Merge pull request #3809 from max-schaefer/util-deprecate

Approved by asgerf

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -5,6 +5,7 @@
 import javascript
 import semmle.javascript.frameworks.HTTP
 import semmle.javascript.security.SensitiveActions
+private import semmle.javascript.dataflow.internal.PreCallGraphStep
 
 module NodeJSLib {
   private GlobalVariable processVariable() { variables(result, "process", any(GlobalScope sc)) }
@@ -610,6 +611,22 @@ module NodeJSLib {
     )
   }
 
+  /**
+   * A call to `util.deprecate`, considered to introduce data flow from its first argument
+   * to its result.
+   */
+  private class UtilDeprecateStep extends PreCallGraphStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(DataFlow::CallNode deprecate |
+        deprecate = DataFlow::moduleMember("util", "deprecate").getACall() or
+        deprecate = DataFlow::moduleImport("util-deprecate").getACall()
+      |
+        pred = deprecate.getArgument(0) and
+        succ = deprecate
+      )
+    }
+  }
+
   /**
    * A call to a method from module `child_process`.
    */

javascript/ql/test/library-tests/TypeTracking/TypeTracking.ql

@@ -0,0 +1,43 @@
+import javascript
+
+/** Gets a node to which the source node annotated with `name` is tracked under state `t`. */
+DataFlow::SourceNode trackNamedNode(DataFlow::TypeTracker t, string name) {
+  t.start() and
+  exists(Comment c, string f, int l |
+    f = c.getFile().getAbsolutePath() and
+    l = c.getLocation().getStartLine() and
+    result.hasLocationInfo(f, l, _, _, _) and
+    name = c.getText().regexpFind("(?<=name: )\\S+", _, _)
+  )
+  or
+  exists(DataFlow::TypeTracker t2 | result = trackNamedNode(t2, name).track(t2, t))
+}
+
+/** Holds if `name` is tracked to expression `e` starting on line `l` of file `f`. */
+predicate actual(Expr e, File f, int l, string name) {
+  trackNamedNode(DataFlow::TypeTracker::end(), name).flowsToExpr(e) and
+  f = e.getFile() and
+  l = e.getLocation().getStartLine()
+}
+
+/**
+ * Holds if there is an annotation comment expecting `name` to be tracked to an expression
+ * on line `l` of file `f`.
+ */
+predicate expected(Comment c, File f, int l, string name) {
+  f = c.getFile() and
+  l = c.getLocation().getStartLine() and
+  name = c.getText().regexpFind("(?<=track: )\\S+", _, _)
+}
+
+from Locatable loc, File f, int l, string name, string msg
+where
+  expected(loc, f, l, name) and
+  not actual(_, f, l, name) and
+  msg = "Failed to track " + name + " here."
+  or
+  actual(loc, f, l, name) and
+  not expected(_, f, l, name) and
+  expected(_, f, l, _) and
+  msg = "Unexpectedly tracked " + name + " here."
+select loc, msg

javascript/ql/test/library-tests/TypeTracking/client2.js

@@ -0,0 +1,3 @@
+const g = require("./deprecated");
+
+g(); // track: f

javascript/ql/test/library-tests/TypeTracking/deprecated.js

@@ -0,0 +1,5 @@
+const util = require("util");
+
+function f() {} // name: f
+
+module.exports = util.deprecate(f, "don't use this function");