Merge pull request #20375 from asgerf/js/promise-try

JS: Support Promise.try and Array.prototype.with
2026-05-05 05:35:13 +02:00 · 2025-09-16 14:44:07 +02:00
parent eac8a79d49 edf79a3730
commit 7670a2bd77
6 changed files with 110 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll
@@ -544,6 +544,25 @@ class ToSpliced extends SummarizedCallable {
  }
 }

+class With extends SummarizedCallable {
+  With() { this = "Array#with" }
+
+  override InstanceCall getACallSimple() { result.getMethodName() = "with" }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    preservesValue = true and
+    (
+      // Copy all elements from the original array to the new array
+      input = "Argument[this].WithArrayElement" and
+      output = "ReturnValue"
+      or
+      // Replace the value at the specified index
+      input = "Argument[1]" and
+      output = "ReturnValue.ArrayElement"
+    )
+  }
+}
+
 class ArrayCoercionPackage extends FunctionalPackageSummary {
  ArrayCoercionPackage() { this = "ArrayCoercionPackage" }

--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/FlowSummaryUtil.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/FlowSummaryUtil.qll
@@ -49,3 +49,10 @@ string getAnArrayContent() {
  // Values stored at an unknown index
  result = "ArrayElement[?]"
 }
+
+/**
+ * Gets an argument position up to a certain limit.
+ *
+ * This can be used to generate flow summaries that should preserve such positions.
+ */
+int getAnArgumentPosition() { result = [0 .. 10] }
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Promises.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Promises.qll
@@ -368,3 +368,29 @@ private class PromiseWithResolversLike extends SummarizedCallable {
    )
  }
 }
+
+class PromiseTry extends DataFlow::SummarizedCallable {
+  PromiseTry() { this = "Promise.try()" }
+
+  override DataFlow::CallNode getACallSimple() {
+    result = promiseConstructorRef().getAMemberCall(["try", "attempt"])
+    or
+    result = DataFlow::moduleImport(["p-try", "es6-promise-try"]).getACall()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    preservesValue = true and
+    (
+      exists(int i | i = getAnArgumentPosition() |
+        input = "Argument[" + (i + 1) + "]" and
+        output = "Argument[0].Parameter[" + i + "]"
+      )
+      or
+      input = "Argument[0].ReturnValue" and
+      output = "ReturnValue.Awaited"
+      or
+      input = "Argument[0].ReturnValue[exception]" and
+      output = "ReturnValue.Awaited[error]"
+    )
+  }
+}