Merge remote-tracking branch 'upstream/master' into XssDom

2026-05-09 15:41:36 +02:00 · 2020-04-22 10:20:40 +02:00
parent 76503d3536 1b88c97688
commit 8811455d49
109 changed files with 4820 additions and 399 deletions
--- a/javascript/ql/src/semmle/javascript/AST.qll
+++ b/javascript/ql/src/semmle/javascript/AST.qll
@@ -125,6 +125,42 @@ class ASTNode extends @ast_node, Locatable {
  /** Holds if this syntactic entity belongs to an externs file. */
  predicate inExternsFile() { getTopLevel().isExterns() }

+  /**
+   * Holds if this is an ambient node that is not a `TypeExpr` and is not inside a `.d.ts` file
+   *
+   * Since the overwhelming majority of ambient nodes are `TypeExpr` or inside `.d.ts` files,
+   * we avoid caching them.
+   */
+  cached
+  private predicate isAmbientInternal() {
+    getParent().isAmbientInternal()
+    or
+    not isAmbientTopLevel(getTopLevel()) and
+    (
+      this instanceof ExternalModuleDeclaration
+      or
+      this instanceof GlobalAugmentationDeclaration
+      or
+      this instanceof ExportAsNamespaceDeclaration
+      or
+      this instanceof TypeAliasDeclaration
+      or
+      this instanceof InterfaceDeclaration
+      or
+      hasDeclareKeyword(this)
+      or
+      hasTypeKeyword(this)
+      or
+      // An export such as `export declare function f()` should be seen as ambient.
+      hasDeclareKeyword(this.(ExportNamedDeclaration).getOperand())
+      or
+      exists(Function f |
+        this = f and
+        not f.hasBody()
+      )
+    )
+  }
+
  /**
   * Holds if this is part of an ambient declaration or type annotation in a TypeScript file.
   *
@@ -134,9 +170,22 @@ class ASTNode extends @ast_node, Locatable {
   * The TypeScript compiler emits no code for ambient declarations, but they
   * can affect name resolution and type checking at compile-time.
   */
-  predicate isAmbient() { getParent().isAmbient() }
+  pragma[inline]
+  predicate isAmbient() {
+    isAmbientInternal()
+    or
+    isAmbientTopLevel(getTopLevel())
+    or
+    this instanceof TypeExpr
+  }
 }

+/**
+ * Holds if the given file is a `.d.ts` file.
+ */
+cached
+private predicate isAmbientTopLevel(TopLevel tl) { tl.getFile().getBaseName().matches("%.d.ts") }
+
 /**
 * A toplevel syntactic unit; that is, a stand-alone script, an inline script
 * embedded in an HTML `<script>` tag, a code snippet assigned to an HTML event
@@ -197,11 +246,6 @@ class TopLevel extends @toplevel, StmtContainer {
  override ControlFlowNode getFirstControlFlowNode() { result = getEntry() }

  override string toString() { result = "<toplevel>" }
-
-  override predicate isAmbient() {
-    getFile().getFileType().isTypeScript() and
-    getFile().getBaseName().matches("%.d.ts")
-  }
 }

 /**
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -96,10 +96,55 @@ module ArrayTaintTracking {
 * Classes and predicates for modelling data-flow for arrays.
 */
 private module ArrayDataFlow {
+  private import DataFlow::PseudoProperties
+
  /**
-   * Gets a pseudo-field representing an element inside an array.
+   * A step modelling the creation of an Array using the `Array.from(x)` method.
+   * The step copies the elements of the argument (set, array, or iterator elements) into the resulting array.
   */
-  private string arrayElement() { result = "$arrayElement$" }
+  private class ArrayFrom extends DataFlow::AdditionalFlowStep, DataFlow::CallNode {
+    ArrayFrom() { this = DataFlow::globalVarRef("Array").getAMemberCall("from") }
+
+    override predicate loadStoreStep(
+      DataFlow::Node pred, DataFlow::Node succ, string fromProp, string toProp
+    ) {
+      pred = this.getArgument(0) and
+      succ = this and
+      fromProp = arrayLikeElement() and
+      toProp = arrayElement()
+    }
+  }
+
+  /**
+   * A step modelling an array copy where the spread operator is used.
+   * The result is essentially array concatenation.
+   *
+   * Such a step can occur both with the `push` and `unshift` methods, or when creating a new array.
+   */
+  private class ArrayCopySpread extends DataFlow::AdditionalFlowStep {
+    DataFlow::Node spreadArgument; // the spread argument containing the elements to be copied.
+    DataFlow::Node base; // the object where the elements should be copied to.
+
+    ArrayCopySpread() {
+      exists(DataFlow::MethodCallNode mcn | mcn = this |
+        mcn.getMethodName() = ["push", "unshift"] and
+        spreadArgument = mcn.getASpreadArgument() and
+        base = mcn.getReceiver().getALocalSource()
+      )
+      or
+      spreadArgument = this.(DataFlow::ArrayCreationNode).getASpreadArgument() and
+      base = this
+    }
+
+    override predicate loadStoreStep(
+      DataFlow::Node pred, DataFlow::Node succ, string fromProp, string toProp
+    ) {
+      pred = spreadArgument and
+      succ = base and
+      fromProp = arrayLikeElement() and
+      toProp = arrayElement()
+    }
+  }

  /**
   * A step for storing an element on an array using `arr.push(e)` or `arr.unshift(e)`.
@@ -110,10 +155,10 @@ private module ArrayDataFlow {
      this.getMethodName() = "unshift"
    }

-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      prop = arrayElement() and
-      (element = this.getAnArgument() or element = this.getASpreadArgument()) and
-      obj = this.getReceiver().getALocalSource()
+      element = this.getAnArgument() and
+      obj.getAMethodCall() = this
    }
  }

@@ -143,10 +188,10 @@ private module ArrayDataFlow {
      element = this
    }

-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      prop = arrayElement() and
      element = this.(DataFlow::PropWrite).getRhs() and
-      this = obj.(DataFlow::SourceNode).getAPropertyWrite()
+      this = obj.getAPropertyWrite()
    }
  }

@@ -189,7 +234,7 @@ private module ArrayDataFlow {
      element = getCallback(0).getParameter(0)
    }

-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      this.getMethodName() = "map" and
      prop = arrayElement() and
      element = this.getCallback(0).getAReturn() and
@@ -209,7 +254,7 @@ private module ArrayDataFlow {
  private class ArrayCreationStep extends DataFlow::AdditionalFlowStep, DataFlow::Node {
    ArrayCreationStep() { this instanceof DataFlow::ArrayCreationNode }

-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      prop = arrayElement() and
      element = this.(DataFlow::ArrayCreationNode).getAnElement() and
      obj = this
@@ -223,10 +268,10 @@ private module ArrayDataFlow {
  private class ArraySpliceStep extends DataFlow::AdditionalFlowStep, DataFlow::MethodCallNode {
    ArraySpliceStep() { this.getMethodName() = "splice" }

-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
      prop = arrayElement() and
      element = getArgument(2) and
-      obj = this.getReceiver().getALocalSource()
+      this = obj.getAMethodCall()
    }
  }

@@ -260,4 +305,20 @@ private module ArrayDataFlow {
      succ = this
    }
  }
+
+  /**
+   * A step for modelling `for of` iteration on arrays.
+   */
+  private class ForOfStep extends DataFlow::AdditionalFlowStep, DataFlow::ValueNode {
+    ForOfStmt forOf;
+    DataFlow::Node element;
+
+    ForOfStep() { this.asExpr() = forOf.getIterationDomain() }
+
+    override predicate loadStep(DataFlow::Node obj, DataFlow::Node e, string prop) {
+      obj = this and
+      e = DataFlow::lvalueNode(forOf.getLValue()) and
+      prop = arrayElement()
+    }
+  }
 }
--- a/javascript/ql/src/semmle/javascript/Classes.qll
+++ b/javascript/ql/src/semmle/javascript/Classes.qll
@@ -1059,12 +1059,6 @@ class FieldDeclaration extends MemberDeclaration, @field {

  /** Holds if this is a TypeScript field marked as definitely assigned with the `!` operator. */
  predicate hasDefiniteAssignmentAssertion() { hasDefiniteAssignmentAssertion(this) }
-
-  override predicate isAmbient() {
-    hasDeclareKeyword(this)
-    or
-    getParent().isAmbient()
-  }
 }

 /**
--- a/javascript/ql/src/semmle/javascript/Collections.qll
+++ b/javascript/ql/src/semmle/javascript/Collections.qll
@@ -0,0 +1,278 @@
+/**
+ * Provides predicates and classes for working with the standard library collection implementations.
+ * Currently [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) and
+ * [Set](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Set) are implemented.
+ */
+
+import javascript
+private import semmle.javascript.dataflow.internal.StepSummary
+private import DataFlow::PseudoProperties
+
+/**
+ * A pseudo-property used in a data-flow/type-tracking step for collections.
+ *
+ * By extending `TypeTrackingPseudoProperty` the class enables the use of the collection related pseudo-properties in type-tracking predicates.
+ */
+private class PseudoProperty extends TypeTrackingPseudoProperty {
+  PseudoProperty() {
+    this = [arrayLikeElement(), "1"] or // the "1" is required for the `ForOfStep`.
+    this = any(CollectionDataFlow::MapSet step).getAPseudoProperty()
+  }
+
+  override PseudoProperty getLoadStoreToProp() {
+    exists(CollectionFlowStep step | step.loadStore(_, _, this, result))
+  }
+}
+
+/**
+ * An `AdditionalFlowStep` used to model a data-flow step related to standard library collections.
+ *
+ * The `loadStep`/`storeStep`/`loadStoreStep` methods are overloaded such that the new predicates
+ * `load`/`store`/`loadStore` can be used in the `CollectionsTypeTracking` module.
+ * (Thereby avoiding naming conflicts with a "cousin" `AdditionalFlowStep` implementation.)
+ */
+abstract private class CollectionFlowStep extends DataFlow::AdditionalFlowStep {
+  final override predicate step(DataFlow::Node pred, DataFlow::Node succ) { none() }
+
+  final override predicate step(
+    DataFlow::Node p, DataFlow::Node s, DataFlow::FlowLabel pl, DataFlow::FlowLabel sl
+  ) {
+    none()
+  }
+
+  /**
+   * Holds if the property `prop` of the object `pred` should be loaded into `succ`.
+   */
+  predicate load(DataFlow::Node pred, DataFlow::Node succ, PseudoProperty prop) { none() }
+
+  final override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    this.load(pred, succ, prop)
+  }
+
+  /**
+   * Holds if `pred` should be stored in the object `succ` under the property `prop`.
+   */
+  predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, PseudoProperty prop) { none() }
+
+  final override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
+    this.store(pred, succ, prop)
+  }
+
+  /**
+   * Holds if the property `prop` should be copied from the object `pred` to the object `succ`.
+   */
+  predicate loadStore(DataFlow::Node pred, DataFlow::Node succ, PseudoProperty prop) { none() }
+
+  final override predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    this.loadStore(pred, succ, prop, prop)
+  }
+
+  /**
+   * Holds if the property `loadProp` should be copied from the object `pred` to the property `storeProp` of object `succ`.
+   */
+  predicate loadStore(
+    DataFlow::Node pred, DataFlow::Node succ, PseudoProperty loadProp, PseudoProperty storeProp
+  ) {
+    none()
+  }
+
+  final override predicate loadStoreStep(
+    DataFlow::Node pred, DataFlow::Node succ, string loadProp, string storeProp
+  ) {
+    this.loadStore(pred, succ, loadProp, storeProp)
+  }
+}
+
+/**
+ * Provides predicates and clases for type-tracking collections.
+ */
+module CollectionsTypeTracking {
+  /**
+   * Gets the result from a single step through a collection, from `pred` to `result` summarized by `summary`.
+   */
+  pragma[inline]
+  DataFlow::SourceNode collectionStep(DataFlow::Node pred, StepSummary summary) {
+    exists(CollectionFlowStep step, PseudoProperty field |
+      summary = LoadStep(field) and
+      step.load(pred, result, field) and
+      not field = mapValueUnknownKey() // prune unknown reads in type-tracking
+      or
+      summary = StoreStep(field) and
+      step.store(pred, result, field)
+      or
+      summary = CopyStep(field) and
+      step.loadStore(pred, result, field)
+      or
+      exists(PseudoProperty toField | summary = LoadStoreStep(field, toField) |
+        step.loadStore(pred, result, field, toField)
+      )
+    )
+  }
+
+  /**
+   * Gets the result from a single step through a collection, from `pred` with tracker `t2` to `result` with tracker `t`.
+   */
+  pragma[inline]
+  DataFlow::SourceNode collectionStep(
+    DataFlow::SourceNode pred, DataFlow::TypeTracker t, DataFlow::TypeTracker t2
+  ) {
+    exists(DataFlow::Node mid, StepSummary summary | pred.flowsTo(mid) and t = t2.append(summary) |
+      result = collectionStep(mid, summary)
+    )
+  }
+}
+
+/**
+ * A module for data-flow steps related standard library collection implementations.
+ */
+private module CollectionDataFlow {
+  /**
+   * A step for `Set.add()` method, which adds an element to a Set.
+   */
+  private class SetAdd extends CollectionFlowStep, DataFlow::MethodCallNode {
+    SetAdd() { this.getMethodName() = "add" }
+
+    override predicate store(DataFlow::Node element, DataFlow::SourceNode obj, PseudoProperty prop) {
+      this = obj.getAMethodCall() and
+      element = this.getArgument(0) and
+      prop = setElement()
+    }
+  }
+
+  /**
+   * A step for the `Set` constructor, which copies any elements from the first argument into the resulting set.
+   */
+  private class SetConstructor extends CollectionFlowStep, DataFlow::NewNode {
+    SetConstructor() { this = DataFlow::globalVarRef("Set").getAnInstantiation() }
+
+    override predicate loadStore(
+      DataFlow::Node pred, DataFlow::Node succ, PseudoProperty fromProp, PseudoProperty toProp
+    ) {
+      pred = this.getArgument(0) and
+      succ = this and
+      fromProp = arrayLikeElement() and
+      toProp = setElement()
+    }
+  }
+
+  /**
+   * A step for a `for of` statement on a Map, Set, or Iterator.
+   * For Sets and iterators the l-value are the elements of the set/iterator.
+   * For Maps the l-value is a tuple containing a key and a value.
+   */
+  // This is partially duplicated behavior with the `for of` step for Arrays (`ArrayDataFlow::ForOfStep`).
+  // This duplication is required for the type-tracking steps defined in `CollectionsTypeTracking`.
+  private class ForOfStep extends CollectionFlowStep, DataFlow::ValueNode {
+    ForOfStmt forOf;
+    DataFlow::Node element;
+
+    ForOfStep() {
+      this.asExpr() = forOf.getIterationDomain() and
+      element = DataFlow::lvalueNode(forOf.getLValue())
+    }
+
+    override predicate load(DataFlow::Node obj, DataFlow::Node e, PseudoProperty prop) {
+      obj = this and
+      e = element and
+      prop = arrayLikeElement()
+    }
+
+    override predicate loadStore(
+      DataFlow::Node pred, DataFlow::Node succ, PseudoProperty fromProp, PseudoProperty toProp
+    ) {
+      pred = this and
+      succ = element and
+      fromProp = mapValueAll() and
+      toProp = "1"
+    }
+  }
+
+  /**
+   * A step for a call to `forEach` on a Set or Map.
+   */
+  private class SetMapForEach extends CollectionFlowStep, DataFlow::MethodCallNode {
+    SetMapForEach() { this.getMethodName() = "forEach" }
+
+    override predicate load(DataFlow::Node obj, DataFlow::Node element, PseudoProperty prop) {
+      obj = this.getReceiver() and
+      element = this.getCallback(0).getParameter(0) and
+      prop = [setElement(), mapValueAll()]
+    }
+  }
+
+  /**
+   * A call to the `get` method on a Map.
+   * If the key of the call to `get` has a known string value, then only the value corresponding to that key will be retrieved. (The known string value is encoded as part of the pseudo-property)
+   */
+  private class MapGet extends CollectionFlowStep, DataFlow::MethodCallNode {
+    MapGet() { this.getMethodName() = "get" }
+
+    override predicate load(DataFlow::Node obj, DataFlow::Node element, PseudoProperty prop) {
+      obj = this.getReceiver() and
+      element = this and
+      // reading the join of known and unknown values
+      (prop = mapValue(this.getArgument(0)) or prop = mapValueUnknownKey())
+    }
+  }
+
+  /**
+   * A call to the `set` method on a Map.
+   *
+   * If the key of the call to `set` has a known string value,
+   * then the value will be stored into a pseudo-property corresponding to the known string value.
+   * Otherwise the value will be stored into a pseudo-property corresponding to values with unknown keys.
+   * The value will additionally be stored into a pseudo-property corresponding to all values.
+   */
+  class MapSet extends CollectionFlowStep, DataFlow::MethodCallNode {
+    MapSet() { this.getMethodName() = "set" }
+
+    override predicate store(DataFlow::Node element, DataFlow::SourceNode obj, PseudoProperty prop) {
+      this = obj.getAMethodCall() and
+      element = this.getArgument(1) and
+      prop = getAPseudoProperty()
+    }
+
+    /**
+     * Gets a pseudo-property used to store an element in a map.
+     * The pseudo-property represents both values where the key is a known string value (which is encoded in the pseudo-property),
+     * and values where the key is unknown.
+     *
+     * Additionally, all elements are stored into the pseudo-property `mapValueAll()`.
+     *
+     * The return-type is `string` as this predicate is used to define which pseudo-properties exist.
+     */
+    string getAPseudoProperty() { result = [mapValue(this.getArgument(0)), mapValueAll()] }
+  }
+
+  /**
+   * A step for a call to `values` on a Map or a Set.
+   */
+  private class MapAndSetValues extends CollectionFlowStep, DataFlow::MethodCallNode {
+    MapAndSetValues() { this.getMethodName() = "values" }
+
+    override predicate loadStore(
+      DataFlow::Node pred, DataFlow::Node succ, PseudoProperty fromProp, PseudoProperty toProp
+    ) {
+      pred = this.getReceiver() and
+      succ = this and
+      fromProp = [mapValueAll(), setElement()] and
+      toProp = iteratorElement()
+    }
+  }
+
+  /**
+   * A step for a call to `keys` on a Set.
+   */
+  private class SetKeys extends CollectionFlowStep, DataFlow::MethodCallNode {
+    SetKeys() { this.getMethodName() = "keys" }
+
+    override predicate loadStore(
+      DataFlow::Node pred, DataFlow::Node succ, PseudoProperty fromProp, PseudoProperty toProp
+    ) {
+      pred = this.getReceiver() and
+      succ = this and
+      fromProp = setElement() and
+      toProp = iteratorElement()
+    }
+  }
+}
--- a/javascript/ql/src/semmle/javascript/ES2015Modules.qll
+++ b/javascript/ql/src/semmle/javascript/ES2015Modules.qll
@@ -79,11 +79,6 @@ class ImportDeclaration extends Stmt, Import, @importdeclaration {

  /** Holds if this is declared with the `type` keyword, so it only imports types. */
  predicate isTypeOnly() { hasTypeKeyword(this) }
-
-  override predicate isAmbient() {
-    Stmt.super.isAmbient() or
-    isTypeOnly()
-  }
 }

 /** A literal path expression appearing in an `import` declaration. */
@@ -267,11 +262,6 @@ abstract class ExportDeclaration extends Stmt, @exportdeclaration {

  /** Holds if is declared with the `type` keyword, so only types are exported. */
  predicate isTypeOnly() { hasTypeKeyword(this) }
-
-  override predicate isAmbient() {
-    Stmt.super.isAmbient() or
-    isTypeOnly()
-  }
 }

 /**
@@ -422,11 +412,6 @@ class ExportNamedDeclaration extends ExportDeclaration, @exportnameddeclaration

  /** Gets an export specifier of this declaration. */
  ExportSpecifier getASpecifier() { result = getSpecifier(_) }
-
-  override predicate isAmbient() {
-    // An export such as `export declare function f()` should be seen as ambient.
-    hasDeclareKeyword(getOperand()) or getParent().isAmbient()
-  }
 }

 /**
--- a/javascript/ql/src/semmle/javascript/Functions.qll
+++ b/javascript/ql/src/semmle/javascript/Functions.qll
@@ -397,8 +397,6 @@ class Function extends @function, Parameterized, TypeParameterized, StmtContaine
   */
  predicate isAbstract() { exists(MethodDeclaration md | this = md.getBody() | md.isAbstract()) }

-  override predicate isAmbient() { getParent().isAmbient() or not hasBody() }
-
  /**
   * Holds if this function cannot be invoked using `new` because it
   * is of the given `kind`.
--- a/javascript/ql/src/semmle/javascript/Promises.qll
+++ b/javascript/ql/src/semmle/javascript/Promises.qll
@@ -176,7 +176,7 @@ module PromiseTypeTracking {
      summary = StoreStep(field) and
      step.store(pred, result, field)
      or
-      summary = LoadStoreStep(field) and
+      summary = CopyStep(field) and
      step.loadStore(pred, result, field)
    )
  }
@@ -232,9 +232,9 @@ abstract private class PromiseFlowStep extends DataFlow::AdditionalFlowStep {
  /**
   * Holds if `pred` should be stored in the object `succ` under the property `prop`.
   */
-  predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }

-  final override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+  final override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
    this.store(pred, succ, prop)
  }

@@ -246,6 +246,12 @@ abstract private class PromiseFlowStep extends DataFlow::AdditionalFlowStep {
  final override predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
    this.loadStore(pred, succ, prop)
  }
+
+  final override predicate loadStoreStep(
+    DataFlow::Node pred, DataFlow::Node succ, string loadProp, string storeProp
+  ) {
+    none()
+  }
 }

 /**
@@ -267,7 +273,7 @@ private module PromiseFlow {

    PromiseDefitionStep() { this = promise }

-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      prop = valueProp() and
      pred = promise.getResolveParameter().getACall().getArgument(0) and
      succ = this
@@ -296,7 +302,7 @@ private module PromiseFlow {

    CreationStep() { this = promise }

-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      prop = valueProp() and
      pred = promise.getValue() and
      succ = this
@@ -362,7 +368,7 @@ private module PromiseFlow {
      succ = this
    }

-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      prop = valueProp() and
      pred = getCallback([0 .. 1]).getAReturn() and
      succ = this
@@ -396,7 +402,7 @@ private module PromiseFlow {
      succ = this
    }

-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      prop = errorProp() and
      pred = getCallback(0).getExceptionalReturn() and
      succ = this
@@ -424,7 +430,7 @@ private module PromiseFlow {
      succ = this
    }

-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      prop = errorProp() and
      pred = getCallback(0).getExceptionalReturn() and
      succ = this
--- a/javascript/ql/src/semmle/javascript/Stmt.qll
+++ b/javascript/ql/src/semmle/javascript/Stmt.qll
@@ -54,8 +54,6 @@ class Stmt extends @stmt, ExprOrStmt, Documentable {
    getContainer().(Expr).getEnclosingStmt().nestedIn(outer)
  }

-  override predicate isAmbient() { hasDeclareKeyword(this) or getParent().isAmbient() }
-
  /**
   * Gets the `try` statement with a catch block containing this statement without
   * crossing function boundaries or other `try ` statements with catch blocks.
@@ -931,8 +929,6 @@ class DebuggerStmt extends @debuggerstmt, Stmt {
 */
 class FunctionDeclStmt extends @functiondeclstmt, Stmt, Function {
  override Stmt getEnclosingStmt() { result = this }
-
-  override predicate isAmbient() { Function.super.isAmbient() }
 }

 /**
--- a/javascript/ql/src/semmle/javascript/TypeScript.qll
+++ b/javascript/ql/src/semmle/javascript/TypeScript.qll
@@ -155,8 +155,6 @@ class ExternalModuleDeclaration extends Stmt, StmtContainer, @externalmoduledecl
  int getNumStmt() { result = count(getAStmt()) }

  override StmtContainer getEnclosingContainer() { result = this.getContainer() }
-
-  override predicate isAmbient() { any() }
 }

 /**
@@ -176,8 +174,6 @@ class GlobalAugmentationDeclaration extends Stmt, StmtContainer, @globalaugmenta
  int getNumStmt() { result = count(getAStmt()) }

  override StmtContainer getEnclosingContainer() { result = this.getContainer() }
-
-  override predicate isAmbient() { any() }
 }

 /** A TypeScript "import-equals" declaration. */
@@ -237,8 +233,6 @@ class ExportAsNamespaceDeclaration extends Stmt, @exportasnamespacedeclaration {
   * Gets the `X` in `export as namespace X`.
   */
  Identifier getIdentifier() { result = getChildExpr(0) }
-
-  override predicate isAmbient() { any() }
 }

 /**
@@ -259,8 +253,6 @@ class TypeAliasDeclaration extends @typealiasdeclaration, TypeParameterized, Stm

  override string describe() { result = "type alias " + getName() }

-  override predicate isAmbient() { any() }
-
  /**
   * Gets the canonical name of the type being defined.
   */
@@ -286,8 +278,6 @@ class InterfaceDeclaration extends Stmt, InterfaceDefinition, @interfacedeclarat

  override StmtContainer getContainer() { result = Stmt.super.getContainer() }

-  override predicate isAmbient() { any() }
-
  override string describe() { result = "interface " + getName() }

  /**
@@ -533,8 +523,6 @@ class LocalNamespaceName extends @local_namespace_name, LexicalName {
 class TypeExpr extends ExprOrType, @typeexpr, TypeAnnotation {
  override string toString() { typeexprs(this, _, _, _, result) }

-  override predicate isAmbient() { any() }
-
  /**
   * Gets the static type expressed by this type annotation.
   *
@@ -1410,8 +1398,6 @@ class EnumDeclaration extends NamespaceDefinition, @enumdeclaration, AST::ValueN
  /** Holds if this enumeration is declared with the `const` keyword. */
  predicate isConst() { isConstEnum(this) }

-  override predicate isAmbient() { hasDeclareKeyword(this) or getParent().isAmbient() }
-
  override ControlFlowNode getFirstControlFlowNode() { result = getIdentifier() }
 }

--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -244,8 +244,11 @@ abstract class Configuration extends string {
   * EXPERIMENTAL. This API may change in the future.
   *
   * Holds if `pred` should be stored in the object `succ` under the property `prop`.
+   * The object `succ` must be a `DataFlow::SourceNode` for the object wherein the value is stored.
   */
-  predicate isAdditionalStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate isAdditionalStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
+    none()
+  }

  /**
   * EXPERIMENTAL. This API may change in the future.
@@ -540,9 +543,10 @@ abstract class AdditionalFlowStep extends DataFlow::Node {
   * EXPERIMENTAL. This API may change in the future.
   *
   * Holds if `pred` should be stored in the object `succ` under the property `prop`.
+   * The object `succ` must be a `DataFlow::SourceNode` for the object wherein the value is stored.
   */
  cached
-  predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }

  /**
   * EXPERIMENTAL. This API may change in the future.
@@ -574,6 +578,71 @@ abstract class AdditionalFlowStep extends DataFlow::Node {
  }
 }

+/**
+ * A collection of pseudo-properties that are used in multiple files.
+ *
+ * A pseudo-property represents the location where some value is stored in an object.
+ *
+ * For use with load/store steps in `DataFlow::AdditionalFlowStep` and TypeTracking.
+ */
+module PseudoProperties {
+  bindingset[s]
+  private string pseudoProperty(string s) { result = "$" + s + "$" }
+
+  bindingset[s, v]
+  private string pseudoProperty(string s, string v) { result = "$" + s + "|" + v + "$" }
+
+  /**
+   * Gets a pseudo-property for the location of elements in a `Set`
+   */
+  string setElement() { result = pseudoProperty("setElement") }
+
+  /**
+   * Gets a pseudo-property for the location of elements in a JavaScript iterator.
+   */
+  string iteratorElement() { result = pseudoProperty("iteratorElement") }
+
+  /**
+   * Gets a pseudo-property for the location of elements in an `Array`.
+   */
+  string arrayElement() { result = pseudoProperty("arrayElement") }
+
+  /**
+   * Gets a pseudo-property for the location of elements in some array-like object. (Set, Array, or Iterator).
+   */
+  string arrayLikeElement() { result = [setElement(), iteratorElement(), arrayElement()] }
+
+  /**
+   * Gets a pseudo-property for the location of map values, where the key is unknown.
+   */
+  string mapValueUnknownKey() { result = pseudoProperty("mapValueUnknownKey") }
+
+  /**
+   * Gets a pseudo-property for the location of all the values in a map.
+   */
+  string mapValueAll() { result = pseudoProperty("allMapValues") }
+
+  /**
+   * Gets a pseudo-property for the location of a map value where the key is `key`.
+   * The string value of the `key` is encoded in the result, and there is only a result if the string value of `key` is known.
+   */
+  pragma[inline]
+  string mapValueKnownKey(DataFlow::Node key) {
+    result = pseudoProperty("mapValue", any(string s | key.mayHaveStringValue(s)))
+  }
+
+  /**
+   * Gets a pseudo-property for the location of a map value where the key is `key`.
+   */
+  pragma[inline]
+  string mapValue(DataFlow::Node key) {
+    result = mapValueKnownKey(key)
+    or
+    not exists(mapValueKnownKey(key)) and
+    result = mapValueUnknownKey()
+  }
+}
+
 /**
 * A data flow node that should be considered a source for some specific configuration,
 * in addition to any other sources that configuration may recognize.
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -620,6 +620,16 @@ class ArrayCreationNode extends DataFlow::ValueNode, DataFlow::SourceNode {
    result = this.(ArrayLiteralNode).getSize() or
    result = this.(ArrayConstructorInvokeNode).getSize()
  }
+
+  /**
+   * Gets a data flow node corresponding to an array of values being passed as
+   * individual arguments to this array creation.
+   */
+  DataFlow::Node getASpreadArgument() {
+    exists(SpreadElement arg | arg = getAnElement().getEnclosingExpr() |
+      result = DataFlow::valueNode(arg.getOperand())
+    )
+  }
 }

 /**
--- a/javascript/ql/src/semmle/javascript/dataflow/Sources.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Sources.qll
@@ -39,11 +39,7 @@ class SourceNode extends DataFlow::Node {
   * Holds if this node flows into `sink` in zero or more local (that is,
   * intra-procedural) steps.
   */
-  cached
-  predicate flowsTo(DataFlow::Node sink) {
-    sink = this or
-    flowsTo(sink.getAPredecessor())
-  }
+  predicate flowsTo(DataFlow::Node sink) { hasLocalSource(sink, this) }

  /**
   * Holds if this node flows into `sink` in zero or more local (that is,
@@ -195,6 +191,24 @@ class SourceNode extends DataFlow::Node {
  }
 }

+/**
+ * Holds if `source` is a `SourceNode` that can reach `sink` via local flow steps.
+ *
+ * The slightly backwards parametering ordering is to force correct indexing.
+ */
+cached
+private predicate hasLocalSource(DataFlow::Node sink, DataFlow::Node source) {
+  // Declaring `source` to be a `SourceNode` currently causes a redundant check in the
+  // recursive case, so instead we check it explicitly here.
+  source = sink and
+  source instanceof DataFlow::SourceNode
+  or
+  exists(DataFlow::Node mid |
+    hasLocalSource(mid, source) and
+    DataFlow::localFlowStep(mid, sink)
+  )
+}
+
 module SourceNode {
  /**
   * A data flow node that should be considered a source node.
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -603,15 +603,10 @@ module TaintTracking {
     * 3) A `URLSearchParams` object (either `url.searchParams` or `new URLSearchParams(input)`) has a tainted value,
     *    which can be accessed using a `get` or `getAll` call. (See getableUrlPseudoProperty())
     */
-    override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
      succ = this and
      (
-        (
-          prop = "searchParams" or
-          prop = "hash" or
-          prop = "search" or
-          prop = hiddenUrlPseudoProperty()
-        ) and
+        prop = ["searchParams", "hash", "search", hiddenUrlPseudoProperty()] and
        exists(DataFlow::NewNode newUrl | succ = newUrl |
          newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
          pred = newUrl.getArgument(0)
--- a/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll
@@ -53,7 +53,11 @@ class TypeTracker extends TTypeTracker {
  TypeTracker append(StepSummary step) {
    step = LevelStep() and result = this
    or
-    step = LoadStoreStep(prop) and result = this
+    exists(string toProp | step = LoadStoreStep(prop, toProp) |
+      result = MkTypeTracker(hasCall, toProp)
+    )
+    or
+    step = CopyStep(prop) and result = this
    or
    step = CallStep() and result = MkTypeTracker(true, prop)
    or
@@ -213,7 +217,11 @@ class TypeBackTracker extends TTypeBackTracker {
  TypeBackTracker prepend(StepSummary step) {
    step = LevelStep() and result = this
    or
-    step = LoadStoreStep(prop) and result = this
+    exists(string fromProp | step = LoadStoreStep(fromProp, prop) |
+      result = MkTypeBackTracker(hasReturn, fromProp)
+    )
+    or
+    step = CopyStep(prop) and result = this
    or
    step = CallStep() and hasReturn = false and result = this
    or
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll
@@ -24,6 +24,11 @@ class OptionalPropertyName extends string {
 abstract class TypeTrackingPseudoProperty extends string {
  bindingset[this]
  TypeTrackingPseudoProperty() { any() }
+
+  /**
+   * Gets a property name that `this` can be copied to in a `LoadStoreStep(this, result)`.
+   */
+  string getLoadStoreToProp() { none() }
 }

 /**
@@ -35,7 +40,10 @@ newtype TStepSummary =
  ReturnStep() or
  StoreStep(PropertyName prop) or
  LoadStep(PropertyName prop) or
-  LoadStoreStep(PropertyName prop)
+  CopyStep(PropertyName prop) or
+  LoadStoreStep(PropertyName fromProp, PropertyName toProp) {
+    exists(TypeTrackingPseudoProperty prop | fromProp = prop and toProp = prop.getLoadStoreToProp())
+  }

 /**
 * INTERNAL: Use `TypeTracker` or `TypeBackTracker` instead.
@@ -55,7 +63,11 @@ class StepSummary extends TStepSummary {
    or
    exists(string prop | this = LoadStep(prop) | result = "load " + prop)
    or
-    exists(string prop | this = LoadStoreStep(prop) | result = "in " + prop)
+    exists(string prop | this = CopyStep(prop) | result = "copy " + prop)
+    or
+    exists(string fromProp, string toProp | this = LoadStoreStep(fromProp, toProp) |
+      result = "load " + fromProp + " and store to " + toProp
+    )
  }
 }

--- a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -459,7 +459,7 @@ module NodeJSLib {
  private class NodeJSFileSystemAccess extends FileSystemAccess, DataFlow::CallNode {
    string methodName;

-    NodeJSFileSystemAccess() { this = fsModuleMember(methodName).getACall() }
+    NodeJSFileSystemAccess() { this = maybePromisified(fsModuleMember(methodName)).getACall() }

    /**
     * Gets the name of the called method.
@@ -586,6 +586,19 @@ module NodeJSLib {
    }
  }

+  /**
+   * Gets a possibly promisified (using `util.promisify`) version of the input `callback`.
+   */
+  private DataFlow::SourceNode maybePromisified(DataFlow::SourceNode callback) {
+    result = callback
+    or
+    exists(DataFlow::CallNode promisify |
+      promisify = DataFlow::moduleMember("util", "promisify").getACall()
+    |
+      result = promisify and promisify.getArgument(0).getALocalSource() = callback
+    )
+  }
+
  /**
   * A call to a method from module `child_process`.
   */
@@ -593,7 +606,7 @@ module NodeJSLib {
    string methodName;

    ChildProcessMethodCall() {
-      this = DataFlow::moduleMember("child_process", methodName).getACall()
+      this = maybePromisified(DataFlow::moduleMember("child_process", methodName)).getACall()
    }

    private DataFlow::Node getACommandArgument(boolean shell) {