JS: Move getACallee into CallGraphs module

2026-04-29 18:55:14 +02:00 · 2019-09-05 13:31:45 +01:00
parent 4a0e54a69f
commit bdc409ccb6
2 changed files with 25 additions and 13 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -141,19 +141,8 @@ class InvokeNode extends DataFlow::SourceNode {
   * This predicate can be overridden to alter the call graph used by the interprocedural
   * data flow libraries.
   */
-  cached
  Function getACallee(int imprecision) {
-    CallGraph::getAFunctionReference(result.flow(), imprecision).flowsTo(getCalleeNode())
-    or
-    imprecision = 0 and
-    exists(InvokeExpr expr | expr = this.(DataFlow::Impl::ExplicitInvokeNode).asExpr() |
-      result = expr.getResolvedCallee()
-      or
-      exists(DataFlow::ClassNode cls |
-        expr.(SuperCall).getBinder() = cls.getConstructor().getFunction() and
-        result = cls.getADirectSuperClass().getConstructor().getFunction()
-      )
-    )
+    result = CallGraph::getACallee(this, imprecision).getFunction()
  }

  /**
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/CallGraphs.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/CallGraphs.qll
@@ -19,6 +19,9 @@ module CallGraph {

  /**
   * Gets a data flow node that refers to the given function.
+   *
+   * Note that functions are not currently type-tracked, but this exposes the type-tracker `t`
+   * from underlying class tracking if the function came from a class or instance.
   */
  pragma[nomagic]
  private
@@ -119,8 +122,28 @@ module CallGraph {
    or
    exists(DataFlow::ClassNode subclass |
      result = getAnInstanceMemberAccess(subclass, name, t) and
-      not exists(subclass.getAnInstanceMember(name)) and
+      not exists(subclass.getInstanceMember(name, _)) and
      cls = subclass.getADirectSuperClass()
    )
  }
+
+  /**
+   * Gets a possible callee of `node` with the given `imprecision`.
+   *
+   * Does not include custom call edges.
+   */
+  cached
+  DataFlow::FunctionNode getACallee(DataFlow::InvokeNode node, int imprecision) {
+    getAFunctionReference(result, imprecision).flowsTo(node.getCalleeNode())
+    or
+    imprecision = 0 and
+    exists(InvokeExpr expr | expr = node.(DataFlow::Impl::ExplicitInvokeNode).asExpr() |
+      result.getFunction() = expr.getResolvedCallee()
+      or
+      exists(DataFlow::ClassNode cls |
+        expr.(SuperCall).getBinder() = cls.getConstructor().getFunction() and
+        result = cls.getADirectSuperClass().getConstructor()
+      )
+    )
+  }
 }