JS: add some parsed torrent properties as remote flow sources

javascript/ql/src/javascript.qll

@@ -90,6 +90,7 @@ import semmle.javascript.frameworks.SystemCommandExecutors
 import semmle.javascript.frameworks.SQL
 import semmle.javascript.frameworks.SocketIO
 import semmle.javascript.frameworks.StringFormatters
+import semmle.javascript.frameworks.TorrentLibraries
 import semmle.javascript.frameworks.UriLibraries
 import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.XmlParsers

javascript/ql/src/semmle/javascript/frameworks/TorrentLibraries.qll

@@ -0,0 +1,61 @@
+/**
+ * Provides classes for modelling Torrent libraries.
+ */
+
+import javascript
+
+/**
+ * Provides classes for working with [parse-torrent](https://github.com/webtorrent/parse-torrent) code.
+ */
+module ParseTorrent {
+  private DataFlow::SourceNode mod() { result = DataFlow::moduleImport("parse-torrent") }
+
+  /**
+   * A torrent that has been parsed into a JavaScript object.
+   */
+  class ParsedTorrent extends DataFlow::SourceNode {
+    ParsedTorrent() {
+      this = mod().getACall() or
+      this = mod().getAMemberCall("remote").getCallback(1).getParameter(1)
+    }
+  }
+
+  private DataFlow::SourceNode parsedTorrentRef(DataFlow::TypeTracker t) {
+    t.start() and
+    result instanceof ParsedTorrent
+    or
+    exists(DataFlow::TypeTracker t2 | result = parsedTorrentRef(t2).track(t2, t))
+  }
+
+  /** Gets a data flow node referring to a parsed torrent. */
+  DataFlow::SourceNode parsedTorrentRef() {
+    result = parsedTorrentRef(DataFlow::TypeTracker::end())
+  }
+
+  /**
+   * An access to user-controlled torrent information.
+   */
+  class UserControlledTorrentInfo extends RemoteFlowSource {
+    UserControlledTorrentInfo() {
+      exists(DataFlow::SourceNode ref, DataFlow::PropRead read |
+        ref = parsedTorrentRef() and
+        read = ref.getAPropertyRead() and
+        this = read
+      |
+        exists(string prop |
+          not (
+            prop = "private" or
+            prop = "infoHash" or
+            prop = "length"
+            // "pieceLength" and "lastPieceLength" are not guaranteed to be numbers as of commit ae3ad15d
+          ) and
+          read.getPropertyName() = prop
+        )
+        or
+        not exists(read.getPropertyName())
+      )
+    }
+
+    override string getSourceType() { result = "torrent information" }
+  }
+}

javascript/ql/test/library-tests/TorrentLibraries/ParsedTorrent.expected

@@ -0,0 +1 @@
+| tst.js:4:15:4:28 | parseTorrent() |

javascript/ql/test/library-tests/TorrentLibraries/ParsedTorrent.ql

@@ -0,0 +1,3 @@
+import javascript
+
+select any(ParseTorrent::ParsedTorrent t)

javascript/ql/test/library-tests/TorrentLibraries/UserControlledTorrentInfo.expected

@@ -0,0 +1,4 @@
+| tst.js:6:2:6:12 | parsed.name |
+| tst.js:8:2:8:19 | parsed.pieceLength |
+| tst.js:14:2:14:25 | indirec ... ed.name |
+| tst.js:20:2:20:7 | t.name |

javascript/ql/test/library-tests/TorrentLibraries/UserControlledTorrentInfo.ql

@@ -0,0 +1,3 @@
+import javascript
+
+select any(ParseTorrent::UserControlledTorrentInfo i)

javascript/ql/test/library-tests/TorrentLibraries/parsedTorrentRef.expected

@@ -0,0 +1,3 @@
+| tst.js:4:15:4:28 | parseTorrent() |
+| tst.js:14:2:14:20 | indirection1.parsed |
+| tst.js:19:23:19:23 | t |

javascript/ql/test/library-tests/TorrentLibraries/parsedTorrentRef.ql

@@ -0,0 +1,3 @@
+import javascript
+
+select ParseTorrent::parsedTorrentRef()

javascript/ql/test/library-tests/TorrentLibraries/tst.js

@@ -0,0 +1,21 @@
+const parseTorrent = require('parse-torrent');
+
+(function(){
+	let parsed = parseTorrent();
+
+	parsed.name;
+	parsed.length;
+	parsed.pieceLength;
+
+	let indirection1 = {
+		parsed: parsed
+	};
+
+	indirection1.parsed.name;
+	indirection2(parsed);
+
+});
+
+function indirection2(t) {
+	t.name;
+}