JS: tweak global flow for closure modules

2026-04-30 11:15:13 +02:00 · 2019-02-15 12:05:35 +00:00
parent 5502627242
commit 8c96f5f037
2 changed files with 18 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll
@@ -47,6 +47,12 @@ class AnalyzedNode extends DataFlow::Node {
   */
  AnalyzedNode localFlowPred() { result = getAPredecessor() }

+  /**
+   * Gets another data flow node whose value flows into this node in a global step
+   * (this is, involvign global variables).
+   */
+  AnalyzedNode globalFlowPred() { none() }
+
  /**
   * Gets an abstract value that this node may evaluate to at runtime.
   *
@@ -57,7 +63,9 @@ class AnalyzedNode extends DataFlow::Node {
   * instances is also performed.
   */
  cached
-  AbstractValue getAValue() { result = getALocalValue() }
+  AbstractValue getAValue() {
+    result = getALocalValue()
+  }

  /**
   * INTERNAL: Do not use.
@@ -82,6 +90,9 @@ class AnalyzedNode extends DataFlow::Node {
    exists(DataFlow::Incompleteness cause |
      isIncomplete(cause) and result = TIndefiniteAbstractValue(cause)
    )
+    or
+    result = globalFlowPred().getALocalValue() and
+    shouldTrackGlobally(result)
  }

  /** Gets a type inferred for this node. */
@@ -282,3 +293,8 @@ private class AnalyzedAsyncFunction extends AnalyzedFunction {

  override AbstractValue getAReturnValue() { result = TAbstractOtherObject() }
 }
+
+/**
+ * Holds if the given value should be propagated along `globalFlowPred()` edges.
+ */
+private predicate shouldTrackGlobally(AbstractValue value) { value instanceof AbstractCallable }
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll
@@ -360,13 +360,11 @@ private class AnalyzedClosureGlobalAccessPath extends AnalyzedNode, AnalyzedProp

  AnalyzedClosureGlobalAccessPath() { accessPath = Closure::getLibraryAccessPath(this) }

-  override AnalyzedNode localFlowPred() {
+  override AnalyzedNode globalFlowPred() {
    exists(DataFlow::PropWrite write |
      Closure::getWrittenLibraryAccessPath(write) = accessPath and
      result = write.getRhs()
    )
-    or
-    result = AnalyzedNode.super.localFlowPred()
  }

  override predicate reads(AbstractValue base, string propName) {