Merge pull request #975 from asger-semmle/global-closure-dataflow

Approved by esben-semmle
2026-04-28 10:15:14 +02:00 · 2019-02-26 13:57:39 +00:00
parent 9d7877907b f9111f68e9
commit 86e646beb4
2 changed files with 21 additions and 5 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll
@@ -47,6 +47,14 @@ class AnalyzedNode extends DataFlow::Node {
   */
  AnalyzedNode localFlowPred() { result = getAPredecessor() }

+  /**
+   * INTERNAL. Do not use.
+   *
+   * Gets another data flow node whose value flows into this node in a global step
+   * (this is, involving global variables).
+   */
+  AnalyzedNode globalFlowPred() { none() }
+
  /**
   * Gets an abstract value that this node may evaluate to at runtime.
   *
@@ -57,7 +65,9 @@ class AnalyzedNode extends DataFlow::Node {
   * instances is also performed.
   */
  cached
-  AbstractValue getAValue() { result = getALocalValue() }
+  AbstractValue getAValue() {
+    result = getALocalValue()
+  }

  /**
   * INTERNAL: Do not use.
@@ -68,7 +78,7 @@ class AnalyzedNode extends DataFlow::Node {
   * and global), IIFEs, ES6-style imports that can be resolved uniquely, and
   * the properties of CommonJS `module` and `exports` objects. No
   * tracking through the properties of object literals and function/class
-   * instances is performed.
+   * instances is performed, other than those accounted for by `globalFlowPred`.
   */
  cached
  AbstractValue getALocalValue() {
@@ -82,6 +92,9 @@ class AnalyzedNode extends DataFlow::Node {
    exists(DataFlow::Incompleteness cause |
      isIncomplete(cause) and result = TIndefiniteAbstractValue(cause)
    )
+    or
+    result = globalFlowPred().getALocalValue() and
+    shouldTrackGlobally(result)
  }

  /** Gets a type inferred for this node. */
@@ -282,3 +295,8 @@ private class AnalyzedAsyncFunction extends AnalyzedFunction {

  override AbstractValue getAReturnValue() { result = TAbstractOtherObject() }
 }
+
+/**
+ * Holds if the given value should be propagated along `globalFlowPred()` edges.
+ */
+private predicate shouldTrackGlobally(AbstractValue value) { value instanceof AbstractCallable }
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll
@@ -381,13 +381,11 @@ private class AnalyzedClosureGlobalAccessPath extends AnalyzedNode, AnalyzedProp
    accessPath = Closure::getClosureNamespaceFromSourceNode(this)
  }

-  override AnalyzedNode localFlowPred() {
+  override AnalyzedNode globalFlowPred() {
    exists(DataFlow::PropWrite write |
      Closure::getWrittenClosureNamespace(write) = accessPath and
      result = write.getRhs()
    )
-    or
-    result = AnalyzedNode.super.localFlowPred()
  }

  override predicate reads(AbstractValue base, string propName) {