Merge pull request #2988 from asger-semmle/js/autoformat-again-again

Approved by esbena
2026-04-29 02:35:15 +02:00 · 2020-03-04 21:20:52 +00:00
parent c6e3d8df49 53569453ba
commit 98034aaa53
6 changed files with 23 additions and 27 deletions
--- a/javascript/ql/src/Declarations/UnreachableMethodOverloads.ql
+++ b/javascript/ql/src/Declarations/UnreachableMethodOverloads.ql
@@ -105,7 +105,8 @@ predicate signaturesMatch(MethodSignature method, MethodSignature other) {
    not exists(method.getBody().getThisTypeAnnotation()) and
    not exists(other.getBody().getThisTypeAnnotation())
    or
-    method.getBody().getThisTypeAnnotation().getType() = other.getBody().getThisTypeAnnotation().getType()
+    method.getBody().getThisTypeAnnotation().getType() =
+      other.getBody().getThisTypeAnnotation().getType()
  ) and
  // The types are compared in matchingCallSignature. This is sanity-check that the textual representation of the type-annotations are somewhat similar.
  forall(int i | i in [0 .. -1 + method.getBody().getNumParameter()] |
--- a/javascript/ql/src/semmle/javascript/StringOps.qll
+++ b/javascript/ql/src/semmle/javascript/StringOps.qll
@@ -67,7 +67,7 @@ module StringOps {
        inner.getEnclosingExpr() = callee.getAReturnedExpr() and
        this.getACallee() = callee and
        count(this.getACallee()) = 1 and
-        count(callee.getAReturnedExpr()) = 1 and 
+        count(callee.getAReturnedExpr()) = 1 and
        not this.isImprecise() and
        inner.getBaseString().getALocalSource().getEnclosingExpr() = callee.getAParameter() and
        inner.getSubstring().getALocalSource().getEnclosingExpr() = callee.getAParameter()
@@ -298,7 +298,7 @@ module StringOps {
        inner.getEnclosingExpr() = callee.getAReturnedExpr() and
        this.getACallee() = callee and
        count(this.getACallee()) = 1 and
-        count(callee.getAReturnedExpr()) = 1 and 
+        count(callee.getAReturnedExpr()) = 1 and
        not this.isImprecise() and
        inner.getBaseString().getALocalSource().getEnclosingExpr() = callee.getAParameter() and
        inner.getSubstring().getALocalSource().getEnclosingExpr() = callee.getAParameter()
@@ -321,7 +321,6 @@ module StringOps {
      override boolean getPolarity() { result = inner.getPolarity() }
    }

-
    /**
     * A call of form `A.endsWith(B)`.
     */
--- a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -633,18 +633,19 @@ module NodeJSLib {
      result = getArgument(1)
    }

-    override predicate isSync() {
-      "Sync" = methodName.suffix(methodName.length() - 4)
-    }
+    override predicate isSync() { "Sync" = methodName.suffix(methodName.length() - 4) }

    override DataFlow::Node getOptionsArg() {
      not result.getALocalSource() instanceof DataFlow::FunctionNode and // looks like callback
      not result.getALocalSource() instanceof DataFlow::ArrayCreationNode and // looks like argumentlist
      not result = getArgument(0) and
      // fork/spawn and all sync methos always has options as the last argument
-      if methodName.regexpMatch("fork.*") or methodName.regexpMatch("spawn.*") or methodName.regexpMatch(".*Sync") then
-        result = getLastArgument()
-      else 
+      if
+        methodName.regexpMatch("fork.*") or
+        methodName.regexpMatch("spawn.*") or
+        methodName.regexpMatch(".*Sync")
+      then result = getLastArgument()
+      else
        // the rest (exec/execFile) has the options argument as their second last.
        result = getArgument(this.getNumArgument() - 2)
    }
--- a/javascript/ql/src/semmle/javascript/frameworks/ShellJS.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ShellJS.qll
@@ -161,7 +161,7 @@ module ShellJS {

    override predicate isShellInterpreted(DataFlow::Node arg) { arg = getACommandArgument() }

-    override predicate isSync() {none ()}
+    override predicate isSync() { none() }

    override DataFlow::Node getOptionsArg() {
      result = getLastArgument() and
--- a/javascript/ql/src/semmle/javascript/security/UselessUseOfCat.qll
+++ b/javascript/ql/src/semmle/javascript/security/UselessUseOfCat.qll
@@ -23,7 +23,9 @@ private class CommandCall extends DataFlow::InvokeNode {
  /**
   * Gets a list that specifies the arguments given to the command.
   */
-  DataFlow::ArrayCreationNode getArgumentList() { result = command.getArgumentList().getALocalSource() }
+  DataFlow::ArrayCreationNode getArgumentList() {
+    result = command.getArgumentList().getALocalSource()
+  }

  /**
   * Gets the callback (if it exists) for an async `exec`-like call.
@@ -75,8 +77,8 @@ private class CommandCall extends DataFlow::InvokeNode {
 }

 /**
- * Holds if the input `str` contains some character that might be interpreted in a non-trivial way by a shell. 
- */ 
+ * Holds if the input `str` contains some character that might be interpreted in a non-trivial way by a shell.
+ */
 bindingset[str]
 private predicate containsNonTrivialShellChar(string str) {
  exists(str.regexpFind("\\*|\\||>|<| |\\$|&|,|\\`| |;", _, _))
@@ -142,9 +144,7 @@ class UselessCat extends CommandCall {
 /**
 * Gets a string used to call `cat`.
 */
-private string getACatExecuteable() {
-  result = "cat" or result = "/bin/cat"
-}
+private string getACatExecuteable() { result = "cat" or result = "/bin/cat" }

 /**
 * Predicates for creating an equivalent call to `fs.readFile` from a command execution of `cat`.
@@ -173,11 +173,10 @@ module PrettyPrintCatCall {
        callback = "" and not exists(cat.getCallback())
      ) and
      fileArg = createFileArgument(cat).trim() and
-     // sanity check in case of surprising `toString` results, other uses of `containsNonTrivialBashChar` should ensure that this conjunct will hold most of the time
-      not(containsNonTrivialShellChar(fileArg.regexpReplaceAll("\\$|\\`| ", ""))) // string concat might contain " ", template strings might contain "$" or `, and that is OK. 
+      // sanity check in case of surprising `toString` results, other uses of `containsNonTrivialBashChar` should ensure that this conjunct will hold most of the time
+      not containsNonTrivialShellChar(fileArg.regexpReplaceAll("\\$|\\`| ", "")) // string concat might contain " ", template strings might contain "$" or `, and that is OK.
    |
-      result =
-        "fs.readFile" + sync + "(" + fileArg + extraArg + callback + ")"
+      result = "fs.readFile" + sync + "(" + fileArg + extraArg + callback + ")"
    )
  }

--- a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat.ql
@@ -19,10 +19,6 @@ select msg, comment

 query string readFile(UselessCat cat) { result = PrettyPrintCatCall::createReadFileCall(cat) }

-query SystemCommandExecution syncCommand() {
-  result.isSync()	
-}
+query SystemCommandExecution syncCommand() { result.isSync() }

-query DataFlow::Node options(SystemCommandExecution sys) {
-  result = sys.getOptionsArg()
-}
+query DataFlow::Node options(SystemCommandExecution sys) { result = sys.getOptionsArg() }