Merge pull request #2270 from erik-krogh/reflectiveExpr

Approved by max-schaefer
2025-12-20 10:46:30 +01:00 · 2019-11-13 13:08:40 +00:00
parent 9c9744620e 0c080a82be
commit b11a7427c2
4 changed files with 349 additions and 2 deletions
--- a/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
+++ b/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
@@ -211,9 +211,9 @@ where
    msg = "the $@ does not return anything, yet the return value from the call to " + call.getCalleeName() + " is used." and
    name = "callback function"
  ) and
-  not benignContext(call.asExpr()) and
+  not benignContext(call.getEnclosingExpr()) and
  not lastStatementHasNoEffect(func) and
  // anonymous one-shot closure. Those are used in weird ways and we ignore them.
-  not oneshotClosure(call.asExpr())
+  not oneshotClosure(call.getEnclosingExpr())
 select
  call, msg, func, name
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -85,6 +85,18 @@ module DataFlow {
    /** Gets the expression corresponding to this data flow node, if any. */
    Expr asExpr() { this = TValueNode(result) }

+    /**
+     * Gets the expression enclosing this data flow node. 
+     * In most cases the result is the same as `asExpr()`, however this method 
+     * additionally the `InvokeExpr` corresponding to reflective calls, and the `Parameter` 
+     * for a `DataFlow::ParameterNode`. 
+     */
+    Expr getEnclosingExpr() {
+      result = asExpr() or
+      this = DataFlow::reflectiveCallNode(result) or
+      result = this.(ParameterNode).getParameter()
+    }
+
    /** Gets the AST node corresponding to this data flow node, if any. */
    ASTNode getAstNode() { none() }

@@ -983,6 +995,16 @@ module DataFlow {
   * Gets a pseudo-node representing the root of a global access path.
   */
  DataFlow::Node globalAccessPathRootPseudoNode() { result instanceof TGlobalAccessPathRoot }
+  
+  /**
+   * Gets a data flow node representing the underlying call performed by the given
+   * call to `Function.prototype.call` or `Function.prototype.apply`.
+   *
+   * For example, for an expression `fn.call(x, y)`, this gets a call node with `fn` as the
+   * callee, `x` as the receiver, and `y` as the first argument.
+   */
+  DataFlow::InvokeNode reflectiveCallNode(InvokeExpr expr) { result = TReflectiveCallNode(expr, _) }
+  

  /**
   * Gets a data flow node representing the underlying call performed by the given