JS: add model of async package

javascript/ql/test/library-tests/frameworks/AsyncPackage/AsyncTaintTracking.expected

@@ -0,0 +1,8 @@
+| each.js:11:9:11:16 | source() | each.js:13:12:13:15 | item |
+| map.js:10:13:10:20 | source() | map.js:12:14:12:17 | item |
+| map.js:20:19:20:26 | source() | map.js:23:27:23:32 | result |
+| map.js:26:13:26:20 | source() | map.js:28:27:28:32 | result |
+| sortBy.js:10:22:10:29 | source() | sortBy.js:12:27:12:32 | result |
+| waterfall.js:7:30:7:37 | source() | waterfall.js:10:12:10:16 | taint |
+| waterfall.js:7:30:7:37 | source() | waterfall.js:19:10:19:14 | taint |
+| waterfall.js:27:18:27:25 | source() | waterfall.js:38:10:38:12 | err |

javascript/ql/test/library-tests/frameworks/AsyncPackage/AsyncTaintTracking.ql

@@ -0,0 +1,23 @@
+import javascript
+
+DataFlow::CallNode getACall(string name) {
+  result.getCalleeName() = name
+}
+
+class BasicConfig extends TaintTracking::Configuration {
+  BasicConfig() { this = "BasicConfig" }
+
+  override
+  predicate isSource(DataFlow::Node node) {
+    node = getACall("source")
+  }
+
+  override
+  predicate isSink(DataFlow::Node node) {
+    node = getACall("sink").getAnArgument()
+  }
+}
+
+from BasicConfig cfg, DataFlow::Node src, DataFlow::Node sink
+where cfg.hasFlow(src, sink)
+select src, sink

javascript/ql/test/library-tests/frameworks/AsyncPackage/each.js

@@ -0,0 +1,20 @@
+let async_ = require('async');
+
+function source() {
+    return 'TAINT'
+}
+function sink(x) {
+    console.log(x)
+}
+
+async_.each(
+    [1, source(), 2], 
+    function (item, callback) {
+      sink(item); // NOT OK
+      callback(null, 'Hello ' + item);
+    },
+    function (err, result) {
+      sink(err); // OK
+      sink(result); // OK - 'each' does not propagate return value
+    }
+)

javascript/ql/test/library-tests/frameworks/AsyncPackage/map.js

@@ -0,0 +1,34 @@
+let async_ = require('async');
+
+function source() {
+    return 'TAINT'
+}
+function sink(x) {
+    console.log(x)
+}
+
+async_.map([source()],
+    (item, cb) => {
+        sink(item), // NOT OK
+        cb(null, 'safe');
+    },
+    (err, result) => sink(result) // OK
+);
+
+async_.map(['safe'],
+    (item, cb) => {
+        let src = source();
+        cb(null, src);
+    },
+    (err, result) => sink(result) // NOT OK
+);
+
+async_.map([source()],
+    (item, cb) => cb(null, item.substring(1)),
+    (err, result) => sink(result) // NOT OK
+);
+
+async_.map(['safe'],
+    (item, cb) => cb(null, item),
+    (err, result) => sink(result) // OK
+);

javascript/ql/test/library-tests/frameworks/AsyncPackage/sortBy.js

@@ -0,0 +1,12 @@
+let async_ = require('async');
+
+function source() {
+    return 'TAINT'
+}
+function sink(x) {
+    console.log(x)
+}
+
+async_.sortBy(['zz', source()],
+    (x, cb) => cb(x.length),
+    (err, result) => sink(result)); // NOT OK

javascript/ql/test/library-tests/frameworks/AsyncPackage/waterfall.js

@@ -0,0 +1,41 @@
+let async_ = require('async');
+
+var source, sink, somethingWrong;
+
+async_.waterfall([
+    function(callback) {
+      callback(null, 'safe', source());
+    },
+    function(safe, taint, callback) {
+      sink(taint); // NOT OK
+      sink(safe);  // OK
+      callback(null, taint, safe);
+    },
+    function(taint, safe, callback) {
+      callback(null, taint, safe);
+    }
+  ],
+  function finalCallback(err, taint, safe) {
+    sink(taint); // NOT OK
+    sink(safe);  // OK
+  }
+);
+
+async_.waterfall([
+    function(callback) {
+      if (somethingWrong()) {
+        callback(source());
+      } else {
+        callback(null, 'safe');
+      }
+    },
+    function(safe, callback) {
+      sink(safe); // OK
+      callback(null, safe);
+    }
+  ],
+  function(err, safe) {
+    sink(err); // NOT OK
+    sink(safe); // OK
+  }
+);