JS: Parse mustache-style tags as expressions

2026-04-28 18:25:24 +02:00 · 2021-07-17 14:00:55 +02:00
parent d1c31db06f
commit a7cdf532fa
15 changed files with 867 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/Expr.qll
+++ b/javascript/ql/src/semmle/javascript/Expr.qll
@@ -2873,3 +2873,40 @@ class ImportMetaExpr extends @import_meta_expr, Expr {

  override string getAPrimaryQlClass() { result = "ImportMetaExpr" }
 }
+
+/**
+ * A placeholder for some code generated by a templating engine,
+ * speculatively parsed as an expression.
+ *
+ * For example, the right-hand side of the following assignments will each be parsed
+ * as `GeneratedNodeExpr` nodes:
+ * ```js
+ * let data1 = {{ user_data1 }};
+ * let data2 = {{{ user_data2 }}};
+ * ```
+ *
+ * Note that templating placeholders occuring inside strings literals are not parsed,
+ * and are simply seen as being part of the string literal.
+ * For example, following snippet does not contain any `GeneratedCodeExpr` nodes:
+ * ```js
+ * let data1 = "{{ user_data }}";
+ * ```
+ */
+class GeneratedCodeExpr extends @generated_code_expr, Expr {
+  /** Gets the opening delimiter, such as `{{` or `{{{`. */
+  string getOpeningDelimiter() {
+    generated_code_expr_info(this, result, _, _)
+  }
+
+  /** Gets the closing delimiter, such as `}}` or `}}}`. */
+  string getClosingDelimiter() {
+    generated_code_expr_info(this, _, result, _)
+  }
+
+  /** Gets the text between the delimiters, including any surrounding whitespace, such as the `x` in `{{x}}`. */
+  string getBody() {
+    generated_code_expr_info(this, _, _, result)
+  }
+
+  override string getAPrimaryQlClass() { result = "GeneratedCodeExpr" }
+}
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -1654,6 +1654,9 @@ module DataFlow {
      or
      (e instanceof AwaitExpr or e instanceof DynamicImportExpr) and
      cause = "await"
+      or
+      e instanceof GeneratedCodeExpr and
+      cause = "eval" // we use 'eval' here to represent code generation more broadly
    )
    or
    nd instanceof TExceptionalInvocationReturnNode and cause = "call"
--- a/javascript/ql/src/semmlecode.javascript.dbscheme
+++ b/javascript/ql/src/semmlecode.javascript.dbscheme
@@ -366,6 +366,7 @@ case @expr.kind of
 | 117 = @assignlogorexpr
 | 118 = @assignnullishcoalescingexpr
 | 119 = @angular_pipe_ref
+| 120 = @generated_code_expr
 ;

@varaccess = @proper_varaccess | @export_varaccess;
@@ -416,6 +417,13 @@ case @expr.kind of
@e4x_xml_attribute_selector = @e4x_xml_static_attribute_selector | @e4x_xml_dynamic_attribute_selector;
@e4x_xml_qualident = @e4x_xml_static_qualident | @e4x_xml_dynamic_qualident;

+generated_code_expr_info(
+  unique int expr: @generated_code_expr ref,
+  varchar(900) openingDelimiter: string ref,
+  varchar(900) closingDelimiter: string ref,
+  varchar(900) body: string ref
+);
+
 // scopes
 scopes (unique int id: @scope,
        int kind: int ref);