
socket = result.asSource()
}
/**
@@ -827,7 +827,7 @@ module ClientRequest {
class ApolloClientRequest extends ClientRequest::Range, API::InvokeNode {
ApolloClientRequest() { this = apolloUriCallee().getAnInvocation() }
override DataFlow::Node getUrl() { result = this.getParameter(0).getMember("uri").getARhs() }
override DataFlow::Node getUrl() { result = this.getParameter(0).getMember("uri").asSink() }
override DataFlow::Node getHost() { none() }
@@ -848,10 +848,10 @@ module ClientRequest {
override DataFlow::Node getUrl() { result = this.getArgument(0) }
override DataFlow::Node getHost() { result = this.getParameter(0).getMember("host").getARhs() }
override DataFlow::Node getHost() { result = this.getParameter(0).getMember("host").asSink() }
override DataFlow::Node getADataNode() {
result = form.getMember("append").getACall().getParameter(1).getARhs()
result = form.getMember("append").getACall().getParameter(1).asSink()
}
}
}

2
javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll
View File

@@ -21,7 +21,7 @@ private class CredentialsFromModel extends CredentialsExpr {
string kind;
CredentialsFromModel() {
this = ModelOutput::getASinkNode("credentials[" + kind + "]").getARhs().asExpr()
this = ModelOutput::getASinkNode("credentials[" + kind + "]").asSink().asExpr()
}
override string getCredentialsKind() { result = kind }

12
javascript/ql/lib/semmle/javascript/frameworks/D3.qll
View File

@@ -9,9 +9,7 @@ module D3 {
private class D3GlobalEntry extends API::EntryPoint {
D3GlobalEntry() { this = "D3GlobalEntry" }
override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef("d3") }
override DataFlow::Node getARhs() { none() }
override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("d3") }
}
/** Gets an API node referring to the `d3` module. */
@@ -71,18 +69,18 @@ module D3 {
D3XssSink() {
exists(API::Node htmlArg |
htmlArg = d3Selection().getMember("html").getParameter(0) and
this = [htmlArg, htmlArg.getReturn()].getARhs()
this = [htmlArg, htmlArg.getReturn()].asSink()
)
}
}
private class D3DomValueSource extends DOM::DomValueSource::Range {
D3DomValueSource() {
this = d3Selection().getMember("each").getReceiver().getAnImmediateUse()
this = d3Selection().getMember("each").getReceiver().asSource()
or
this = d3Selection().getMember("node").getReturn().getAnImmediateUse()
this = d3Selection().getMember("node").getReturn().asSource()
or
this = d3Selection().getMember("nodes").getReturn().getUnknownMember().getAnImmediateUse()
this = d3Selection().getMember("nodes").getReturn().getUnknownMember().asSource()
}
}

4
javascript/ql/lib/semmle/javascript/frameworks/Electron.qll
View File

@@ -56,13 +56,13 @@ module Electron {
}
}
private API::Node browserObject() { result.getAnImmediateUse() instanceof NewBrowserObject }
private API::Node browserObject() { result.asSource() instanceof NewBrowserObject }
/**
* A data flow node whose value may originate from a browser object instantiation.
*/
private class BrowserObjectByFlow extends BrowserObject {
BrowserObjectByFlow() { browserObject().getAUse() = this }
BrowserObjectByFlow() { browserObject().getAValueReachableFromSource() = this }
}
/**

12
javascript/ql/lib/semmle/javascript/frameworks/Files.qll
View File

@@ -89,7 +89,7 @@ private API::Node globbyFileNameSource() {
* A file name or an array of file names from the `globby` library.
*/
private class GlobbyFileNameSource extends FileNameSource {
GlobbyFileNameSource() { this = globbyFileNameSource().getAnImmediateUse() }
GlobbyFileNameSource() { this = globbyFileNameSource().asSource() }
}
/** Gets a file name or an array of file names from the `fast-glob` library. */
@@ -116,7 +116,7 @@ private API::Node fastGlobFileName() {
* A file name or an array of file names from the `fast-glob` library.
*/
private class FastGlobFileNameSource extends FileNameSource {
FastGlobFileNameSource() { this = fastGlobFileName().getAnImmediateUse() }
FastGlobFileNameSource() { this = fastGlobFileName().asSource() }
}
/**
@@ -200,7 +200,7 @@ private class RecursiveReadDir extends FileSystemAccess, FileNameProducer, API::
override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
override DataFlow::Node getAFileName() { result = this.trackFileSource().getAnImmediateUse() }
override DataFlow::Node getAFileName() { result = this.trackFileSource().asSource() }
private API::Node trackFileSource() {
result = this.getParameter([1 .. 2]).getParameter(1)
@@ -223,7 +223,7 @@ private module JsonFile {
override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
override DataFlow::Node getADataNode() { result = this.trackRead().getAnImmediateUse() }
override DataFlow::Node getADataNode() { result = this.trackRead().asSource() }
private API::Node trackRead() {
this.getCalleeName() = "readFile" and
@@ -272,7 +272,7 @@ private class LoadJsonFile extends FileSystemReadAccess, API::CallNode {
override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
override DataFlow::Node getADataNode() { result = this.trackRead().getAnImmediateUse() }
override DataFlow::Node getADataNode() { result = this.trackRead().asSource() }
private API::Node trackRead() {
this.getCalleeName() = "sync" and result = this.getReturn()
@@ -310,7 +310,7 @@ private class WalkDir extends FileNameProducer, FileSystemAccess, API::CallNode
override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
override DataFlow::Node getAFileName() { result = this.trackFileSource().getAnImmediateUse() }
override DataFlow::Node getAFileName() { result = this.trackFileSource().asSource() }
private API::Node trackFileSource() {
not this.getCalleeName() = ["sync", "async"] and

6
javascript/ql/lib/semmle/javascript/frameworks/FormParsers.qll
View File

@@ -15,7 +15,7 @@ private class BusBoyRemoteFlow extends RemoteFlowSource {
.getMember("on")
.getParameter(1)
.getAParameter()
.getAnImmediateUse()
.asSource()
}
override string getSourceType() { result = "parsed user value from Busbuy" }
@@ -49,12 +49,12 @@ private class MultipartyRemoteFlow extends RemoteFlowSource {
MultipartyRemoteFlow() {
exists(API::Node form | form = API::moduleImport("multiparty").getMember("Form").getInstance() |
exists(API::CallNode parse | parse = form.getMember("parse").getACall() |
this = parse.getParameter(1).getAParameter().getAnImmediateUse()
this = parse.getParameter(1).getAParameter().asSource()
)
or
exists(API::CallNode on | on = form.getMember("on").getACall() |
on.getArgument(0).mayHaveStringValue(["part", "file", "field"]) and
this = on.getParameter(1).getAParameter().getAnImmediateUse()
this = on.getParameter(1).getAParameter().asSource()
)
)
}

10
javascript/ql/lib/semmle/javascript/frameworks/History.qll
View File

@@ -8,9 +8,7 @@ module History {
private class HistoryGlobalEntry extends API::EntryPoint {
HistoryGlobalEntry() { this = "HistoryLibrary" }
override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef("HistoryLibrary") }
override DataFlow::Node getARhs() { none() }
override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("HistoryLibrary") }
}
/**
@@ -40,11 +38,11 @@ module History {
HistoryLibraryRemoteFlow() {
exists(API::Node loc | loc = [getBrowserHistory(), getHashHistory()].getMember("location") |
this = loc.getMember("hash").getAnImmediateUse() and kind.isFragment()
this = loc.getMember("hash").asSource() and kind.isFragment()
or
this = loc.getMember("pathname").getAnImmediateUse() and kind.isPath()
this = loc.getMember("pathname").asSource() and kind.isPath()
or
this = loc.getMember("search").getAnImmediateUse() and kind.isQuery()
this = loc.getMember("search").asSource() and kind.isQuery()
)
}

12
javascript/ql/lib/semmle/javascript/frameworks/HttpProxy.qll
View File

@@ -19,10 +19,10 @@ private module HttpProxy {
.getACall()
}
override DataFlow::Node getUrl() { result = getParameter(0).getMember("target").getARhs() }
override DataFlow::Node getUrl() { result = getParameter(0).getMember("target").asSink() }
override DataFlow::Node getHost() {
result = getParameter(0).getMember("target").getMember("host").getARhs()
result = getParameter(0).getMember("target").getMember("host").asSink()
}
override DataFlow::Node getADataNode() { none() }
@@ -49,10 +49,10 @@ private module HttpProxy {
)
}
override DataFlow::Node getUrl() { result = getOptionsObject().getMember("target").getARhs() }
override DataFlow::Node getUrl() { result = getOptionsObject().getMember("target").asSink() }
override DataFlow::Node getHost() {
result = getOptionsObject().getMember("target").getMember("host").getARhs()
result = getOptionsObject().getMember("target").getMember("host").asSink()
}
override DataFlow::Node getADataNode() { none() }
@@ -78,8 +78,8 @@ private module HttpProxy {
ProxyListenerCallback() {
exists(API::CallNode call |
call = any(CreateServerCall server).getReturn().getMember(["on", "once"]).getACall() and
call.getParameter(0).getARhs().mayHaveStringValue(event) and
this = call.getParameter(1).getARhs().getAFunctionValue()
call.getParameter(0).asSink().mayHaveStringValue(event) and
this = call.getParameter(1).asSink().getAFunctionValue()
)
}

4
javascript/ql/lib/semmle/javascript/frameworks/Immutable.qll
View File

@@ -16,9 +16,7 @@ private module Immutable {
private class ImmutableGlobalEntry extends API::EntryPoint {
ImmutableGlobalEntry() { this = "ImmutableGlobalEntry" }
override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef("Immutable") }
override DataFlow::Node getARhs() { none() }
override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("Immutable") }
}
/**

2
javascript/ql/lib/semmle/javascript/frameworks/Knex.qll
View File

@@ -69,7 +69,7 @@ module Knex {
private class KnexDatabaseAwait extends DatabaseAccess, DataFlow::ValueNode {
KnexDatabaseAwait() {
exists(AwaitExpr enclosingAwait | this = enclosingAwait.flow() |
enclosingAwait.getOperand() = knexObject().getAUse().asExpr()
enclosingAwait.getOperand() = knexObject().getAValueReachableFromSource().asExpr()
)
}

4
javascript/ql/lib/semmle/javascript/frameworks/LdapJS.qll
View File

@@ -61,10 +61,10 @@ module LdapJS {
SearchFilter() {
options = ldapClient().getMember("search").getACall().getParameter(1) and
this = options.getARhs()
this = options.asSink()
}
override DataFlow::Node getInput() { result = options.getMember("filter").getARhs() }
override DataFlow::Node getInput() { result = options.getMember("filter").asSink() }
override DataFlow::Node getOutput() { result = this }
}

4
javascript/ql/lib/semmle/javascript/frameworks/LiveServer.qll
View File

@@ -12,7 +12,7 @@ private module LiveServer {
class ServerDefinition extends HTTP::Servers::StandardServerDefinition {
ServerDefinition() { this = DataFlow::moduleImport("live-server").asExpr() }
API::Node getImportNode() { result.getAnImmediateUse().asExpr() = this }
API::Node getImportNode() { result.asSource().asExpr() = this }
}
/**
@@ -41,7 +41,7 @@ private module LiveServer {
override DataFlow::SourceNode getARouteHandler() {
exists(DataFlow::SourceNode middleware |
middleware = call.getParameter(0).getMember("middleware").getAValueReachingRhs()
middleware = call.getParameter(0).getMember("middleware").getAValueReachingSink()
|
result = middleware.getAMemberCall(["push", "unshift"]).getArgument(0).getAFunctionValue()
or

6
javascript/ql/lib/semmle/javascript/frameworks/Logging.qll
View File

@@ -35,9 +35,7 @@ private module Console {
private class ConsoleGlobalEntry extends API::EntryPoint {
ConsoleGlobalEntry() { this = "ConsoleGlobalEntry" }
override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef("console") }
override DataFlow::Node getARhs() { none() }
override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("console") }
}
/**
@@ -352,7 +350,7 @@ private module Pino {
// `pino` is installed as the "log" property on the request object in `Express` and similar libraries.
// in `Hapi` the property is "logger".
exists(HTTP::RequestExpr req, API::Node reqNode |
reqNode.getAnImmediateUse() = req.flow().getALocalSource() and
reqNode.asSource() = req.flow().getALocalSource() and
result = reqNode.getMember(["log", "logger"])
)
}

4
javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll
View File

@@ -163,14 +163,14 @@ module Markdown {
or
call = API::moduleImport("markdown-it").getMember("Markdown").getAnInvocation()
|
call.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and
call.getParameter(0).getMember("html").asSink().mayHaveBooleanValue(true) and
result = call.getReturn()
)
or
exists(API::CallNode call |
call = markdownIt().getMember(["use", "set", "configure", "enable", "disable"]).getACall() and
result = call.getReturn() and
not call.getParameter(0).getAValueReachingRhs() =
not call.getParameter(0).getAValueReachingSink() =
DataFlow::moduleImport("markdown-it-sanitizer")
)
}

20
javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
View File

@@ -140,11 +140,9 @@ module NestJS {
private class ValidationNodeEntry extends API::EntryPoint {
ValidationNodeEntry() { this = "ValidationNodeEntry" }
override DataFlow::SourceNode getAUse() {
override DataFlow::SourceNode getASource() {
result.(DataFlow::ClassNode).getName() = "ValidationPipe"
}
override DataFlow::Node getARhs() { none() }
}
/** Gets an API node referring to the constructor of `ValidationPipe` */
@@ -181,7 +179,7 @@ module NestJS {
predicate hasGlobalValidationPipe(Folder folder) {
exists(DataFlow::CallNode call |
call.getCalleeName() = "useGlobalPipes" and
call.getArgument(0) = validationPipe().getInstance().getAUse() and
call.getArgument(0) = validationPipe().getInstance().getAValueReachableFromSource() and
folder = call.getFile().getParentContainer()
)
or
@@ -193,7 +191,7 @@ module NestJS {
.getAMember()
.getMember("useFactory")
.getReturn()
.getARhs() = validationPipe().getInstance().getAUse() and
.asSink() = validationPipe().getInstance().getAValueReachableFromSource() and
folder = decorator.getFile().getParentContainer()
)
or
@@ -204,7 +202,7 @@ module NestJS {
* Holds if `param` is affected by a pipe that sanitizes inputs.
*/
private predicate hasSanitizingPipe(NestJSRequestInput param, boolean dependsOnType) {
param.getAPipe() = sanitizingPipe(dependsOnType).getAUse()
param.getAPipe() = sanitizingPipe(dependsOnType).getAValueReachableFromSource()
or
hasGlobalValidationPipe(param.getFile().getParentContainer()) and
dependsOnType = true
@@ -395,11 +393,11 @@ module NestJS {
/** Gets a parameter with this decorator applied. */
DataFlow::ParameterNode getADecoratedParameter() {
result.getADecorator() = getReturn().getReturn().getAUse()
result.getADecorator() = getReturn().getReturn().getAValueReachableFromSource()
}
/** Gets a value returned by the decorator's callback, which becomes the value of the decorated parameter. */
DataFlow::Node getResult() { result = getParameter(0).getReturn().getARhs() }
DataFlow::Node getResult() { result = getParameter(0).getReturn().asSink() }
}
/**
@@ -427,7 +425,7 @@ module NestJS {
private class ExpressRequestSource extends Express::RequestSource {
ExpressRequestSource() {
this.(DataFlow::ParameterNode).getADecorator() =
nestjs().getMember(["Req", "Request"]).getReturn().getAnImmediateUse()
nestjs().getMember(["Req", "Request"]).getReturn().asSource()
or
this =
executionContext()
@@ -435,7 +433,7 @@ module NestJS {
.getReturn()
.getMember("getRequest")
.getReturn()
.getAnImmediateUse()
.asSource()
}
/**
@@ -452,7 +450,7 @@ module NestJS {
private class ExpressResponseSource extends Express::ResponseSource {
ExpressResponseSource() {
this.(DataFlow::ParameterNode).getADecorator() =
nestjs().getMember(["Res", "Response"]).getReturn().getAnImmediateUse()
nestjs().getMember(["Res", "Response"]).getReturn().asSource()
}
/**

2
javascript/ql/lib/semmle/javascript/frameworks/Next.qll
View File

@@ -252,6 +252,6 @@ module NextJS {
.getParameter(0)
.getParameter(0)
.getMember("router")
.getAnImmediateUse()
.asSource()
}
}

12
javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll
View File

@@ -20,7 +20,7 @@ deprecated module NoSQL = NoSql;
* Gets a value that has been assigned to the "$where" property of an object that flows to `queryArg`.
*/
private DataFlow::Node getADollarWhereProperty(API::Node queryArg) {
result = queryArg.getMember("$where").getARhs()
result = queryArg.getMember("$where").asSink()
}
/**
@@ -418,7 +418,7 @@ private module Mongoose {
param = f.getParameter(0).getParameter(1)
|
exists(DataFlow::MethodCallNode pred |
// limitation: look at the previous method call
// limitation: look at the previous method call
Query::MethodSignatures::returnsDocumentQuery(pred.getMethodName(), asArray) and
pred.getAMethodCall() = f.getACall()
)
@@ -501,7 +501,7 @@ private module Mongoose {
Credentials() {
exists(string prop |
this = createConnection().getParameter(3).getMember(prop).getARhs().asExpr()
this = createConnection().getParameter(3).getMember(prop).asSink().asExpr()
|
prop = "user" and kind = "user name"
or
@@ -518,7 +518,7 @@ private module Mongoose {
class MongoDBQueryPart extends NoSql::Query {
MongooseFunction f;
MongoDBQueryPart() { this = f.getQueryArgument().getARhs().asExpr() }
MongoDBQueryPart() { this = f.getQueryArgument().asSink().asExpr() }
override DataFlow::Node getACodeOperator() {
result = getADollarWhereProperty(f.getQueryArgument())
@@ -540,7 +540,7 @@ private module Mongoose {
override DataFlow::Node getAQueryArgument() {
// NB: the complete information is not easily accessible for deeply chained calls
f.getQueryArgument().getARhs() = result
f.getQueryArgument().asSink() = result
}
override DataFlow::Node getAResult() {
@@ -770,7 +770,7 @@ private module Redis {
RedisKeyArgument() {
exists(string method, int argIndex |
QuerySignatures::argumentIsAmbiguousKey(method, argIndex) and
this = redis().getMember(method).getParameter(argIndex).getARhs().asExpr()
this = redis().getMember(method).getParameter(argIndex).asSink().asExpr()
)
}
}

10
javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
View File

@@ -739,7 +739,7 @@ module NodeJSLib {
methodName = ["execFile", "execFileSync", "spawn", "spawnSync", "fork"]
) and
// all of the above methods take the command as their first argument
result = this.getParameter(0).getARhs()
result = this.getParameter(0).asSink()
}
override DataFlow::Node getACommandArgument() { result = this.getACommandArgument(_) }
@@ -751,7 +751,7 @@ module NodeJSLib {
override DataFlow::Node getArgumentList() {
methodName = ["execFile", "execFileSync", "fork", "spawn", "spawnSync"] and
// all of the above methods take the argument list as their second argument
result = this.getParameter(1).getARhs()
result = this.getParameter(1).asSink()
}
override predicate isSync() { methodName.matches("%Sync") }
@@ -759,7 +759,7 @@ module NodeJSLib {
override DataFlow::Node getOptionsArg() {
not result.getALocalSource() instanceof DataFlow::FunctionNode and // looks like callback
not result.getALocalSource() instanceof DataFlow::ArrayCreationNode and // looks like argumentlist
not result = this.getParameter(0).getARhs() and
not result = this.getParameter(0).asSink() and
// fork/spawn and all sync methos always has options as the last argument
if
methodName.matches("fork%") or
@@ -768,7 +768,7 @@ module NodeJSLib {
then result = this.getLastArgument()
else
// the rest (exec/execFile) has the options argument as their second last.
result = this.getParameter(this.getNumArgument() - 2).getARhs()
result = this.getParameter(this.getNumArgument() - 2).asSink()
}
}
@@ -1070,7 +1070,7 @@ module NodeJSLib {
*/
private class EventEmitterSubClass extends DataFlow::ClassNode {
EventEmitterSubClass() {
this.getASuperClassNode() = getAnEventEmitterImport().getAUse() or
this.getASuperClassNode() = getAnEventEmitterImport().getAValueReachableFromSource() or
this.getADirectSuperClass() instanceof EventEmitterSubClass
}
}

2
javascript/ql/lib/semmle/javascript/frameworks/Prettier.qll
View File

@@ -22,7 +22,7 @@ private module Prettier {
call = API::moduleImport("prettier").getMember("formatWithCursor").getACall()
|
pred = call.getArgument(0) and
succ = call.getReturn().getMember("formatted").getAnImmediateUse()
succ = call.getReturn().getMember("formatted").asSource()
)
}
}

2
javascript/ql/lib/semmle/javascript/frameworks/Puppeteer.qll
View File

@@ -86,7 +86,7 @@ module Puppeteer {
this = page().getMember(["addStyleTag", "addScriptTag"]).getACall()
}
override DataFlow::Node getUrl() { result = getParameter(0).getMember("url").getARhs() }
override DataFlow::Node getUrl() { result = getParameter(0).getMember("url").asSink() }
override DataFlow::Node getHost() { none() }

72
javascript/ql/lib/semmle/javascript/frameworks/Redux.qll
View File

@@ -58,10 +58,10 @@ module Redux {
*/
class StoreCreation extends DataFlow::SourceNode instanceof StoreCreation::Range {
/** Gets a reference to the store. */
DataFlow::SourceNode ref() { result = asApiNode().getAUse() }
DataFlow::SourceNode ref() { result = asApiNode().getAValueReachableFromSource() }
/** Gets an API node that refers to this store creation. */
API::Node asApiNode() { result.getAnImmediateUse() = this }
API::Node asApiNode() { result.asSource() = this }
/** Gets the data flow node holding the root reducer for this store. */
DataFlow::Node getReducerArg() { result = super.getReducerArg() }
@@ -94,7 +94,7 @@ module Redux {
}
override DataFlow::Node getReducerArg() {
result = getParameter(0).getMember("reducer").getARhs()
result = getParameter(0).getMember("reducer").asSink()
}
}
}
@@ -106,7 +106,7 @@ module Redux {
private API::Node rootState() {
result instanceof RootStateSource
or
stateStep(rootState().getAUse(), result.getAnImmediateUse())
stateStep(rootState().getAValueReachableFromSource(), result.asSource())
}
/**
@@ -120,7 +120,7 @@ module Redux {
accessPath = joinAccessPaths(base, prop)
)
or
stateStep(rootStateAccessPath(accessPath).getAUse(), result.getAnImmediateUse())
stateStep(rootStateAccessPath(accessPath).getAValueReachableFromSource(), result.asSource())
}
/**
@@ -193,7 +193,7 @@ module Redux {
CombineReducers() { this = combineReducers().getACall() }
override DataFlow::Node getStateHandlerArg(string prop) {
result = getParameter(0).getMember(prop).getARhs()
result = getParameter(0).getMember(prop).asSink()
}
}
@@ -207,7 +207,7 @@ module Redux {
*/
private class NestedCombineReducers extends DelegatingReducer, DataFlow::ObjectLiteralNode {
NestedCombineReducers() {
this = combineReducers().getParameter(0).getAMember+().getAValueReachingRhs()
this = combineReducers().getParameter(0).getAMember+().getAValueReachingSink()
}
override DataFlow::Node getStateHandlerArg(string prop) {
@@ -235,7 +235,7 @@ module Redux {
override DataFlow::Node getActionHandlerArg(DataFlow::Node actionType) {
exists(DataFlow::PropWrite write |
result = getParameter(0).getAMember().getARhs() and
result = getParameter(0).getAMember().asSink() and
write.getRhs() = result and
actionType = write.getPropertyNameExpr().flow()
)
@@ -374,7 +374,7 @@ module Redux {
CreateSliceReducer() {
call = API::moduleImport("@reduxjs/toolkit").getMember("createSlice").getACall() and
this = call.getReturn().getMember("reducer").getAnImmediateUse()
this = call.getReturn().getMember("reducer").asSource()
}
private API::Node getABuilderRef() {
@@ -385,14 +385,14 @@ module Redux {
override DataFlow::Node getActionHandlerArg(DataFlow::Node actionType) {
exists(string name |
result = call.getParameter(0).getMember("reducers").getMember(name).getARhs() and
actionType = call.getReturn().getMember("actions").getMember(name).getAnImmediateUse()
result = call.getParameter(0).getMember("reducers").getMember(name).asSink() and
actionType = call.getReturn().getMember("actions").getMember(name).asSource()
)
or
// Properties of 'extraReducers':
// { extraReducers: { [action]: reducer }}
exists(DataFlow::PropWrite write |
result = call.getParameter(0).getMember("extraReducers").getAMember().getARhs() and
result = call.getParameter(0).getMember("extraReducers").getAMember().asSink() and
write.getRhs() = result and
actionType = write.getPropertyNameExpr().flow()
)
@@ -444,8 +444,8 @@ module Redux {
or
// x -> bindActionCreators({ x, ... })
exists(BindActionCreatorsCall bind, string prop |
ref(t.continue()).flowsTo(bind.getParameter(0).getMember(prop).getARhs()) and
result = bind.getReturn().getMember(prop).getAnImmediateUse()
ref(t.continue()).flowsTo(bind.getParameter(0).getMember(prop).asSink()) and
result = bind.getReturn().getMember(prop).asSource()
)
or
// x -> combineActions(x, ...)
@@ -580,11 +580,11 @@ module Redux {
MultiAction() {
createActions = API::moduleImport("redux-actions").getMember("createActions").getACall() and
this = createActions.getReturn().getMember(name).getAnImmediateUse()
this = createActions.getReturn().getMember(name).asSource()
}
override DataFlow::FunctionNode getMiddlewareFunction(boolean async) {
result.flowsTo(createActions.getParameter(0).getMember(getTypeTag()).getARhs()) and
result.flowsTo(createActions.getParameter(0).getMember(getTypeTag()).asSink()) and
async = false
}
@@ -614,12 +614,12 @@ module Redux {
CreateSliceAction() {
call = API::moduleImport("@reduxjs/toolkit").getMember("createSlice").getACall() and
this = call.getReturn().getMember("actions").getMember(actionName).getAnImmediateUse()
this = call.getReturn().getMember("actions").getMember(actionName).asSource()
}
override string getTypeTag() {
exists(string prefix |
call.getParameter(0).getMember("name").getARhs().mayHaveStringValue(prefix) and
call.getParameter(0).getMember("name").asSink().mayHaveStringValue(prefix) and
result = prefix + "/" + actionName
)
}
@@ -640,7 +640,7 @@ module Redux {
override DataFlow::FunctionNode getMiddlewareFunction(boolean async) {
async = true and
result = getParameter(1).getAValueReachingRhs()
result = getParameter(1).getAValueReachingSink()
}
override string getTypeTag() { getArgument(0).mayHaveStringValue(result) }
@@ -885,12 +885,12 @@ module Redux {
accessPath = getAffectedStateAccessPath(reducer)
|
pred = function.getReturnNode() and
succ = rootStateAccessPath(accessPath).getAnImmediateUse()
succ = rootStateAccessPath(accessPath).asSource()
or
exists(string suffix, DataFlow::SourceNode base |
base = [function.getParameter(0), function.getReturnNode().getALocalSource()] and
pred = AccessPath::getAnAssignmentTo(base, suffix) and
succ = rootStateAccessPath(accessPath + "." + suffix).getAnImmediateUse()
succ = rootStateAccessPath(accessPath + "." + suffix).asSource()
)
)
or
@@ -901,7 +901,7 @@ module Redux {
reducer.isRootStateHandler() and
base = [function.getParameter(0), function.getReturnNode().getALocalSource()] and
pred = AccessPath::getAnAssignmentTo(base, suffix) and
succ = rootStateAccessPath(suffix).getAnImmediateUse()
succ = rootStateAccessPath(suffix).asSource()
)
}
@@ -916,7 +916,7 @@ module Redux {
*/
private DataFlow::ObjectLiteralNode getAManuallyDispatchedValue(string actionType) {
result.getAPropertyWrite("type").getRhs().mayHaveStringValue(actionType) and
result = getADispatchedValueNode().getAValueReachingRhs()
result = getADispatchedValueNode().getAValueReachingSink()
}
/**
@@ -994,7 +994,7 @@ module Redux {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(API::CallNode call |
call = useSelector().getACall() and
pred = call.getParameter(0).getReturn().getARhs() and
pred = call.getParameter(0).getReturn().asSink() and
succ = call
)
}
@@ -1046,19 +1046,19 @@ module Redux {
//
// const mapDispatchToProps = { foo }
//
result = getMapDispatchToProps().getMember(name).getARhs()
result = getMapDispatchToProps().getMember(name).asSink()
or
//
// const mapDispatchToProps = dispatch => ( { foo } )
//
result = getMapDispatchToProps().getReturn().getMember(name).getARhs()
result = getMapDispatchToProps().getReturn().getMember(name).asSink()
or
// Explicitly bound by bindActionCreators:
//
// const mapDispatchToProps = dispatch => bindActionCreators({ foo }, dispatch);
//
exists(BindActionCreatorsCall bind |
bind.flowsTo(getMapDispatchToProps().getReturn().getARhs()) and
bind.flowsTo(getMapDispatchToProps().getReturn().asSink()) and
result = bind.getOptionArgument(0, name)
)
}
@@ -1096,9 +1096,7 @@ module Redux {
private class HeuristicConnectEntryPoint extends API::EntryPoint {
HeuristicConnectEntryPoint() { this = "react-redux-connect" }
override DataFlow::Node getARhs() { none() }
override DataFlow::SourceNode getAUse() {
override DataFlow::SourceNode getASource() {
exists(DataFlow::CallNode call |
call.getAnArgument().asExpr().(Identifier).getName() =
["mapStateToProps", "mapDispatchToProps"] and
@@ -1115,12 +1113,12 @@ module Redux {
override API::Node getMapStateToProps() {
result = getAParameter() and
result.getARhs().asExpr().(Identifier).getName() = "mapStateToProps"
result.asSink().asExpr().(Identifier).getName() = "mapStateToProps"
}
override API::Node getMapDispatchToProps() {
result = getAParameter() and
result.getARhs().asExpr().(Identifier).getName() = "mapDispatchToProps"
result.asSink().asExpr().(Identifier).getName() = "mapDispatchToProps"
}
}
@@ -1130,7 +1128,7 @@ module Redux {
private class StateToPropsStep extends StateStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(ConnectCall call |
pred = call.getMapStateToProps().getReturn().getARhs() and
pred = call.getMapStateToProps().getReturn().asSink() and
succ = call.getReactComponent().getADirectPropsAccess()
)
}
@@ -1205,7 +1203,7 @@ module Redux {
// Selector functions may be given as an array
exists(DataFlow::ArrayCreationNode array |
array.flowsTo(getArgument(0)) and
result.getAUse() = array.getElement(i)
result.getAValueReachableFromSource() = array.getElement(i)
)
}
}
@@ -1221,13 +1219,13 @@ module Redux {
// Return value of `i`th callback flows to the `i`th parameter of the last callback.
exists(CreateSelectorCall call, int index |
call.getNumArgument() > 1 and
pred = call.getSelectorFunction(index).getReturn().getARhs() and
succ = call.getLastParameter().getParameter(index).getAnImmediateUse()
pred = call.getSelectorFunction(index).getReturn().asSink() and
succ = call.getLastParameter().getParameter(index).asSource()
)
or
// The result of the last callback is the final result
exists(CreateSelectorCall call |
pred = call.getLastParameter().getReturn().getARhs() and
pred = call.getLastParameter().getReturn().asSink() and
succ = call
)
}

17
javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
View File

@@ -9,7 +9,7 @@ module SQL {
abstract class SqlString extends Expr { }
private class SqlStringFromModel extends SqlString {
SqlStringFromModel() { this = ModelOutput::getASinkNode("sql-injection").getARhs().asExpr() }
SqlStringFromModel() { this = ModelOutput::getASinkNode("sql-injection").asSink().asExpr() }
}
/**
@@ -109,7 +109,7 @@ private module MySql {
Credentials() {
exists(API::Node callee, string prop |
callee in [createConnection(), createPool()] and
this = callee.getParameter(0).getMember(prop).getARhs().asExpr() and
this = callee.getParameter(0).getMember(prop).asSink().asExpr() and
(
prop = "user" and kind = "user name"
or
@@ -200,7 +200,7 @@ private module Postgres {
QueryString() {
this = any(QueryCall qc).getAQueryArgument().asExpr()
or
this = API::moduleImport("pg-cursor").getParameter(0).getARhs().asExpr()
this = API::moduleImport("pg-cursor").getParameter(0).asSink().asExpr()
}
}
@@ -210,9 +210,9 @@ private module Postgres {
Credentials() {
exists(string prop |
this = [newClient(), newPool()].getParameter(0).getMember(prop).getARhs().asExpr()
this = [newClient(), newPool()].getParameter(0).getMember(prop).asSink().asExpr()
or
this = pgPromise().getParameter(0).getMember(prop).getARhs().asExpr()
this = pgPromise().getParameter(0).getMember(prop).asSink().asExpr()
|
prop = "user" and kind = "user name"
or
@@ -383,7 +383,7 @@ private module Sqlite {
/** A call to a Sqlite query method. */
private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
QueryCall() {
this = getAChainingQueryCall().getAnImmediateUse()
this = getAChainingQueryCall().asSource()
or
this = database().getMember("prepare").getACall()
}
@@ -440,7 +440,8 @@ private module MsSql {
override TaggedTemplateExpr astNode;
QueryTemplateExpr() {
mssql().getMember("query").getAUse() = DataFlow::valueNode(astNode.getTag())
mssql().getMember("query").getAValueReachableFromSource() =
DataFlow::valueNode(astNode.getTag())
}
override DataFlow::Node getAResult() {
@@ -494,7 +495,7 @@ private module MsSql {
or
callee = mssql().getMember("ConnectionPool")
) and
this = callee.getParameter(0).getMember(prop).getARhs().asExpr() and
this = callee.getParameter(0).getMember(prop).asSink().asExpr() and
(
prop = "user" and kind = "user name"
or

4
javascript/ql/lib/semmle/javascript/frameworks/Snapdragon.qll
View File

@@ -27,7 +27,7 @@ private module Snapdragon {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(string methodName, API::CallNode set, API::CallNode call, API::Node base |
// the handler, registered with a call to `.set`.
set = getSetCall+(base.getMember(methodName + "r")).getAnImmediateUse() and
set = getSetCall+(base.getMember(methodName + "r")).asSource() and
// the snapdragon instance. The API is chaining, you can also use the instance directly.
base = API::moduleImport("snapdragon").getInstance() and
methodName = ["parse", "compile"] and
@@ -47,7 +47,7 @@ private module Snapdragon {
or
// for compiler handlers the input is the first parameter.
methodName = "compile" and
succ = set.getParameter(1).getParameter(0).getAnImmediateUse()
succ = set.getParameter(1).getParameter(0).asSource()
)
)
}

8
javascript/ql/lib/semmle/javascript/frameworks/SocketIO.qll
View File

@@ -41,7 +41,7 @@ module SocketIO {
class ServerObject extends SocketIOObject {
API::Node node;
ServerObject() { node = newServer() and this = node.getAnImmediateUse() }
ServerObject() { node = newServer() and this = node.asSource() }
/** Gets the Api node for this server. */
API::Node asApiNode() { result = node }
@@ -81,7 +81,7 @@ module SocketIO {
)
}
override DataFlow::SourceNode ref() { result = this.server().getAUse() }
override DataFlow::SourceNode ref() { result = this.server().getAValueReachableFromSource() }
}
/** A data flow node that may produce (that is, create or return) a socket.io server. */
@@ -119,7 +119,7 @@ module SocketIO {
API::Node node;
NamespaceBase() {
this = node.getAnImmediateUse() and
this = node.asSource() and
exists(ServerObject srv |
// namespace lookup on `srv`
node = srv.asApiNode().getMember("sockets") and
@@ -158,7 +158,7 @@ module SocketIO {
)
}
override DataFlow::SourceNode ref() { result = this.namespace().getAUse() }
override DataFlow::SourceNode ref() { result = this.namespace().getAValueReachableFromSource() }
}
/** A data flow node that may produce a namespace object. */

16
javascript/ql/lib/semmle/javascript/frameworks/Templating.qll
View File

@@ -233,7 +233,7 @@ module Templating {
/** Gets an API node that may flow to `succ` through a template instantiation. */
private API::Node getTemplateInput(DataFlow::SourceNode succ) {
exists(TemplateInstantiation inst, API::Node base, string name |
base.getARhs() = inst.getTemplateParamsNode() and
base.asSink() = inst.getTemplateParamsNode() and
result = base.getMember(name) and
succ =
inst.getTemplateFile()
@@ -244,7 +244,7 @@ module Templating {
)
or
exists(TemplateInstantiation inst, string accessPath |
result.getARhs() = inst.getTemplateParamForValue(accessPath) and
result.asSink() = inst.getTemplateParamForValue(accessPath) and
succ =
inst.getTemplateFile()
.getAnImportedFile*()
@@ -261,7 +261,7 @@ module Templating {
private class TemplateInputStep extends DataFlow::SharedFlowStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
getTemplateInput(succ).getARhs() = pred
getTemplateInput(succ).asSink() = pred
}
}
@@ -321,8 +321,8 @@ module Templating {
result = this.getStringValue()
or
exists(API::Node node |
this = node.getARhs() and
result = node.getAValueReachingRhs().getStringValue()
this = node.asSink() and
result = node.getAValueReachingSink().getStringValue()
)
}
@@ -657,11 +657,9 @@ module Templating {
private class IncludeFunctionAsEntryPoint extends API::EntryPoint {
IncludeFunctionAsEntryPoint() { this = "IncludeFunctionAsEntryPoint" }
override DataFlow::SourceNode getAUse() {
override DataFlow::SourceNode getASource() {
result = any(TemplatePlaceholderTag tag).getInnerTopLevel().getAVariableUse("include")
}
override DataFlow::Node getARhs() { none() }
}
/**
@@ -718,7 +716,7 @@ module Templating {
override TemplateSyntax getTemplateSyntax() { result.getAPackageName() = engine }
override DataFlow::SourceNode getOutput() {
result = this.getParameter([1, 2]).getParameter(1).getAnImmediateUse()
result = this.getParameter([1, 2]).getParameter(1).asSource()
or
not exists(this.getParameter([1, 2]).getParameter(1)) and
result = this

8
javascript/ql/lib/semmle/javascript/frameworks/TorrentLibraries.qll
View File

@@ -21,7 +21,7 @@ module ParseTorrent {
node = mod().getReturn() or
node = mod().getMember("remote").getParameter(1).getParameter(1)
) and
this = node.getAnImmediateUse()
this = node.asSource()
}
/** Gets the API node for this torrent object. */
@@ -29,7 +29,9 @@ module ParseTorrent {
}
/** Gets a data flow node referring to a parsed torrent. */
DataFlow::SourceNode parsedTorrentRef() { result = any(ParsedTorrent t).asApiNode().getAUse() }
DataFlow::SourceNode parsedTorrentRef() {
result = any(ParsedTorrent t).asApiNode().getAValueReachableFromSource()
}
/**
* An access to user-controlled torrent information.
@@ -38,7 +40,7 @@ module ParseTorrent {
UserControlledTorrentInfo() {
exists(API::Node read |
read = any(ParsedTorrent t).asApiNode().getAMember() and
this = read.getAnImmediateUse()
this = read.asSource()
|
exists(string prop |
not (

6
javascript/ql/lib/semmle/javascript/frameworks/TrustedTypes.qll
View File

@@ -14,9 +14,7 @@ module TrustedTypes {
private class TrustedTypesEntry extends API::EntryPoint {
TrustedTypesEntry() { this = "TrustedTypesEntry" }
override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef("trustedTypes") }
override DataFlow::Node getARhs() { none() }
override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("trustedTypes") }
}
private API::Node trustedTypesObj() { result = any(TrustedTypesEntry entry).getANode() }
@@ -38,7 +36,7 @@ module TrustedTypes {
private class PolicyInputStep extends DataFlow::SharedFlowStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(PolicyCreation policy, string method |
pred = policy.getReturn().getMember(method).getParameter(0).getARhs() and
pred = policy.getReturn().getMember(method).getParameter(0).asSink() and
succ = policy.getPolicyCallback(method).getParameter(0)
)
}

2
javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll
View File

@@ -190,7 +190,7 @@ module Querystringify {
* Gets a data flow source node for member `name` of the querystringify library.
*/
DataFlow::SourceNode querystringifyMember(string name) {
result = querystringify().getMember(name).getAnImmediateUse()
result = querystringify().getMember(name).asSource()
}
/** Gets an API node referring to the `querystringify` module. */

55
javascript/ql/lib/semmle/javascript/frameworks/Vue.qll
View File

@@ -9,9 +9,7 @@ module Vue {
private class GlobalVueEntryPoint extends API::EntryPoint {
GlobalVueEntryPoint() { this = "VueEntryPoint" }
override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef("Vue") }
override DataFlow::Node getARhs() { none() }
override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("Vue") }
}
/**
@@ -22,9 +20,7 @@ module Vue {
private class VueExportEntryPoint extends API::EntryPoint {
VueExportEntryPoint() { this = "VueExportEntryPoint" }
override DataFlow::SourceNode getAUse() { none() }
override DataFlow::Node getARhs() {
override DataFlow::Node getASink() {
result = any(SingleFileComponent c).getModule().getDefaultOrBulkExport()
}
}
@@ -41,7 +37,7 @@ module Vue {
/**
* Gets a reference to the 'Vue' object.
*/
DataFlow::SourceNode vue() { result = vueLibrary().getAnImmediateUse() }
DataFlow::SourceNode vue() { result = vueLibrary().asSource() }
/** Gets an API node referring to a component or `Vue`. */
private API::Node component() {
@@ -176,8 +172,8 @@ module Vue {
/** Gets a component which is extended by this one. */
Component getABaseComponent() {
result.getComponentRef().getAUse() =
getOwnOptions().getMember(["extends", "mixins"]).getARhs()
result.getComponentRef().getAValueReachableFromSource() =
getOwnOptions().getMember(["extends", "mixins"]).asSink()
}
/**
@@ -195,12 +191,12 @@ module Vue {
}
/**
* DEPRECATED. Use `getOwnOptions().getARhs()`.
* DEPRECATED. Use `getOwnOptions().getASink()`.
*
* Gets the options passed to the Vue object, such as the object literal `{...}` in `new Vue{{...})`
* or the default export of a single-file component.
*/
deprecated DataFlow::Node getOwnOptionsObject() { result = getOwnOptions().getARhs() }
deprecated DataFlow::Node getOwnOptionsObject() { result = getOwnOptions().asSink() }
/**
* Gets the class implementing this Vue component, if any.
@@ -208,19 +204,19 @@ module Vue {
* Specifically, this is a class annotated with `@Component` which flows to the options
* object of this Vue component.
*/
ClassComponent getAsClassComponent() { result = getOwnOptions().getAValueReachingRhs() }
ClassComponent getAsClassComponent() { result = getOwnOptions().getAValueReachingSink() }
/**
* Gets the node for option `name` for this component, not including
* those from extended objects and mixins.
*/
DataFlow::Node getOwnOption(string name) { result = getOwnOptions().getMember(name).getARhs() }
DataFlow::Node getOwnOption(string name) { result = getOwnOptions().getMember(name).asSink() }
/**
* Gets the node for option `name` for this component, including those from
* extended objects and mixins.
*/
DataFlow::Node getOption(string name) { result = getOptions().getMember(name).getARhs() }
DataFlow::Node getOption(string name) { result = getOptions().getMember(name).asSink() }
/**
* Gets a source node flowing into the option `name` of this component, including those from
@@ -228,7 +224,7 @@ module Vue {
*/
pragma[nomagic]
DataFlow::SourceNode getOptionSource(string name) {
result = getOptions().getMember(name).getAValueReachingRhs()
result = getOptions().getMember(name).getAValueReachingSink()
}
/**
@@ -289,7 +285,7 @@ module Vue {
DataFlow::FunctionNode getWatchHandler(string propName) {
exists(API::Node propWatch |
propWatch = getOptions().getMember("watch").getMember(propName) and
result = [propWatch, propWatch.getMember("handler")].getAValueReachingRhs()
result = [propWatch, propWatch.getMember("handler")].getAValueReachingSink()
)
}
@@ -322,16 +318,16 @@ module Vue {
* Gets a node for a function that will be invoked with `this` bound to this component.
*/
DataFlow::FunctionNode getABoundFunction() {
result = getOptions().getAMember+().getAValueReachingRhs()
result = getOptions().getAMember+().getAValueReachingSink()
or
result = getAsClassComponent().getAnInstanceMember()
}
/** Gets an API node referring to an instance of this component. */
API::Node getInstance() { result.getAnImmediateUse() = getABoundFunction().getReceiver() }
API::Node getInstance() { result.asSource() = getABoundFunction().getReceiver() }
/** Gets a data flow node referring to an instance of this component. */
DataFlow::SourceNode getAnInstanceRef() { result = getInstance().getAnImmediateUse() }
DataFlow::SourceNode getAnInstanceRef() { result = getInstance().asSource() }
pragma[noinline]
private DataFlow::PropWrite getAPropertyValueWrite(string name) {
@@ -484,14 +480,12 @@ module Vue {
private class VueFileImportEntryPoint extends API::EntryPoint {
VueFileImportEntryPoint() { this = "VueFileImportEntryPoint" }
override DataFlow::SourceNode getAUse() {
override DataFlow::SourceNode getASource() {
exists(Import imprt |
imprt.getImportedPath().resolve() instanceof VueFile and
result = imprt.getImportedModuleNode()
)
}
override DataFlow::Node getARhs() { none() }
}
/**
@@ -533,13 +527,13 @@ module Vue {
// of the .vue file.
exists(Import imprt |
imprt.getImportedPath().resolve() = file and
result.getAnImmediateUse() = imprt.getImportedModuleNode()
result.asSource() = imprt.getImportedModuleNode()
)
}
override API::Node getOwnOptions() {
// Use the entry point generated by `VueExportEntryPoint`
result.getARhs() = getModule().getDefaultOrBulkExport()
result.asSink() = getModule().getDefaultOrBulkExport()
}
override string toString() { result = file.toString() }
@@ -695,7 +689,7 @@ module Vue {
t.start() and
(
exists(API::Node router | router = API::moduleImport("vue-router") |
result = router.getInstance().getMember("currentRoute").getAnImmediateUse()
result = router.getInstance().getMember("currentRoute").asSource()
or
result =
router
@@ -703,17 +697,12 @@ module Vue {
.getMember(["beforeEach", "beforeResolve", "afterEach"])
.getParameter(0)
.getParameter([0, 1])
.getAnImmediateUse()
.asSource()
or
result =
router
.getParameter(0)
.getMember("scrollBehavior")
.getParameter([0, 1])
.getAnImmediateUse()
result = router.getParameter(0).getMember("scrollBehavior").getParameter([0, 1]).asSource()
)
or
result = routeConfig().getMember("beforeEnter").getParameter([0, 1]).getAnImmediateUse()
result = routeConfig().getMember("beforeEnter").getParameter([0, 1]).asSource()
or
exists(Component c |
result = c.getABoundFunction().getAFunctionValue().getReceiver().getAPropertyRead("$route")

45
javascript/ql/lib/semmle/javascript/frameworks/Vuex.qll
View File

@@ -75,7 +75,7 @@ module Vuex {
or
exists(API::CallNode call |
call = vuex().getMember("createNamespacedHelpers").getACall() and
namespace = call.getParameter(0).getAValueReachingRhs().getStringValue() + "/" and
namespace = call.getParameter(0).getAValueReachingSink().getStringValue() + "/" and
this = call.getReturn().getMember(helperName).getACall()
)
)
@@ -88,7 +88,8 @@ module Vuex {
pragma[noinline]
string getNamespace() {
getNumArgument() = 2 and
result = appendToNamespace(namespace, getParameter(0).getAValueReachingRhs().getStringValue())
result =
appendToNamespace(namespace, getParameter(0).getAValueReachingSink().getStringValue())
or
getNumArgument() = 1 and
result = namespace
@@ -99,28 +100,28 @@ module Vuex {
*/
predicate hasMapping(string localName, string storeName) {
// mapGetters('foo')
getLastParameter().getAValueReachingRhs().getStringValue() = localName and
getLastParameter().getAValueReachingSink().getStringValue() = localName and
storeName = getNamespace() + localName
or
// mapGetters(['foo', 'bar'])
getLastParameter().getUnknownMember().getAValueReachingRhs().getStringValue() = localName and
getLastParameter().getUnknownMember().getAValueReachingSink().getStringValue() = localName and
storeName = getNamespace() + localName
or
// mapGetters({foo: 'bar'})
storeName =
getNamespace() +
getLastParameter().getMember(localName).getAValueReachingRhs().getStringValue() and
getLastParameter().getMember(localName).getAValueReachingSink().getStringValue() and
localName != "*" // ignore special API graph member named "*"
}
/** Gets the Vue component in which the generated functions are installed. */
Vue::Component getVueComponent() {
exists(DataFlow::ObjectLiteralNode obj |
obj.getASpreadProperty() = getReturn().getAUse() and
result.getOwnOptions().getAMember().getARhs() = obj
obj.getASpreadProperty() = getReturn().getAValueReachableFromSource() and
result.getOwnOptions().getAMember().asSink() = obj
)
or
result.getOwnOptions().getAMember().getARhs() = this
result.getOwnOptions().getAMember().asSink() = this
}
}
@@ -146,7 +147,7 @@ module Vuex {
/** Gets a value that is returned by a getter registered with the given name. */
private DataFlow::Node getterPred(string name) {
exists(string prefix, string prop |
result = storeConfigObject(prefix).getMember("getters").getMember(prop).getReturn().getARhs() and
result = storeConfigObject(prefix).getMember("getters").getMember(prop).getReturn().asSink() and
name = prefix + prop
)
}
@@ -154,12 +155,12 @@ module Vuex {
/** Gets a property access that may receive the produced by a getter of the given name. */
private DataFlow::Node getterSucc(string name) {
exists(string prefix, string prop |
result = storeRef(prefix).getMember("getters").getMember(prop).getAnImmediateUse() and
result = storeRef(prefix).getMember("getters").getMember(prop).asSource() and
prop != "*" and
name = prefix + prop
)
or
result = getAMappedAccess("mapGetters", name).getAnImmediateUse()
result = getAMappedAccess("mapGetters", name).asSource()
}
/** Holds if `pred -> succ` is a step from a getter function to a relevant property access. */
@@ -212,19 +213,19 @@ module Vuex {
commitCall = commitLikeFunctionRef(kind, prefix).getACall()
|
// commit('name', payload)
name = prefix + commitCall.getParameter(0).getAValueReachingRhs().getStringValue() and
name = prefix + commitCall.getParameter(0).getAValueReachingSink().getStringValue() and
result = commitCall.getArgument(1)
or
// commit({type: 'name', ...<payload>...})
name =
prefix +
commitCall.getParameter(0).getMember("type").getAValueReachingRhs().getStringValue() and
commitCall.getParameter(0).getMember("type").getAValueReachingSink().getStringValue() and
result = commitCall.getArgument(0)
)
or
// this.name(payload)
// methods: {...mapMutations(['name'])} }
result = getAMappedAccess(getMapHelperForCommitKind(kind), name).getParameter(0).getARhs()
result = getAMappedAccess(getMapHelperForCommitKind(kind), name).getParameter(0).asSink()
}
/** Gets a node that refers the payload of a committed mutation with the given `name.` */
@@ -238,7 +239,7 @@ module Vuex {
.getMember(getStorePropForCommitKind(kind))
.getMember(prop)
.getParameter(1)
.getAnImmediateUse() and
.asSource() and
prop != "*" and
name = prefix + prop
)
@@ -293,19 +294,17 @@ module Vuex {
/** Gets a value that flows into the given access path of the state. */
DataFlow::Node stateMutationPred(string path) {
result = stateRefByAccessPath(path).getARhs()
result = stateRefByAccessPath(path).asSink()
or
exists(ExtendCall call, string base, string prop |
call.getDestinationOperand() = stateRefByAccessPath(base).getAUse() and
call.getDestinationOperand() = stateRefByAccessPath(base).getAValueReachableFromSource() and
result = call.getASourceOperand().getALocalSource().getAPropertyWrite(prop).getRhs() and
path = appendToNamespace(base, prop)
)
}
/** Gets a value that refers to the given access path of the state. */
DataFlow::Node stateMutationSucc(string path) {
result = stateRefByAccessPath(path).getAnImmediateUse()
}
DataFlow::Node stateMutationSucc(string path) { result = stateRefByAccessPath(path).asSource() }
/** Holds if `pred -> succ` is a step from state mutation to state access. */
predicate stateMutationStep(DataFlow::Node pred, DataFlow::Node succ) {
@@ -325,7 +324,7 @@ module Vuex {
exists(MapHelperCall call |
call.getHelperName() = "mapState" and
component = call.getVueComponent() and
result = call.getLastParameter().getMember(name).getReturn().getARhs()
result = call.getLastParameter().getMember(name).getReturn().asSink()
)
}
@@ -336,7 +335,7 @@ module Vuex {
predicate mapStateHelperStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(Vue::Component component, string name |
pred = mapStateHelperPred(component, name) and
succ = pragma[only_bind_out](component).getInstance().getMember(name).getAnImmediateUse()
succ = pragma[only_bind_out](component).getInstance().getMember(name).asSource()
)
}
@@ -378,7 +377,7 @@ module Vuex {
/** Gets a package that can be considered an entry point for a Vuex app. */
private PackageJson entryPointPackage() {
result = getPackageJson(storeRef().getAnImmediateUse().getFile())
result = getPackageJson(storeRef().asSource().getFile())
or
// Any package that imports a store-creating package is considered a potential entry point.
packageDependsOn(result, entryPointPackage())

8
javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll
View File

@@ -100,7 +100,7 @@ module XML {
}
override DataFlow::Node getAResult() {
result = [doc(), element(), attr()].getAnImmediateUse()
result = [doc(), element(), attr()].asSource()
or
result = element().getMember(["name", "text"]).getACall()
or
@@ -282,11 +282,7 @@ module XML {
override DataFlow::Node getAResult() {
result =
parser
.getReturn()
.getMember(any(string s | s.matches("on%")))
.getAParameter()
.getAnImmediateUse()
parser.getReturn().getMember(any(string s | s.matches("on%"))).getAParameter().asSource()
}
}

6
javascript/ql/lib/semmle/javascript/frameworks/data/ModelsAsData.qll
View File

@@ -26,7 +26,7 @@ import Shared::ModelOutput as ModelOutput
* A remote flow source originating from a CSV source row.
*/
private class RemoteFlowSourceFromCsv extends RemoteFlowSource {
RemoteFlowSourceFromCsv() { this = ModelOutput::getASourceNode("remote").getAnImmediateUse() }
RemoteFlowSourceFromCsv() { this = ModelOutput::getASourceNode("remote").asSource() }
override string getSourceType() { result = "Remote flow" }
}
@@ -37,8 +37,8 @@ private class RemoteFlowSourceFromCsv extends RemoteFlowSource {
private predicate summaryStepNodes(DataFlow::Node pred, DataFlow::Node succ, string kind) {
exists(API::Node predNode, API::Node succNode |
Specific::summaryStep(predNode, succNode, kind) and
pred = predNode.getARhs() and
succ = succNode.getAnImmediateUse()
pred = predNode.asSink() and
succ = succNode.asSource()
)
}

2
javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
View File

@@ -299,7 +299,7 @@ private class AccessPathRange extends AccessPath::Range {
bindingset[token]
API::Node getSuccessorFromNode(API::Node node, AccessPathToken token) {
// API graphs use the same label for arguments and parameters. An edge originating from a
// use-node represents be an argument, and an edge originating from a def-node represents a parameter.
// use-node represents an argument, and an edge originating from a def-node represents a parameter.
// We just map both to the same thing.
token.getName() = ["Argument", "Parameter"] and
result = node.getParameter(AccessPath::parseIntUnbounded(token.getAnArgument()))

6
javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll
View File

@@ -61,9 +61,7 @@ private class GlobalApiEntryPoint extends API::EntryPoint {
this = "GlobalApiEntryPoint:" + global
}
override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef(global) }
override DataFlow::Node getARhs() { none() }
override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef(global) }
/** Gets the name of the global variable. */
string getGlobal() { result = global }
@@ -151,7 +149,7 @@ API::Node getExtraSuccessorFromInvoke(API::InvokeNode node, AccessPathToken toke
or
token.getName() = "Argument" and
token.getAnArgument() = "this" and
result.getARhs() = node.(DataFlow::CallNode).getReceiver()
result.asSink() = node.(DataFlow::CallNode).getReceiver()
}
/**

2
javascript/ql/lib/semmle/javascript/heuristics/AdditionalSources.qll
View File

@@ -58,7 +58,7 @@ class RemoteServerResponse extends HeuristicSource, RemoteFlowSource {
*/
private class RemoteFlowSourceFromDBAccess extends RemoteFlowSource, HeuristicSource {
RemoteFlowSourceFromDBAccess() {
this = ModelOutput::getASourceNode("database-access-result").getAUse() or
this = ModelOutput::getASourceNode("database-access-result").getAValueReachableFromSource() or
exists(DatabaseAccess dba | this = dba.getAResult())
}

5
javascript/ql/lib/semmle/javascript/internal/CachedStages.qll
View File

@@ -176,6 +176,8 @@ module Stages {
exists(DataFlow::moduleImport(_))
or
exists(any(ReExportDeclaration d).getReExportedModule())
or
exists(any(Module m).getABulkExportedNode())
}
}
@@ -276,6 +278,9 @@ module Stages {
.getInstance()
.getReceiver()
.getPromisedError()
.getADecoratedClass()
.getADecoratedMember()
.getADecoratedParameter()
)
}
}

2
javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
View File

@@ -49,7 +49,7 @@ module DomBasedXss {
or
// A construction of a JSDOM object (server side DOM), where scripts are allowed.
exists(DataFlow::NewNode instance |
instance = API::moduleImport("jsdom").getMember("JSDOM").getInstance().getAnImmediateUse() and
instance = API::moduleImport("jsdom").getMember("JSDOM").getInstance().asSource() and
this = instance.getArgument(0) and
instance.getOptionArgument(1, "runScripts").mayHaveStringValue("dangerously")
)

2
javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssCustomizations.qll
View File

@@ -61,7 +61,7 @@ module ExceptionXss {
*/
private class JsonSchemaValidationError extends Source {
JsonSchemaValidationError() {
this = any(JsonSchema::Ajv::Instance i).getAValidationError().getAnImmediateUse()
this = any(JsonSchema::Ajv::Instance i).getAValidationError().asSource()
or
this = any(JsonSchema::Joi::JoiValidationErrorRead r).getAValidationResultAccess(_)
}

6
javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
View File

@@ -48,7 +48,7 @@ module ExternalApiUsedWithUntrustedData {
}
/** Holds if `node` corresponds to a deep object argument. */
private predicate isDeepObjectSink(API::Node node) { node.getARhs() instanceof DeepObjectSink }
private predicate isDeepObjectSink(API::Node node) { node.asSink() instanceof DeepObjectSink }
/**
* A sanitizer for data flowing to an external API.
@@ -165,9 +165,9 @@ module ExternalApiUsedWithUntrustedData {
not param = base.getReceiver()
|
result = param and
name = param.getAnImmediateUse().asExpr().(Parameter).getName()
name = param.asSource().asExpr().(Parameter).getName()
or
param.getAnImmediateUse().asExpr() instanceof DestructuringPattern and
param.asSource().asExpr() instanceof DestructuringPattern and
result = param.getMember(name)
)
}

2
javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
View File

@@ -74,7 +74,7 @@ module IndirectCommandInjection {
].getMember("parse").getACall()
or
// `require('commander').myCmdArgumentName`
this = commander().getAMember().getAnImmediateUse()
this = commander().getAMember().asSource()
or
// `require('commander').opt()` => `{a: ..., b: ...}`
this = commander().getMember("opts").getACall()

10
javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll
View File

@@ -152,9 +152,7 @@ abstract class RateLimitingMiddleware extends DataFlow::SourceNode {
* A rate limiter constructed using the `express-rate-limit` package.
*/
class ExpressRateLimit extends RateLimitingMiddleware {
ExpressRateLimit() {
this = API::moduleImport("express-rate-limit").getReturn().getAnImmediateUse()
}
ExpressRateLimit() { this = API::moduleImport("express-rate-limit").getReturn().asSource() }
}
/**
@@ -162,7 +160,7 @@ class ExpressRateLimit extends RateLimitingMiddleware {
*/
class BruteForceRateLimit extends RateLimitingMiddleware {
BruteForceRateLimit() {
this = API::moduleImport("express-brute").getInstance().getMember("prevent").getAnImmediateUse()
this = API::moduleImport("express-brute").getInstance().getMember("prevent").asSource()
}
}
@@ -174,7 +172,7 @@ class BruteForceRateLimit extends RateLimitingMiddleware {
*/
class RouteHandlerLimitedByExpressLimiter extends RateLimitingMiddleware {
RouteHandlerLimitedByExpressLimiter() {
this = API::moduleImport("express-limiter").getReturn().getReturn().getAnImmediateUse()
this = API::moduleImport("express-limiter").getReturn().getReturn().asSource()
}
override Routing::Node getRoutingNode() {
@@ -211,7 +209,7 @@ class RateLimiterFlexibleRateLimiter extends DataFlow::FunctionNode {
rateLimiterClass = API::moduleImport("rate-limiter-flexible").getMember(rateLimiterClassName) and
rateLimiterConsume = rateLimiterClass.getInstance().getMember("consume") and
request.getParameter() = getRouteHandlerParameter(this.getFunction(), "request") and
request.getAPropertyRead().flowsTo(rateLimiterConsume.getAParameter().getARhs())
request.getAPropertyRead().flowsTo(rateLimiterConsume.getAParameter().asSink())
)
}
}

6
javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll
View File

@@ -164,9 +164,7 @@ private class ExternalRemoteFlowSourceSpecEntryPoint extends API::EntryPoint {
string getName() { result = name }
override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef(name) }
override DataFlow::Node getARhs() { none() }
override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef(name) }
}
/**
@@ -175,7 +173,7 @@ private class ExternalRemoteFlowSourceSpecEntryPoint extends API::EntryPoint {
private class ExternalRemoteFlowSource extends RemoteFlowSource {
RemoteFlowSourceAccessPath ap;
ExternalRemoteFlowSource() { Stages::Taint::ref() and this = ap.resolve().getAnImmediateUse() }
ExternalRemoteFlowSource() { Stages::Taint::ref() and this = ap.resolve().asSource() }
override string getSourceType() { result = ap.getSourceType() }
}

2
javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
View File

@@ -51,7 +51,7 @@ module SqlInjection {
this = any(LdapJS::ClientCall call).getArgument(0)
or
// A search options object, which contains a filter and a baseDN.
this = any(LdapJS::SearchOptions opt).getARhs()
this = any(LdapJS::SearchOptions opt).asSink()
or
// A call to "parseDN", which parses a DN from a string.
this = LdapJS::ldapjs().getMember("parseDN").getACall().getArgument(0)

10
javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
View File

@@ -681,7 +681,7 @@ module TaintedPath {
.getMember(["pdf", "screenshot"])
.getParameter(0)
.getMember("path")
.getARhs()
.asSink()
}
}
@@ -702,7 +702,7 @@ module TaintedPath {
.getACall()
.getParameter(1)
.getMember("config")
.getARhs()
.asSink()
}
}
@@ -716,7 +716,7 @@ module TaintedPath {
.getMember(["readPackageAsync", "readPackageSync"])
.getParameter(0)
.getMember("cwd")
.getARhs()
.asSink()
}
}
@@ -726,8 +726,8 @@ module TaintedPath {
private class ShellCwdSink extends TaintedPath::Sink {
ShellCwdSink() {
exists(SystemCommandExecution sys, API::Node opts |
opts.getARhs() = sys.getOptionsArg() and // assuming that an API::Node exists here.
this = opts.getMember("cwd").getARhs()
opts.asSink() = sys.getOptionsArg() and // assuming that an API::Node exists here.
this = opts.getMember("cwd").asSink()
)
}
}

26
javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll
View File

@@ -27,4 +27,30 @@ class Configuration extends DataFlow::Configuration {
}
override predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) {
guard instanceof TypeOfTestBarrier or
guard instanceof IsArrayBarrier
}
}
private class TypeOfTestBarrier extends DataFlow::BarrierGuardNode, DataFlow::ValueNode {
override EqualityTest astNode;
TypeOfTestBarrier() { TaintTracking::isTypeofGuard(astNode, _, _) }
override predicate blocks(boolean outcome, Expr e) {
if TaintTracking::isTypeofGuard(astNode, e, ["string", "object"])
then outcome = [true, false] // separation between string/array removes type confusion in both branches
else outcome = astNode.getPolarity() // block flow to branch where value is neither string nor array
}
}
private class IsArrayBarrier extends DataFlow::BarrierGuardNode, DataFlow::CallNode {
IsArrayBarrier() { this = DataFlow::globalVarRef("Array").getAMemberCall("isArray").getACall() }
override predicate blocks(boolean outcome, Expr e) {
e = getArgument(0).asExpr() and
outcome = [true, false] // separation between string/array removes type confusion in both branches
}
}

3
javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
View File

@@ -208,8 +208,7 @@ module XssThroughDom {
exists(API::Node useForm |
useForm = API::moduleImport("react-hook-form").getMember("useForm").getReturn()
|
this =
useForm.getMember("handleSubmit").getParameter(0).getParameter(0).getAnImmediateUse()
this = useForm.getMember("handleSubmit").getParameter(0).getParameter(0).asSource()
or
this = useForm.getMember("getValues").getACall()
)

4
javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipCustomizations.qll
View File

@@ -103,7 +103,7 @@ module ZipSlip {
class JSZipFilesSource extends Source instanceof DynamicPropertyAccess::EnumeratedPropName {
JSZipFilesSource() {
super.getSourceObject() =
API::moduleImport("jszip").getInstance().getMember("files").getAnImmediateUse()
API::moduleImport("jszip").getInstance().getMember("files").asSource()
}
}
@@ -116,7 +116,7 @@ module ZipSlip {
.getMember(["forEach", "filter"])
.getParameter(0)
.getParameter(0)
.getAnImmediateUse()
.asSource()
}
}

2
javascript/ql/src/Declarations/UnusedProperty.ql
View File

@@ -27,6 +27,8 @@ predicate hasUnknownPropertyRead(LocalObject obj) {
or
exists(obj.getAPropertyRead("hasOwnProperty"))
or
obj.flowsTo(DataFlow::globalVarRef("Object").getAMemberCall("hasOwn").getArgument(0))
or
exists(obj.getAPropertyRead("propertyIsEnumerable"))
}

2
javascript/ql/src/Performance/PolynomialReDoS.qhelp
View File

@@ -71,7 +71,7 @@
</p>
<sample language="javascript">
^0\.\d+E?\d+$ // BAD
/^0\.\d+E?\d+$/.test(str) // BAD
</sample>
<p>

2
javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
View File

@@ -45,7 +45,7 @@ where
or
// the same thing, but with API-nodes if they happen to be available
exists(API::Node tlsInvk | tlsInvk.getAnInvocation() = tlsInvocation() |
disable.getRhs() = tlsInvk.getAParameter().getMember("rejectUnauthorized").getARhs()
disable.getRhs() = tlsInvk.getAParameter().getMember("rejectUnauthorized").asSink()
)
) and
disable.getRhs().(AnalyzedNode).getTheBooleanValue() = false

2
javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
View File

@@ -143,7 +143,7 @@ API::CallNode passportAuthenticateCall() {
*/
API::CallNode nonSessionBasedAuthMiddleware() {
result = passportAuthenticateCall() and
result.getParameter(1).getMember("session").getARhs().mayHaveBooleanValue(false)
result.getParameter(1).getMember("session").asSink().mayHaveBooleanValue(false)
}
/**

9
javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
View File

@@ -339,19 +339,16 @@ class AllowListEqualityGuard extends DataFlow::LabeledBarrierGuardNode, ValueNod
* but the destination object generally doesn't. It is therefore only a sanitizer when
* used on the destination object.
*/
class HasOwnPropertyGuard extends DataFlow::BarrierGuardNode, CallNode {
class HasOwnPropertyGuard extends DataFlow::BarrierGuardNode instanceof HasOwnPropertyCall {
HasOwnPropertyGuard() {
// Make sure we handle reflective calls since libraries love to do that.
getCalleeNode().getALocalSource().(DataFlow::PropRead).getPropertyName() = "hasOwnProperty" and
exists(getReceiver()) and
// Try to avoid `src.hasOwnProperty` by requiring that the receiver
// does not locally have its properties enumerated. Typically there is no
// reason to enumerate the properties of the destination object.
not arePropertiesEnumerated(getReceiver().getALocalSource())
not arePropertiesEnumerated(super.getObject().getALocalSource())
}
override predicate blocks(boolean outcome, Expr e) {
e = getArgument(0).asExpr() and outcome = true
e = super.getProperty().asExpr() and outcome = true
}
}

2
javascript/ql/src/meta/ApiGraphs/ApiGraphRhsNodes.ql
View File

@@ -12,4 +12,4 @@
import javascript
import meta.MetaMetrics
select projectRoot(), count(any(API::Node nd).getARhs())
select projectRoot(), count(any(API::Node nd).asSink())

2
javascript/ql/src/meta/ApiGraphs/ApiGraphUseNodes.ql
View File

@@ -11,4 +11,4 @@
import javascript
import meta.MetaMetrics
select projectRoot(), count(any(API::Node nd).getAUse())
select projectRoot(), count(any(API::Node nd).getAValueReachableFromSource())

Some files were not shown because too many files have changed in this diff Show More