diff --git a/javascript/ql/examples/queries/dataflow/DecodingAfterSanitization/DecodingAfterSanitizationGeneralized.ql b/javascript/ql/examples/queries/dataflow/DecodingAfterSanitization/DecodingAfterSanitizationGeneralized.ql index 144f025f32f..69b4d9d3bd7 100644 --- a/javascript/ql/examples/queries/dataflow/DecodingAfterSanitization/DecodingAfterSanitizationGeneralized.ql +++ b/javascript/ql/examples/queries/dataflow/DecodingAfterSanitization/DecodingAfterSanitizationGeneralized.ql @@ -17,7 +17,6 @@ import DataFlow::PathGraph */ class DecodingCall extends CallNode { string kind; - Node input; DecodingCall() { diff --git a/javascript/ql/src/AlertSuppression.ql b/javascript/ql/src/AlertSuppression.ql index 4b3cc078c25..3e0dea68ad6 100644 --- a/javascript/ql/src/AlertSuppression.ql +++ b/javascript/ql/src/AlertSuppression.ql @@ -12,7 +12,6 @@ import javascript */ class SuppressionComment extends Locatable { string text; - string annotation; SuppressionComment() { diff --git a/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql b/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql index d363de41552..0e5a48ba8a9 100644 --- a/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql +++ b/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql @@ -32,7 +32,6 @@ predicate isResourceUrlWhitelist( */ class ResourceUrlWhitelistEntry extends Expr { DataFlow::MethodCallNode setupCall; - string pattern; ResourceUrlWhitelistEntry() { diff --git a/javascript/ql/src/Declarations/DeadStoreOfLocal.ql b/javascript/ql/src/Declarations/DeadStoreOfLocal.ql index f13168932ad..ae74e0eddf6 100644 --- a/javascript/ql/src/Declarations/DeadStoreOfLocal.ql +++ b/javascript/ql/src/Declarations/DeadStoreOfLocal.ql @@ -58,9 +58,8 @@ where ( // To avoid confusion about the meaning of "definition" and "declaration" we avoid // the term "definition" when the alert location is a variable declaration. - if dead instanceof VariableDeclarator then - msg = "The initial value of " + v.getName() + " is unused, since it is always overwritten." - else - msg = "This definition of " + v.getName() + " is useless, since its value is never read." + if dead instanceof VariableDeclarator + then msg = "The initial value of " + v.getName() + " is unused, since it is always overwritten." + else msg = "This definition of " + v.getName() + " is useless, since its value is never read." ) select dead, msg diff --git a/javascript/ql/src/Declarations/DeadStoreOfProperty.ql b/javascript/ql/src/Declarations/DeadStoreOfProperty.ql index dd2993bd251..1470f164ab2 100644 --- a/javascript/ql/src/Declarations/DeadStoreOfProperty.ql +++ b/javascript/ql/src/Declarations/DeadStoreOfProperty.ql @@ -160,7 +160,8 @@ where ) and // exclude results from non-value definitions from `Object.defineProperty` ( - assign1 instanceof CallToObjectDefineProperty implies + assign1 instanceof CallToObjectDefineProperty + implies assign1.(CallToObjectDefineProperty).hasPropertyAttributeWrite("value", _) ) select assign1.getWriteNode(), diff --git a/javascript/ql/src/Declarations/UnusedProperty.ql b/javascript/ql/src/Declarations/UnusedProperty.ql index 8edc3493666..33896e0a0c1 100644 --- a/javascript/ql/src/Declarations/UnusedProperty.ql +++ b/javascript/ql/src/Declarations/UnusedProperty.ql @@ -34,15 +34,16 @@ predicate hasUnknownPropertyRead(LocalObject obj) { * Holds if `obj` flows to an expression that must have a specific type. */ predicate flowsToTypeRestrictedExpression(LocalObject obj) { - exists (Expr restricted, TypeExpr type | + exists(Expr restricted, TypeExpr type | obj.flowsToExpr(restricted) and - not type.isAny() | - exists (TypeAssertion assertion | + not type.isAny() + | + exists(TypeAssertion assertion | type = assertion.getTypeAnnotation() and restricted = assertion.getExpression() ) or - exists (BindingPattern v | + exists(BindingPattern v | type = v.getTypeAnnotation() and restricted = v.getAVariable().getAnAssignedExpr() ) diff --git a/javascript/ql/src/Expressions/ExprHasNoEffect.ql b/javascript/ql/src/Expressions/ExprHasNoEffect.ql index 98958d19249..14024ec8f38 100644 --- a/javascript/ql/src/Expressions/ExprHasNoEffect.ql +++ b/javascript/ql/src/Expressions/ExprHasNoEffect.ql @@ -36,16 +36,16 @@ predicate isDeclaration(Expr e) { */ predicate isGetterProperty(string name) { // there is a call of the form `Object.defineProperty(..., name, descriptor)` ... - exists(CallToObjectDefineProperty defProp | - name = defProp.getPropertyName() | + exists(CallToObjectDefineProperty defProp | name = defProp.getPropertyName() | // ... where `descriptor` defines a getter - defProp.hasPropertyAttributeWrite("get", _) or + defProp.hasPropertyAttributeWrite("get", _) + or // ... where `descriptor` may define a getter - exists (DataFlow::SourceNode descriptor | - descriptor.flowsTo(defProp.getPropertyDescriptor()) | - descriptor.isIncomplete(_) or + exists(DataFlow::SourceNode descriptor | descriptor.flowsTo(defProp.getPropertyDescriptor()) | + descriptor.isIncomplete(_) + or // minimal escape analysis for the descriptor - exists (DataFlow::InvokeNode invk | + exists(DataFlow::InvokeNode invk | not invk = defProp and descriptor.flowsTo(invk.getAnArgument()) ) diff --git a/javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql b/javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql index 556a88524b3..9a8ba5edcb5 100644 --- a/javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql +++ b/javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql @@ -28,9 +28,10 @@ private predicate isBoundInMethod(MethodDeclaration method) { ) or // require("auto-bind")(this) - exists (string mod | + exists(string mod | mod = "auto-bind" or - mod = "react-autobind" | + mod = "react-autobind" + | thiz.flowsTo(DataFlow::moduleImport(mod).getACall().getArgument(0)) ) or diff --git a/javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql b/javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql index efc300e1974..6f2ba8483cb 100644 --- a/javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql +++ b/javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql @@ -18,7 +18,6 @@ class CandidateTopLevel extends TopLevel { /** A string literal in a toplevel that contains at least one template literal. */ class CandidateStringLiteral extends StringLiteral { CandidateTopLevel tl; - string v; CandidateStringLiteral() { diff --git a/javascript/ql/src/Performance/ReDoS.ql b/javascript/ql/src/Performance/ReDoS.ql index 4bdf265ab70..0d3bfdf2ba5 100644 --- a/javascript/ql/src/Performance/ReDoS.ql +++ b/javascript/ql/src/Performance/ReDoS.ql @@ -395,7 +395,6 @@ newtype TStatePair = class StatePair extends TStatePair { State q1; - State q2; StatePair() { this = MkStatePair(q1, q2) } diff --git a/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql b/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql index 97edf829e31..48a86226c08 100644 --- a/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql +++ b/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql @@ -109,7 +109,6 @@ predicate isDerivedFromLength(DataFlow::Node length, DataFlow::Node operand) { */ class UnsafeIndexOfComparison extends EqualityTest { IndexOfCall indexOf; - DataFlow::Node testedValue; UnsafeIndexOfComparison() { diff --git a/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql b/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql index d0141361f4b..935eb536b06 100644 --- a/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql +++ b/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql @@ -37,7 +37,8 @@ predicate isInterestingSemiAnchoredRegExpString(RegExpPatternSource src, string ) and anchorPart = src.getPattern().regexpCapture(regex, 1) and anchorPart.regexpMatch("(?i).*[a-z].*") and - msg = "Misleading operator precedence. The subexpression '" + anchorPart + "' is anchored, but the other parts of this regular expression are not" + msg = "Misleading operator precedence. The subexpression '" + anchorPart + + "' is anchored, but the other parts of this regular expression are not" ) } diff --git a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql index 7f32ca3efaa..a150a2d7a7a 100644 --- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql +++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql @@ -70,7 +70,7 @@ class Replacement extends DataFlow::Node { Replacement() { exists(DataFlow::MethodCallNode mcn | this = mcn | mcn.getMethodName() = "replace" and - pattern.flow().(DataFlow::SourceNode).flowsTo(mcn.getArgument(0))and + pattern.flow().(DataFlow::SourceNode).flowsTo(mcn.getArgument(0)) and mcn.getNumArgument() = 2 and pattern.isGlobal() ) diff --git a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql index 695f6fc2937..752900a2bea 100644 --- a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql +++ b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql @@ -64,4 +64,4 @@ where pwd = val.regexpCapture("(?is).*password\\s*=\\s*(?!;|\"?[$`]|%s|=)(\\S+).*", 1) ) and not exclude(valElement.getFile()) -select (FirstLineOf)valElement, "Hard-coded password '" + pwd + "' in configuration file." +select valElement.(FirstLineOf), "Hard-coded password '" + pwd + "' in configuration file." diff --git a/javascript/ql/src/Security/CWE-400/PrototypePollution.ql b/javascript/ql/src/Security/CWE-400/PrototypePollution.ql index 583d1b0dbc6..2e7f1f0984d 100644 --- a/javascript/ql/src/Security/CWE-400/PrototypePollution.ql +++ b/javascript/ql/src/Security/CWE-400/PrototypePollution.ql @@ -1,7 +1,7 @@ /** * @name Prototype pollution * @description Recursively merging a user-controlled object into another object - * can allow an attacker to modify the built-in Object prototype. + * can allow an attacker to modify the built-in Object prototype. * @kind path-problem * @problem.severity error * @precision high @@ -17,7 +17,8 @@ import DataFlow::PathGraph import semmle.javascript.dependencies.Dependencies from - Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string moduleName, Locatable dependencyLoc + Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string moduleName, + Locatable dependencyLoc where cfg.hasFlowPath(source, sink) and sink.getNode().(Sink).dependencyInfo(moduleName, dependencyLoc) diff --git a/javascript/ql/src/Security/Summaries/ImportFromCsv.qll b/javascript/ql/src/Security/Summaries/ImportFromCsv.qll index 643a497254d..55018ef3ca5 100644 --- a/javascript/ql/src/Security/Summaries/ImportFromCsv.qll +++ b/javascript/ql/src/Security/Summaries/ImportFromCsv.qll @@ -135,9 +135,7 @@ class AdditionalStepSpec extends ExternalData { private class AdditionalFlowStepFromSpec extends DataFlow::Configuration { AdditionalStepSpec spec; - DataFlow::Node entry; - DataFlow::Node exit; AdditionalFlowStepFromSpec() { diff --git a/javascript/ql/src/Security/Summaries/ImportFromExternalPredicates.qll b/javascript/ql/src/Security/Summaries/ImportFromExternalPredicates.qll index 63ffddb1f38..8f67f1508cd 100644 --- a/javascript/ql/src/Security/Summaries/ImportFromExternalPredicates.qll +++ b/javascript/ql/src/Security/Summaries/ImportFromExternalPredicates.qll @@ -36,9 +36,7 @@ external predicate additionalSteps( */ private class AdditionalSourceFromSpec extends DataFlow::AdditionalSource { Portal portal; - string flowLabel; - string config; AdditionalSourceFromSpec() { @@ -56,9 +54,7 @@ private class AdditionalSourceFromSpec extends DataFlow::AdditionalSource { */ private class AdditionalSinkFromSpec extends DataFlow::AdditionalSink { Portal portal; - string flowLabel; - string config; AdditionalSinkFromSpec() { @@ -76,11 +72,8 @@ private class AdditionalSinkFromSpec extends DataFlow::AdditionalSink { */ private class AdditionalFlowStepFromSpec extends DataFlow::Configuration { DataFlow::Node entry; - string startFlowLabel; - DataFlow::Node exit; - string endFlowLabel; AdditionalFlowStepFromSpec() { diff --git a/javascript/ql/src/Security/Summaries/PortalEntrySink.qll b/javascript/ql/src/Security/Summaries/PortalEntrySink.qll index c23182e4356..d5d804e0cc2 100644 --- a/javascript/ql/src/Security/Summaries/PortalEntrySink.qll +++ b/javascript/ql/src/Security/Summaries/PortalEntrySink.qll @@ -10,9 +10,7 @@ class PortalEntrySink extends DataFlow::AdditionalSink { PortalEntrySink() { this = p.getAnEntryNode(true) } - override predicate isSinkFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) { - any() - } + override predicate isSinkFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) { any() } /** Gets the portal of which this is an entry node. */ Portal getPortal() { result = p } diff --git a/javascript/ql/src/Security/Summaries/PortalExitSource.qll b/javascript/ql/src/Security/Summaries/PortalExitSource.qll index 8a5b01d149f..14e0942ce6d 100644 --- a/javascript/ql/src/Security/Summaries/PortalExitSource.qll +++ b/javascript/ql/src/Security/Summaries/PortalExitSource.qll @@ -10,9 +10,7 @@ class PortalExitSource extends DataFlow::AdditionalSource { PortalExitSource() { this = p.getAnExitNode(true) } - override predicate isSourceFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) { - any() - } + override predicate isSourceFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) { any() } /** Gets the portal of which this is an exit node. */ Portal getPortal() { result = p } diff --git a/javascript/ql/src/Statements/LoopIterationSkippedDueToShifting.ql b/javascript/ql/src/Statements/LoopIterationSkippedDueToShifting.ql index dc79821e4e6..719a389fc36 100644 --- a/javascript/ql/src/Statements/LoopIterationSkippedDueToShifting.ql +++ b/javascript/ql/src/Statements/LoopIterationSkippedDueToShifting.ql @@ -61,7 +61,6 @@ class SpliceCall extends ArrayShiftingCall { */ class ArrayIterationLoop extends ForStmt { DataFlow::SourceNode array; - LocalVariable indexVariable; ArrayIterationLoop() { diff --git a/javascript/ql/src/Statements/UnreachableStatement.ql b/javascript/ql/src/Statements/UnreachableStatement.ql index 25cd35c6693..092189609c0 100644 --- a/javascript/ql/src/Statements/UnreachableStatement.ql +++ b/javascript/ql/src/Statements/UnreachableStatement.ql @@ -26,7 +26,7 @@ where // ignore ambient statements not s.isAmbient() and // ignore empty statements - not s instanceof EmptyStmt and + not s instanceof EmptyStmt and // ignore unreachable throws not s instanceof ThrowStmt select s.(FirstLineOf), "This statement is unreachable." diff --git a/javascript/ql/src/meta/analysis-quality/CallGraphQuality.qll b/javascript/ql/src/meta/analysis-quality/CallGraphQuality.qll index 752d811ad30..aae1af25ff8 100644 --- a/javascript/ql/src/meta/analysis-quality/CallGraphQuality.qll +++ b/javascript/ql/src/meta/analysis-quality/CallGraphQuality.qll @@ -4,7 +4,6 @@ */ import javascript - private import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps private import semmle.javascript.dependencies.Dependencies private import semmle.javascript.dependencies.FrameworkLibraries @@ -96,17 +95,13 @@ predicate isExternalLibrary(string name) { * Holds if the global variable `name` is defined externally. */ predicate isExternalGlobal(string name) { - exists(ExternalGlobalDecl decl | - decl.getName() = name - ) + exists(ExternalGlobalDecl decl | decl.getName() = name) or exists(Dependency dep | // If name is never assigned anywhere, and it coincides with a dependency, // it's most likely coming from there. dep.info(name, _) and - not exists(Assignment assign | - assign.getLhs().(GlobalVarAccess).getName() = name - ) + not exists(Assignment assign | assign.getLhs().(GlobalVarAccess).getName() = name) ) or name = "_" @@ -229,9 +224,7 @@ class UnresolvableCall extends RelevantInvoke { * A call that is believed to call a function within the same project. */ class NonExternalCall extends RelevantInvoke { - NonExternalCall() { - not this instanceof ExternalCall - } + NonExternalCall() { not this instanceof ExternalCall } } /** @@ -249,7 +242,5 @@ class FunctionWithCallers extends RelevantFunction { * A function without any call sites. */ class FunctionWithoutCallers extends RelevantFunction { - FunctionWithoutCallers() { - not this instanceof FunctionWithCallers - } + FunctionWithoutCallers() { not this instanceof FunctionWithCallers } } diff --git a/javascript/ql/src/meta/analysis-quality/CalledFunctionCandidates.ql b/javascript/ql/src/meta/analysis-quality/CalledFunctionCandidates.ql index 712afee55ba..b4eb6f219e0 100644 --- a/javascript/ql/src/meta/analysis-quality/CalledFunctionCandidates.ql +++ b/javascript/ql/src/meta/analysis-quality/CalledFunctionCandidates.ql @@ -1,13 +1,14 @@ /** * @name Called function candidates * @description The number of functions for which finding call sites is relevant -* for analysis quality. + * for analysis quality. * @kind metric * @metricType project * @metricAggregate sum * @tags meta * @id js/meta/called-function-candidates */ + import javascript import CallGraphQuality diff --git a/javascript/ql/src/meta/analysis-quality/CalledFunctionRatio.ql b/javascript/ql/src/meta/analysis-quality/CalledFunctionRatio.ql index 1748a240227..248d64e59a8 100644 --- a/javascript/ql/src/meta/analysis-quality/CalledFunctionRatio.ql +++ b/javascript/ql/src/meta/analysis-quality/CalledFunctionRatio.ql @@ -7,7 +7,8 @@ * @tags meta * @id js/meta/called-function-ratio */ + import javascript import CallGraphQuality -select projectRoot(), 100.0 * count(FunctionWithCallers f) / (float) count(RelevantFunction f) +select projectRoot(), 100.0 * count(FunctionWithCallers f) / count(RelevantFunction f).(float) diff --git a/javascript/ql/src/meta/analysis-quality/CalledFunctions.ql b/javascript/ql/src/meta/analysis-quality/CalledFunctions.ql index 5054891d15c..d476915a955 100644 --- a/javascript/ql/src/meta/analysis-quality/CalledFunctions.ql +++ b/javascript/ql/src/meta/analysis-quality/CalledFunctions.ql @@ -7,6 +7,7 @@ * @tags meta * @id js/meta/called-functions */ + import javascript import CallGraphQuality diff --git a/javascript/ql/src/meta/analysis-quality/ResolvableCallCandidates.ql b/javascript/ql/src/meta/analysis-quality/ResolvableCallCandidates.ql index 7c7acb9ff06..9f39a15ff63 100644 --- a/javascript/ql/src/meta/analysis-quality/ResolvableCallCandidates.ql +++ b/javascript/ql/src/meta/analysis-quality/ResolvableCallCandidates.ql @@ -7,6 +7,7 @@ * @tags meta * @id js/meta/resolvable-call-candidates */ + import javascript import CallGraphQuality diff --git a/javascript/ql/src/meta/analysis-quality/ResolvableCallRatio.ql b/javascript/ql/src/meta/analysis-quality/ResolvableCallRatio.ql index f03b742933b..a5fc52afdb4 100644 --- a/javascript/ql/src/meta/analysis-quality/ResolvableCallRatio.ql +++ b/javascript/ql/src/meta/analysis-quality/ResolvableCallRatio.ql @@ -7,7 +7,8 @@ * @tags meta * @id js/meta/resolvable-call-ratio */ + import javascript import CallGraphQuality -select projectRoot(), 100.0 * count(ResolvableCall call) / (float) count(NonExternalCall call) +select projectRoot(), 100.0 * count(ResolvableCall call) / count(NonExternalCall call).(float) diff --git a/javascript/ql/src/meta/analysis-quality/ResolvableCalls.ql b/javascript/ql/src/meta/analysis-quality/ResolvableCalls.ql index 735803d4ce3..aaa718875a3 100644 --- a/javascript/ql/src/meta/analysis-quality/ResolvableCalls.ql +++ b/javascript/ql/src/meta/analysis-quality/ResolvableCalls.ql @@ -7,6 +7,7 @@ * @tags meta * @id js/meta/resolvable-calls */ + import javascript import CallGraphQuality diff --git a/javascript/ql/src/meta/analysis-quality/UncalledFunctions.ql b/javascript/ql/src/meta/analysis-quality/UncalledFunctions.ql index 385a4abbdd6..8bd114befab 100644 --- a/javascript/ql/src/meta/analysis-quality/UncalledFunctions.ql +++ b/javascript/ql/src/meta/analysis-quality/UncalledFunctions.ql @@ -7,6 +7,7 @@ * @tags meta * @id js/meta/uncalled-functions */ + import javascript import CallGraphQuality diff --git a/javascript/ql/src/meta/analysis-quality/UnresolvableCalls.ql b/javascript/ql/src/meta/analysis-quality/UnresolvableCalls.ql index 105a62e35c4..760dd5dfb35 100644 --- a/javascript/ql/src/meta/analysis-quality/UnresolvableCalls.ql +++ b/javascript/ql/src/meta/analysis-quality/UnresolvableCalls.ql @@ -7,6 +7,7 @@ * @tags meta * @id js/meta/unresolvable-calls */ + import javascript import CallGraphQuality diff --git a/javascript/ql/src/semmle/javascript/AST.qll b/javascript/ql/src/semmle/javascript/AST.qll index ef27dea941e..efc9ef53af3 100644 --- a/javascript/ql/src/semmle/javascript/AST.qll +++ b/javascript/ql/src/semmle/javascript/AST.qll @@ -160,8 +160,8 @@ class TopLevel extends @toplevel, StmtContainer { ) or // many variables, and they all have short names - count (VarDecl d | d.getTopLevel() = this) > 100 and - forall (VarDecl d | d.getTopLevel() = this | d.getName().length() <= 2) + count(VarDecl d | d.getTopLevel() = this) > 100 and + forall(VarDecl d | d.getTopLevel() = this | d.getName().length() <= 2) } /** Holds if this toplevel is an externs definitions file. */ diff --git a/javascript/ql/src/semmle/javascript/BasicBlocks.qll b/javascript/ql/src/semmle/javascript/BasicBlocks.qll index 62675e01fe3..0e0ebfabbc5 100644 --- a/javascript/ql/src/semmle/javascript/BasicBlocks.qll +++ b/javascript/ql/src/semmle/javascript/BasicBlocks.qll @@ -95,6 +95,7 @@ private module Internal { exists(BasicBlock predBB | succBB(predBB, bb) | reachableBB(predBB)) } } + private import Internal /** Holds if `dom` is an immediate dominator of `bb`. */ diff --git a/javascript/ql/src/semmle/javascript/Comments.qll b/javascript/ql/src/semmle/javascript/Comments.qll index fcb8c3e0c88..6a67b8fe392 100644 --- a/javascript/ql/src/semmle/javascript/Comments.qll +++ b/javascript/ql/src/semmle/javascript/Comments.qll @@ -10,7 +10,7 @@ import javascript * 
  * // a line comment
  * /* a block
-  *   comment */
+ *   comment */
  * <!-- an HTML line comment
  *
*/ diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll index 1fc51a6d841..71f0239ed27 100644 --- a/javascript/ql/src/semmle/javascript/DOM.qll +++ b/javascript/ql/src/semmle/javascript/DOM.qll @@ -288,7 +288,7 @@ module DOM { /** * A data flow node that should be considered a source of DOM values. */ - abstract class Range extends DataFlow::Node {} + abstract class Range extends DataFlow::Node { } private class DefaultRange extends Range { DefaultRange() { @@ -301,9 +301,7 @@ module DOM { } /** Gets a data flow node that refers directly to a value from the DOM. */ - DataFlow::SourceNode domValueSource() { - result instanceof DomValueSource::Range - } + DataFlow::SourceNode domValueSource() { result instanceof DomValueSource::Range } /** Gets a data flow node that may refer to a value from the DOM. */ private DataFlow::SourceNode domValueRef(DataFlow::TypeTracker t) { @@ -322,7 +320,7 @@ module DOM { * * Can be subclassed to add additional such nodes. */ - abstract class Range extends DataFlow::Node {} + abstract class Range extends DataFlow::Node { } private class DefaultRange extends Range { DefaultRange() { @@ -342,9 +340,7 @@ module DOM { } /** Gets a data flow node that directly refers to a DOM `location` object. */ - DataFlow::SourceNode locationSource() { - result instanceof LocationSource::Range - } + DataFlow::SourceNode locationSource() { result instanceof LocationSource::Range } /** Gets a reference to a DOM `location` object. */ private DataFlow::SourceNode locationRef(DataFlow::TypeTracker t) { @@ -363,7 +359,7 @@ module DOM { * * Can be subclassed to add additional such nodes. */ - abstract class Range extends DataFlow::Node {} + abstract class Range extends DataFlow::Node { } private class DefaultRange extends Range { DefaultRange() { this = DataFlow::globalVarRef("document") } @@ -373,9 +369,7 @@ module DOM { /** * Gets a direct reference to the `document` object. */ - DataFlow::SourceNode documentSource() { - result instanceof DocumentSource::Range - } + DataFlow::SourceNode documentSource() { result instanceof DocumentSource::Range } /** * Gets a reference to the `document` object. diff --git a/javascript/ql/src/semmle/javascript/DefensiveProgramming.qll b/javascript/ql/src/semmle/javascript/DefensiveProgramming.qll index 476c22df7a8..2acf4ac961d 100644 --- a/javascript/ql/src/semmle/javascript/DefensiveProgramming.qll +++ b/javascript/ql/src/semmle/javascript/DefensiveProgramming.qll @@ -84,7 +84,6 @@ module Internal { */ private class CompositeUndefinedNullTestPart extends DefensiveExpressionTest { UndefinedNullTest test; - boolean polarity; CompositeUndefinedNullTestPart() { @@ -114,7 +113,6 @@ module Internal { */ private class SanityCheckingUndefinedNullGuard extends DefensiveExpressionTest { UndefinedNullTest test; - boolean polarity; SanityCheckingUndefinedNullGuard() { @@ -152,7 +150,6 @@ module Internal { */ private class NullUndefinedComparison extends UndefinedNullTest { Expr operand; - InferredType op2type; NullUndefinedComparison() { @@ -268,7 +265,6 @@ module Internal { */ private class UndefinedNullTruthinessGuard extends DefensiveExpressionTest { VarRef guardVar; - boolean polarity; UndefinedNullTruthinessGuard() { @@ -296,7 +292,6 @@ module Internal { */ private class UndefinedNullTypeGuard extends DefensiveExpressionTest { UndefinedNullTest test; - boolean polarity; UndefinedNullTypeGuard() { @@ -324,7 +319,6 @@ module Internal { */ private class TypeofTest extends EqualityTest { Expr operand; - TypeofTag tag; TypeofTest() { @@ -362,7 +356,6 @@ module Internal { */ private class FunctionTypeGuard extends DefensiveExpressionTest { TypeofTest test; - boolean polarity; FunctionTypeGuard() { diff --git a/javascript/ql/src/semmle/javascript/E4X.qll b/javascript/ql/src/semmle/javascript/E4X.qll index 72d9c1f8ae2..e8e224e1e51 100644 --- a/javascript/ql/src/semmle/javascript/E4X.qll +++ b/javascript/ql/src/semmle/javascript/E4X.qll @@ -14,8 +14,7 @@ module E4X { * * * ``` */ - class XMLAnyName extends Expr, @e4x_xml_anyname { - } + class XMLAnyName extends Expr, @e4x_xml_anyname { } /** * An E4X qualified identifier. @@ -133,4 +132,4 @@ module E4X { result = getBase().getFirstControlFlowNode() } } -} \ No newline at end of file +} diff --git a/javascript/ql/src/semmle/javascript/ES2015Modules.qll b/javascript/ql/src/semmle/javascript/ES2015Modules.qll index eea7b82ea50..edaca58dff0 100644 --- a/javascript/ql/src/semmle/javascript/ES2015Modules.qll +++ b/javascript/ql/src/semmle/javascript/ES2015Modules.qll @@ -334,7 +334,8 @@ class ExportDefaultDeclaration extends ExportDeclaration, @exportdefaultdeclarat } } -/** A named export declaration. +/** + * A named export declaration. * * * Examples: * @@ -343,7 +344,7 @@ class ExportDefaultDeclaration extends ExportDeclaration, @exportdefaultdeclarat * export var x = 42; * export { x } from 'a'; * ``` - * */ + */ class ExportNamedDeclaration extends ExportDeclaration, @exportnameddeclaration { /** Gets the operand statement or expression that is exported by this declaration. */ ExprOrStmt getOperand() { result = getChild(-1) } diff --git a/javascript/ql/src/semmle/javascript/Expr.qll b/javascript/ql/src/semmle/javascript/Expr.qll index 09a04872068..db988aed214 100644 --- a/javascript/ql/src/semmle/javascript/Expr.qll +++ b/javascript/ql/src/semmle/javascript/Expr.qll @@ -36,33 +36,19 @@ class ExprOrType extends @exprortype, Documentable { // if there is no JSDoc for the expression itself, check the enclosing property or statement not exists(getOwnDocumentation()) and ( - exists(Property prop | prop = getParent() | - result = prop.getDocumentation() - ) + exists(Property prop | prop = getParent() | result = prop.getDocumentation()) or - exists(MethodDeclaration decl | decl = getParent() | - result = decl.getDocumentation() - ) + exists(MethodDeclaration decl | decl = getParent() | result = decl.getDocumentation()) or - exists(VariableDeclarator decl | decl = getParent() | - result = decl.getDocumentation() - ) + exists(VariableDeclarator decl | decl = getParent() | result = decl.getDocumentation()) or - exists(DeclStmt stmt | this = stmt.getDecl(0) | - result = stmt.getDocumentation() - ) + exists(DeclStmt stmt | this = stmt.getDecl(0) | result = stmt.getDocumentation()) or - exists(DotExpr dot | this = dot.getProperty() | - result = dot.getDocumentation() - ) + exists(DotExpr dot | this = dot.getProperty() | result = dot.getDocumentation()) or - exists(AssignExpr e | this = e.getRhs() | - result = e.getDocumentation() - ) + exists(AssignExpr e | this = e.getRhs() | result = e.getDocumentation()) or - exists(ParExpr p | this = p.getExpression() | - result = p.getDocumentation() - ) + exists(ParExpr p | this = p.getExpression() | result = p.getDocumentation()) ) } @@ -203,13 +189,13 @@ class Expr extends @expr, ExprOrStmt, ExprOrType, AST::ValueNode { /** * Holds if the syntactic context that the expression appears in relies on the expression * being non-null/non-undefined. - * + * * A context relies on the subexpression being non-null/non-undefined if either... - * + * * * Using null or undefined would cause a runtime error * * Using null or undefined would cause no error due to type conversion, but the * behavior in the broader context is sufficiently non-obvious to warrant explicitly - * converting to ensure that readers understand the intent + * converting to ensure that readers understand the intent */ predicate inNullSensitiveContext() { exists(ExprOrStmt ctx | @@ -668,7 +654,7 @@ class Property extends @property, Documentable { /** * A value property definition in an object literal. - + * * Examples: * * ``` @@ -2377,7 +2363,6 @@ class LegacyLetExpr extends Expr, @legacy_letexpr { class ImmediatelyInvokedFunctionExpr extends Function { /** The invocation expression of this IIFE. */ InvokeExpr invk; - /** * The kind of invocation by which this IIFE is invoked: `"call"` * for a direct function call, `"call"` or `"apply"` for a reflective diff --git a/javascript/ql/src/semmle/javascript/Files.qll b/javascript/ql/src/semmle/javascript/Files.qll index 9abbc10f496..88efd373769 100644 --- a/javascript/ql/src/semmle/javascript/Files.qll +++ b/javascript/ql/src/semmle/javascript/Files.qll @@ -74,9 +74,7 @@ abstract class Container extends @container { * "//FileServer/""" * */ - string getBaseName() { - result = getAbsolutePath().regexpCapture(".*/(([^/]*?)(\\.([^.]*))?)", 1) - } + string getBaseName() { result = getAbsolutePath().regexpCapture(".*/(([^/]*?)(\\.([^.]*))?)", 1) } /** * Gets the extension of this container, that is, the suffix of its base name @@ -101,7 +99,9 @@ abstract class Container extends @container { * "/tmp/x.tar.gz""gz" * */ - string getExtension() { result = getAbsolutePath().regexpCapture(".*/(([^/]*?)(\\.([^.]*))?)", 4) } + string getExtension() { + result = getAbsolutePath().regexpCapture(".*/(([^/]*?)(\\.([^.]*))?)", 4) + } /** * Gets the stem of this container, that is, the prefix of its base name up to diff --git a/javascript/ql/src/semmle/javascript/GeneratedCode.qll b/javascript/ql/src/semmle/javascript/GeneratedCode.qll index 6a75a4fd57e..b4877f8a8fa 100644 --- a/javascript/ql/src/semmle/javascript/GeneratedCode.qll +++ b/javascript/ql/src/semmle/javascript/GeneratedCode.qll @@ -157,9 +157,7 @@ private int countStartingHtmlElements(File f, int l) { /** * Holds if the base name of `f` is a number followed by a single extension. */ -predicate isGeneratedFileName(File f) { - f.getStem().regexpMatch("[0-9]+") -} +predicate isGeneratedFileName(File f) { f.getStem().regexpMatch("[0-9]+") } /** * Holds if `tl` looks like it contains generated code. diff --git a/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll b/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll index 24d70315bcd..9e089fc9cf0 100644 --- a/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll +++ b/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll @@ -1,6 +1,7 @@ /** * Provides predicates for associating qualified names with data flow nodes. */ + import javascript module GlobalAccessPath { @@ -13,14 +14,10 @@ module GlobalAccessPath { } /** Gets the SSA definition of this variable. */ - SsaExplicitDefinition getSsaDefinition() { - result.getSourceVariable() = this - } + SsaExplicitDefinition getSsaDefinition() { result.getSourceVariable() = this } /** Gets the data flow node representing the value of this variable, if one exists. */ - DataFlow::Node getValue() { - result = getSsaDefinition().getRhsNode() - } + DataFlow::Node getValue() { result = getSsaDefinition().getRhsNode() } } /** @@ -39,7 +36,7 @@ module GlobalAccessPath { * (function(ns) { * ns.x; // reference to 'NS.x' * })(NS = NS || {}); - * ``` + * ``` */ cached string fromReference(DataFlow::Node node) { @@ -59,9 +56,7 @@ module GlobalAccessPath { result = fromReference(prop.getBase()) + "." + prop.getPropertyName() ) or - exists(Closure::ClosureNamespaceAccess acc | node = acc | - result = acc.getClosureNamespace() - ) + exists(Closure::ClosureNamespaceAccess acc | node = acc | result = acc.getClosureNamespace()) or exists(PropertyProjection proj | node = proj | proj.isSingletonProjection() and @@ -101,9 +96,7 @@ module GlobalAccessPath { * foo = foo || {}; * ``` */ - private predicate isSelfAssignment(DataFlow::Node rhs) { - fromRhs(rhs) = fromReference(rhs) - } + private predicate isSelfAssignment(DataFlow::Node rhs) { fromRhs(rhs) = fromReference(rhs) } /** * Holds if there is an assignment to `accessPath` in `file`, not counting @@ -139,7 +132,7 @@ module GlobalAccessPath { * foo = { bar: class {} }; * * (function(f) { - * f.bar = class {} + * f.bar = class {} * })(foo = foo || {}); * ``` */ diff --git a/javascript/ql/src/semmle/javascript/JSDoc.qll b/javascript/ql/src/semmle/javascript/JSDoc.qll index 016c1cd1591..2488cf6f27c 100644 --- a/javascript/ql/src/semmle/javascript/JSDoc.qll +++ b/javascript/ql/src/semmle/javascript/JSDoc.qll @@ -122,9 +122,7 @@ class JSDocTag extends @jsdoc_tag, JSDocTypeExprParent { /** Gets the toplevel in which this tag appears. */ TopLevel getTopLevel() { result = getParent().getComment().getTopLevel() } - override JSDoc getJSDocComment() { - result.getATag() = this - } + override JSDoc getJSDocComment() { result.getATag() = this } } /** @@ -180,9 +178,7 @@ class JSDocTypeExpr extends @jsdoc_type_expr, JSDocTypeExprParent, TypeAnnotatio override string toString() { jsdoc_type_exprs(this, _, _, _, result) } - override JSDoc getJSDocComment() { - result = getParent().getJSDocComment() - } + override JSDoc getJSDocComment() { result = getParent().getJSDocComment() } override Stmt getEnclosingStmt() { exists(Documentable astNode | astNode.getDocumentation() = getJSDocComment() | @@ -195,9 +191,9 @@ class JSDocTypeExpr extends @jsdoc_type_expr, JSDocTypeExprParent, TypeAnnotatio } override StmtContainer getContainer() { result = getEnclosingStmt().getContainer() } - + override Function getEnclosingFunction() { result = getContainer() } - + override TopLevel getTopLevel() { result = getEnclosingStmt().getTopLevel() } } @@ -396,13 +392,9 @@ class JSDocAppliedTypeExpr extends @jsdoc_applied_type_expr, JSDocTypeExpr { */ JSDocTypeExpr getAnArgument() { result = getArgument(_) } - override predicate hasQualifiedName(string globalName) { - getHead().hasQualifiedName(globalName) - } + override predicate hasQualifiedName(string globalName) { getHead().hasQualifiedName(globalName) } - override DataFlow::ClassNode getClass() { - result = getHead().getClass() - } + override DataFlow::ClassNode getClass() { result = getHead().getClass() } } /** @@ -423,9 +415,7 @@ class JSDocNullableTypeExpr extends @jsdoc_nullable_type_expr, JSDocTypeExpr { override JSDocTypeExpr getAnUnderlyingType() { result = getTypeExpr().getAnUnderlyingType() } - override DataFlow::ClassNode getClass() { - result = getTypeExpr().getClass() - } + override DataFlow::ClassNode getClass() { result = getTypeExpr().getClass() } } /** @@ -446,9 +436,7 @@ class JSDocNonNullableTypeExpr extends @jsdoc_non_nullable_type_expr, JSDocTypeE override JSDocTypeExpr getAnUnderlyingType() { result = getTypeExpr().getAnUnderlyingType() } - override DataFlow::ClassNode getClass() { - result = getTypeExpr().getClass() - } + override DataFlow::ClassNode getClass() { result = getTypeExpr().getClass() } } /** @@ -548,11 +536,11 @@ class JSDocOptionalParameterTypeExpr extends @jsdoc_optional_type_expr, JSDocTyp /** Gets the underlying type of this optional type. */ JSDocTypeExpr getUnderlyingType() { result = getChild(0) } - override JSDocTypeExpr getAnUnderlyingType() { result = getUnderlyingType().getAnUnderlyingType() } - - override DataFlow::ClassNode getClass() { - result = getUnderlyingType().getClass() + override JSDocTypeExpr getAnUnderlyingType() { + result = getUnderlyingType().getAnUnderlyingType() } + + override DataFlow::ClassNode getClass() { result = getUnderlyingType().getClass() } } /** diff --git a/javascript/ql/src/semmle/javascript/Paths.qll b/javascript/ql/src/semmle/javascript/Paths.qll index c90db21ee72..f15345bd94b 100644 --- a/javascript/ql/src/semmle/javascript/Paths.qll +++ b/javascript/ql/src/semmle/javascript/Paths.qll @@ -92,9 +92,7 @@ private class ConsPath extends Path, TConsPath { * that is, everything after the last dot. The fourth group includes the dot, the * fifth does not. */ -private string pathRegex() { - result = "(.*)(?:/|^)(([^/]*?)(\\.([^.]*))?)" -} +private string pathRegex() { result = "(.*)(?:/|^)(([^/]*?)(\\.([^.]*))?)" } /** * A string value that represents a (relative or absolute) file system path. diff --git a/javascript/ql/src/semmle/javascript/Promises.qll b/javascript/ql/src/semmle/javascript/Promises.qll index 2d745937319..858064e85a0 100644 --- a/javascript/ql/src/semmle/javascript/Promises.qll +++ b/javascript/ql/src/semmle/javascript/Promises.qll @@ -75,11 +75,11 @@ private module ClosurePromise { ClosurePromiseTaintStep() { // static methods in goog.Promise - exists (DataFlow::CallNode call, string name | + exists(DataFlow::CallNode call, string name | call = Closure::moduleImport("goog.Promise." + name).getACall() and this = call and pred = call.getAnArgument() - | + | name = "all" or name = "allSettled" or name = "firstFulfilled" or @@ -87,15 +87,13 @@ private module ClosurePromise { ) or // promise created through goog.promise.withResolver() - exists (DataFlow::CallNode resolver | + exists(DataFlow::CallNode resolver | resolver = Closure::moduleImport("goog.Promise.withResolver").getACall() and this = resolver.getAPropertyRead("promise") and pred = resolver.getAMethodCall("resolve").getArgument(0) ) } - override predicate step(DataFlow::Node src, DataFlow::Node dst) { - src = pred and dst = this - } + override predicate step(DataFlow::Node src, DataFlow::Node dst) { src = pred and dst = this } } } diff --git a/javascript/ql/src/semmle/javascript/SSA.qll b/javascript/ql/src/semmle/javascript/SSA.qll index d3a8f493597..f214e1fa484 100644 --- a/javascript/ql/src/semmle/javascript/SSA.qll +++ b/javascript/ql/src/semmle/javascript/SSA.qll @@ -384,6 +384,7 @@ private module Internal { rewindReads(bb, i, v) = 1 and result = getDefReachingEndOf(bb.getImmediateDominator(), v) } } + private import Internal /** diff --git a/javascript/ql/src/semmle/javascript/StringOps.qll b/javascript/ql/src/semmle/javascript/StringOps.qll index deb4a2d399a..f33dbd9f74d 100644 --- a/javascript/ql/src/semmle/javascript/StringOps.qll +++ b/javascript/ql/src/semmle/javascript/StringOps.qll @@ -75,7 +75,6 @@ module StringOps { */ private class StartsWith_IndexOfEquals extends Range, DataFlow::ValueNode { override EqualityTest astNode; - DataFlow::MethodCallNode indexOf; StartsWith_IndexOfEquals() { @@ -118,8 +117,10 @@ module StringOps { StartsWith_Library() { getNumArgument() = 2 and exists(DataFlow::SourceNode callee | this = callee.getACall() | - callee = LodashUnderscore::member("startsWith") or - callee = DataFlow::moduleMember("ramda", "startsWith") or + callee = LodashUnderscore::member("startsWith") + or + callee = DataFlow::moduleMember("ramda", "startsWith") + or exists(string name | callee = Closure::moduleImport("goog.string." + name) and (name = "startsWith" or name = "caseInsensitiveStartsWith") @@ -137,9 +138,7 @@ module StringOps { */ private class StartsWith_FirstCharacter extends Range, DataFlow::ValueNode { override EqualityTest astNode; - DataFlow::PropRead read; - Expr constant; StartsWith_FirstCharacter() { @@ -161,9 +160,7 @@ module StringOps { */ private class StartsWith_Substring extends Range, DataFlow::ValueNode { override EqualityTest astNode; - DataFlow::MethodCallNode call; - DataFlow::Node substring; StartsWith_Substring() { @@ -270,7 +267,6 @@ module StringOps { */ private class Includes_IndexOfEquals extends Range, DataFlow::ValueNode { MethodCallExpr indexOf; - override EqualityTest astNode; Includes_IndexOfEquals() { @@ -294,9 +290,7 @@ module StringOps { */ private class Includes_IndexOfRelational extends Range, DataFlow::ValueNode { MethodCallExpr indexOf; - override RelationalComparison astNode; - boolean polarity; Includes_IndexOfRelational() { @@ -336,7 +330,6 @@ module StringOps { */ private class Includes_IndexOfBitwise extends Range, DataFlow::ValueNode { MethodCallExpr indexOf; - override BitNotExpr astNode; Includes_IndexOfBitwise() { @@ -422,8 +415,10 @@ module StringOps { EndsWith_Library() { getNumArgument() = 2 and exists(DataFlow::SourceNode callee | this = callee.getACall() | - callee = LodashUnderscore::member("endsWith") or - callee = DataFlow::moduleMember("ramda", "endsWith") or + callee = LodashUnderscore::member("endsWith") + or + callee = DataFlow::moduleMember("ramda", "endsWith") + or exists(string name | callee = Closure::moduleImport("goog.string." + name) and (name = "endsWith" or name = "caseInsensitiveEndsWith") @@ -488,49 +483,37 @@ module StringOps { * Gets the `n`th operand of this string concatenation. */ pragma[inline] - ConcatenationOperand getOperand(int n) { - result = StringConcatenation::getOperand(this, n) - } + ConcatenationOperand getOperand(int n) { result = StringConcatenation::getOperand(this, n) } /** * Gets an operand of this string concatenation. */ pragma[inline] - ConcatenationOperand getAnOperand() { - result = StringConcatenation::getAnOperand(this) - } + ConcatenationOperand getAnOperand() { result = StringConcatenation::getAnOperand(this) } /** * Gets the number of operands of this string concatenation. */ pragma[inline] - int getNumOperand() { - result = StringConcatenation::getNumOperand(this) - } + int getNumOperand() { result = StringConcatenation::getNumOperand(this) } /** * Gets the first operand of this string concatenation. */ pragma[inline] - ConcatenationOperand getFirstOperand() { - result = StringConcatenation::getFirstOperand(this) - } + ConcatenationOperand getFirstOperand() { result = StringConcatenation::getFirstOperand(this) } /** * Gets the last operand of this string concatenation */ pragma[inline] - ConcatenationOperand getLastOperand() { - result = StringConcatenation::getLastOperand(this) - } + ConcatenationOperand getLastOperand() { result = StringConcatenation::getLastOperand(this) } /** * Holds if this only acts as a string coercion, such as `"" + x`. */ pragma[inline] - predicate isCoercion() { - StringConcatenation::isCoercion(this) - } + predicate isCoercion() { StringConcatenation::isCoercion(this) } /** * Holds if this is the root of a concatenation tree, that is, @@ -538,34 +521,26 @@ module StringOps { * another concatenation operator. */ pragma[inline] - predicate isRoot() { - StringConcatenation::isRoot(this) - } + predicate isRoot() { StringConcatenation::isRoot(this) } /** * Holds if this is a leaf in the concatenation tree, that is, it is not * itself a concatenation. */ pragma[inline] - predicate isLeaf() { - not exists(StringConcatenation::getAnOperand(this)) - } + predicate isLeaf() { not exists(StringConcatenation::getAnOperand(this)) } /** * Gets the root of the concatenation tree in which this is an operator. */ pragma[inline] - ConcatenationRoot getRoot() { - result = StringConcatenation::getRoot(this) - } + ConcatenationRoot getRoot() { result = StringConcatenation::getRoot(this) } /** * Gets the enclosing concatenation in which this is an operand, if any. */ pragma[inline] - Concatenation getParentConcatenation() { - this = StringConcatenation::getAnOperand(result) - } + Concatenation getParentConcatenation() { this = StringConcatenation::getAnOperand(result) } /** * Gets the last leaf in this concatenation tree. @@ -573,9 +548,7 @@ module StringOps { * For example, `z` is the last leaf in `x + y + z`. */ pragma[inline] - ConcatenationLeaf getLastLeaf() { - result = StringConcatenation::getLastOperand*(this) - } + ConcatenationLeaf getLastLeaf() { result = StringConcatenation::getLastOperand*(this) } /** * Gets the first leaf in this concatenation tree. @@ -583,9 +556,7 @@ module StringOps { * For example, `x` is the first leaf in `x + y + z`. */ pragma[inline] - ConcatenationLeaf getFirstLeaf() { - result = StringConcatenation::getFirstOperand*(this) - } + ConcatenationLeaf getFirstLeaf() { result = StringConcatenation::getFirstOperand*(this) } /** * Gets the leaf that is occurs immediately before this leaf in the @@ -594,9 +565,7 @@ module StringOps { * For example, `y` is the previous leaf from `z` in `x + y + z`. */ pragma[inline] - ConcatenationLeaf getPreviousLeaf() { - adjacentLeaves(result, this) - } + ConcatenationLeaf getPreviousLeaf() { adjacentLeaves(result, this) } /** * Gets the leaf that is occurs immediately after this leaf in the @@ -605,9 +574,7 @@ module StringOps { * For example, `y` is the next leaf from `x` in `x + y + z`. */ pragma[inline] - ConcatenationLeaf getNextLeaf() { - adjacentLeaves(this, result) - } + ConcatenationLeaf getNextLeaf() { adjacentLeaves(this, result) } } /** @@ -626,9 +593,7 @@ module StringOps { */ class Concatenation extends ConcatenationNode { pragma[inline] - Concatenation() { - exists(StringConcatenation::getAnOperand(this)) - } + Concatenation() { exists(StringConcatenation::getAnOperand(this)) } } /** @@ -645,9 +610,7 @@ module StringOps { */ class ConcatenationOperand extends ConcatenationNode { pragma[inline] - ConcatenationOperand() { - this = StringConcatenation::getAnOperand(_) - } + ConcatenationOperand() { this = StringConcatenation::getAnOperand(_) } } /** @@ -664,17 +627,13 @@ module StringOps { */ class ConcatenationRoot extends Concatenation { pragma[inline] - ConcatenationRoot() { - isRoot() - } + ConcatenationRoot() { isRoot() } /** * Gets a leaf in this concatenation tree that this node is the root of. */ pragma[inline] - ConcatenationLeaf getALeaf() { - this = StringConcatenation::getRoot(result) - } + ConcatenationLeaf getALeaf() { this = StringConcatenation::getRoot(result) } /** * Returns the concatenation of all constant operands in this concatenation, @@ -691,11 +650,10 @@ module StringOps { or not exists(getStringValue()) and result = strictconcat(StringLiteralLike leaf | - leaf = getALeaf().asExpr() - | - leaf.getStringValue() - order by leaf.getFirstToken().getIndex() asc - ) + leaf = getALeaf().asExpr() + | + leaf.getStringValue() order by leaf.getFirstToken().getIndex() + ) } } @@ -720,9 +678,7 @@ module StringOps { */ class ConcatenationLeaf extends ConcatenationOperand { pragma[inline] - ConcatenationLeaf() { - isLeaf() - } + ConcatenationLeaf() { isLeaf() } } /** @@ -739,9 +695,7 @@ module StringOps { * A data flow node that is part of an HTML string concatenation. */ class HtmlConcatenationNode extends ConcatenationNode { - HtmlConcatenationNode() { - getRoot() instanceof HtmlConcatenationRoot - } + HtmlConcatenationNode() { getRoot() instanceof HtmlConcatenationRoot } } /** @@ -749,8 +703,6 @@ module StringOps { * and is not itself a concatenation operator. */ class HtmlConcatenationLeaf extends ConcatenationLeaf { - HtmlConcatenationLeaf() { - getRoot() instanceof HtmlConcatenationRoot - } + HtmlConcatenationLeaf() { getRoot() instanceof HtmlConcatenationRoot } } } diff --git a/javascript/ql/src/semmle/javascript/TypeScript.qll b/javascript/ql/src/semmle/javascript/TypeScript.qll index 9681ecb79f8..b17a1b93401 100644 --- a/javascript/ql/src/semmle/javascript/TypeScript.qll +++ b/javascript/ql/src/semmle/javascript/TypeScript.qll @@ -551,9 +551,7 @@ class TypeExpr extends ExprOrType, @typeexpr, TypeAnnotation { override TopLevel getTopLevel() { result = ExprOrType.super.getTopLevel() } - override DataFlow::ClassNode getClass() { - result.getAstNode() = getType().(ClassType).getClass() - } + override DataFlow::ClassNode getClass() { result.getAstNode() = getType().(ClassType).getClass() } } /** @@ -1525,7 +1523,6 @@ class TSGlobalDeclImport extends DataFlow::ModuleImportNode::Range { */ class ReferenceImport extends LineComment { string attribute; - string value; ReferenceImport() { @@ -1554,16 +1551,14 @@ class ReferenceImport extends LineComment { * * Gets the file referenced by this import. */ - deprecated - File getImportedFile() { none() } + deprecated File getImportedFile() { none() } /** * DEPRECATED. This is no longer supported. * * Gets the top-level of the referenced file. */ - deprecated - TopLevel getImportedTopLevel() { none() } + deprecated TopLevel getImportedTopLevel() { none() } } /** diff --git a/javascript/ql/src/semmle/javascript/Variables.qll b/javascript/ql/src/semmle/javascript/Variables.qll index 4033af6d0ed..e527cce13af 100644 --- a/javascript/ql/src/semmle/javascript/Variables.qll +++ b/javascript/ql/src/semmle/javascript/Variables.qll @@ -447,7 +447,7 @@ class GlobalVarDecl extends VarDecl { /** * An array pattern. - * + * * Example: * * ``` @@ -456,7 +456,7 @@ class GlobalVarDecl extends VarDecl { * var c; * } * ``` -*/ + */ class ArrayPattern extends DestructuringPattern, @arraypattern { /** Gets the `i`th element of this array pattern. */ Expr getElement(int i) { @@ -542,7 +542,7 @@ class ObjectPattern extends DestructuringPattern, @objectpattern { /** * A property pattern in an object pattern. - * + * * Examples: * * ``` @@ -551,7 +551,7 @@ class ObjectPattern extends DestructuringPattern, @objectpattern { * var c; * } * ``` -*/ + */ class PropertyPattern extends @property, ASTNode { PropertyPattern() { // filter out ordinary properties @@ -831,7 +831,7 @@ class DeclarationSpace extends string { * function id(x: String) : any { * return x; * } - * ``` + * ``` */ class LexicalName extends @lexical_name { /** Gets the scope in which this name was declared. */ diff --git a/javascript/ql/src/semmle/javascript/XML.qll b/javascript/ql/src/semmle/javascript/XML.qll index ec109b4b969..1bc2778a9b8 100755 --- a/javascript/ql/src/semmle/javascript/XML.qll +++ b/javascript/ql/src/semmle/javascript/XML.qll @@ -215,14 +215,14 @@ class XMLElement extends @xmlelement, XMLParent, XMLLocatable { /** * An attribute that occurs inside an XML element. - * + * * Examples: * * ``` * package="com.example.exampleapp" * android:versionCode="1" * ``` -*/ + */ class XMLAttribute extends @xmlattribute, XMLLocatable { /** Gets the name of this attribute. */ string getName() { xmlAttrs(this, _, result, _, _, _) } diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll index 41736ba7d73..3b12416015b 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll @@ -1016,9 +1016,7 @@ private DataFlow::Configuration id(DataFlow::Configuration cfg) { result >= cfg */ class PathNode extends TPathNode { DataFlow::Node nd; - DataFlow::Configuration cfg; - PathSummary summary; PathNode() { this = MkPathNode(nd, cfg, summary) } diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll index 9e49e183950..49597c8101b 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll @@ -35,9 +35,7 @@ module DataFlow { (kind = "call" or kind = "apply") } or TThisNode(StmtContainer f) { f.(Function).getThisBinder() = f or f instanceof TopLevel } or - TUnusedParameterNode(SimpleParameter p) { - not exists(SSA::definition(p)) - } or + TUnusedParameterNode(SimpleParameter p) { not exists(SSA::definition(p)) } or TDestructuredModuleImportNode(ImportDeclaration decl) { exists(decl.getASpecifier().getImportedName()) } or @@ -340,7 +338,6 @@ module DataFlow { */ private class RestPatternNode extends Node, TRestPatternNode { DestructuringPattern pattern; - Expr rest; RestPatternNode() { this = TRestPatternNode(pattern, rest) } @@ -386,7 +383,6 @@ module DataFlow { */ private class ElementPatternNode extends Node, TElementPatternNode { ArrayPattern pattern; - Expr elt; ElementPatternNode() { this = TElementPatternNode(pattern, elt) } @@ -414,7 +410,6 @@ module DataFlow { */ private class ElementNode extends Node, TElementNode { ArrayExpr arr; - Expr elt; ElementNode() { this = TElementNode(arr, elt) } @@ -438,7 +433,6 @@ module DataFlow { */ private class ReflectiveCallNode extends Node, TReflectiveCallNode { MethodCallExpr call; - string kind; ReflectiveCallNode() { this = TReflectiveCallNode(call, kind) } @@ -685,7 +679,7 @@ module DataFlow { exists(Parameter param, Node paramNode | param = prop.getParameter() and parameterNode(paramNode, param) - | + | result = paramNode or // special case: there is no SSA flow step for unused parameters @@ -807,7 +801,6 @@ module DataFlow { */ private class ImportSpecifierAsPropRead extends PropRead { ImportDeclaration imprt; - ImportSpecifier spec; ImportSpecifierAsPropRead() { @@ -883,9 +876,7 @@ module DataFlow { function.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) } - override BasicBlock getBasicBlock() { - result = function.(ExprOrStmt).getBasicBlock() - } + override BasicBlock getBasicBlock() { result = function.(ExprOrStmt).getBasicBlock() } /** * Gets the function corresponding to this exceptional return node. @@ -909,9 +900,7 @@ module DataFlow { invoke.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) } - override BasicBlock getBasicBlock() { - result = invoke.getBasicBlock() - } + override BasicBlock getBasicBlock() { result = invoke.getBasicBlock() } /** * Gets the invocation corresponding to this exceptional return node. @@ -1053,7 +1042,6 @@ module DataFlow { */ private class ReflectiveCallNodeDef extends CallNodeDef { ExplicitMethodCallNode originalCall; - string kind; ReflectiveCallNodeDef() { this = TReflectiveCallNode(originalCall.asExpr(), kind) } @@ -1115,9 +1103,7 @@ module DataFlow { override string toString() { result = "this" } override BasicBlock getBasicBlock() { - exists(StmtContainer container | this = TThisNode(container) | - result = container.getEntry() - ) + exists(StmtContainer container | this = TThisNode(container) | result = container.getEntry()) } override predicate hasLocationInfo( @@ -1125,7 +1111,8 @@ module DataFlow { ) { // Use the function entry as the location exists(StmtContainer container | this = TThisNode(container) | - container.getEntry() + container + .getEntry() .getLocation() .hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) ) @@ -1154,9 +1141,7 @@ module DataFlow { /** * INTERNAL: Use `parameterNode(Parameter)` instead. */ - predicate parameterNode(DataFlow::Node nd, Parameter p) { - nd = lvalueNode(p) - } + predicate parameterNode(DataFlow::Node nd, Parameter p) { nd = lvalueNode(p) } /** * INTERNAL: Use `thisNode(StmtContainer container)` instead. @@ -1476,6 +1461,7 @@ module DataFlow { exists(ComprehensionBlock cb | def = cb.getIterator()) and cause = "yield" } + import Nodes import Sources import TypeInference diff --git a/javascript/ql/src/semmle/javascript/dataflow/LocalObjects.qll b/javascript/ql/src/semmle/javascript/dataflow/LocalObjects.qll index b4881f01aa1..864a1f33ce1 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/LocalObjects.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/LocalObjects.qll @@ -20,16 +20,14 @@ private predicate isEscape(DataFlow::Node escape, string cause) { or escape = any(ExportDeclaration e).getSourceNode(_) and cause = "export" or - exists (WithStmt with, Assignment assign | + exists(WithStmt with, Assignment assign | with.mayAffect(assign.getLhs()) and assign.getRhs().flow() = escape and cause = "heap" ) } -private DataFlow::Node getAnEscape() { - isEscape(result, _) -} +private DataFlow::Node getAnEscape() { isEscape(result, _) } /** * Holds if `n` can flow to a `this`-variable. diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll index 763b80743c1..c158ffc69bc 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll @@ -77,7 +77,8 @@ class InvokeNode extends DataFlow::SourceNode { * x.push(x, ...args, y, ...more); // 'args' and 'more' are a spread arguments * Array.prototype.push.apply(x, args); // 'args' is a spread argument * ``` - .*/ + * . + */ DataFlow::Node getASpreadArgument() { result = impl.getASpreadArgument() } /** Gets the number of arguments of this invocation, if it can be determined. */ @@ -866,13 +867,12 @@ module ClassNode { */ class FunctionStyleClass extends Range, DataFlow::ValueNode { override Function astNode; - AbstractFunction function; FunctionStyleClass() { function.getFunction() = astNode and ( - exists (DataFlow::PropRef read | + exists(DataFlow::PropRef read | read.getPropertyName() = "prototype" and read.getBase().analyze().getAValue() = function ) diff --git a/javascript/ql/src/semmle/javascript/dataflow/Sources.qll b/javascript/ql/src/semmle/javascript/dataflow/Sources.qll index c1ebb286e8e..9b290397b1e 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/Sources.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/Sources.qll @@ -158,9 +158,7 @@ class SourceNode extends DataFlow::Node { /** * Gets a source node whose value is stored in a property of this node. */ - DataFlow::SourceNode getAPropertySource() { - result.flowsTo(getAPropertyWrite().getRhs()) - } + DataFlow::SourceNode getAPropertySource() { result.flowsTo(getAPropertyWrite().getRhs()) } /** * Gets a node that this node may flow to using one heap and/or interprocedural step. @@ -168,9 +166,7 @@ class SourceNode extends DataFlow::Node { * See `TypeTracker` for more details about how to use this. */ pragma[inline] - DataFlow::SourceNode track(TypeTracker t2, TypeTracker t) { - t = t2.step(this, result) - } + DataFlow::SourceNode track(TypeTracker t2, TypeTracker t) { t = t2.step(this, result) } /** * Gets a node that may flow into this one using one heap and/or interprocedural step. diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll index 11e2a421eb7..06a0d904261 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll @@ -63,7 +63,9 @@ module TaintTracking { * * Holds if the edge from `source` to `sink` is a taint sanitizer for data labelled with `lbl`. */ - deprecated predicate isSanitizer(DataFlow::Node source, DataFlow::Node sink, DataFlow::FlowLabel lbl) { + deprecated predicate isSanitizer( + DataFlow::Node source, DataFlow::Node sink, DataFlow::FlowLabel lbl + ) { none() } @@ -309,9 +311,7 @@ module TaintTracking { ) or // `array.splice(i, del, e)`: if `e` is tainted, then so is `array`. - exists(string name | - name = "splice" - | + exists(string name | name = "splice" | pred = call.getArgument(2) and succ.(DataFlow::SourceNode).getAMethodCall(name) = call ) @@ -346,7 +346,6 @@ module TaintTracking { */ private class DictionaryTaintStep extends AdditionalTaintStep, DataFlow::ValueNode { override VarAccess astNode; - DataFlow::Node source; DictionaryTaintStep() { @@ -643,9 +642,7 @@ module TaintTracking { */ class ErrorConstructorTaintStep extends AdditionalTaintStep, DataFlow::InvokeNode { ErrorConstructorTaintStep() { - exists(string name | - this = DataFlow::globalVarRef(name).getAnInvocation() - | + exists(string name | this = DataFlow::globalVarRef(name).getAnInvocation() | name = "Error" or name = "EvalError" or name = "RangeError" or @@ -762,7 +759,6 @@ module TaintTracking { /** A check of the form `if(o[x] != undefined)`, which sanitizes `x` in its "then" branch. */ class UndefinedCheckSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode { Expr x; - override EqualityTest astNode; UndefinedCheckSanitizer() { @@ -806,7 +802,6 @@ module TaintTracking { */ class PositiveIndexOfSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode { MethodCallExpr indexOf; - override RelationalComparison astNode; PositiveIndexOfSanitizer() { @@ -827,21 +822,18 @@ module TaintTracking { } /** Gets a variable that is defined exactly once. */ - private Variable singleDef() { - strictcount(result.getADefinition()) = 1 - } + private Variable singleDef() { strictcount(result.getADefinition()) = 1 } /** A check of the form `if(x == 'some-constant')`, which sanitizes `x` in its "then" branch. */ class ConstantComparison extends AdditionalSanitizerGuardNode, DataFlow::ValueNode { Expr x; - override EqualityTest astNode; ConstantComparison() { - exists(Expr const | - astNode.hasOperands(x, const) | + exists(Expr const | astNode.hasOperands(x, const) | // either the other operand is a constant - const instanceof ConstantExpr or + const instanceof ConstantExpr + or // or it's an access to a variable that probably acts as a symbolic constant const = singleDef().getAnAccess() ) @@ -859,9 +851,7 @@ module TaintTracking { */ private class SanitizingFunction extends Function { DataFlow::ParameterNode sanitizedParameter; - SanitizerGuardNode sanitizer; - boolean sanitizerOutcome; SanitizingFunction() { @@ -927,7 +917,6 @@ module TaintTracking { */ private class PostMessageEventSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode { VarAccess event; - override EqualityTest astNode; PostMessageEventSanitizer() { diff --git a/javascript/ql/src/semmle/javascript/dataflow/TrackedNodes.qll b/javascript/ql/src/semmle/javascript/dataflow/TrackedNodes.qll index 6bbdf2a4fc4..bacd7f8519e 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/TrackedNodes.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/TrackedNodes.qll @@ -158,7 +158,7 @@ private module NodeTracking { returnExpr(f, nd, _) and summary = PathSummary::level() or - exists (DataFlow::Node mid, PathSummary oldSummary, PathSummary newSummary | + exists(DataFlow::Node mid, PathSummary oldSummary, PathSummary newSummary | flowStep(nd, mid, oldSummary) and reachesReturn(f, mid, newSummary) and summary = oldSummary.append(newSummary) @@ -210,12 +210,13 @@ private module NodeTracking { * Holds if property `prop` of `pred` may flow into `succ` along a path summarized by * `summary`. */ - private predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop, - PathSummary summary) { + private predicate loadStep( + DataFlow::Node pred, DataFlow::Node succ, string prop, PathSummary summary + ) { basicLoadStep(pred, succ, prop) and summary = PathSummary::level() or - exists (Function f, DataFlow::SourceNode parm | + exists(Function f, DataFlow::SourceNode parm | argumentPassing(succ, pred, f, parm) and reachesReturn(f, parm.getAPropertyRead(prop), summary) ) @@ -246,7 +247,7 @@ private module NodeTracking { private predicate flowThroughProperty( DataFlow::Node pred, DataFlow::Node succ, PathSummary summary ) { - exists (string prop, DataFlow::Node base, PathSummary oldSummary, PathSummary newSummary | + exists(string prop, DataFlow::Node base, PathSummary oldSummary, PathSummary newSummary | reachableFromStoreBase(prop, pred, base, oldSummary) and loadStep(base, succ, prop, newSummary) and summary = oldSummary.append(newSummary) diff --git a/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll index 9d5e21d0482..32d6e4f8c03 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll @@ -57,9 +57,7 @@ class AnalyzedNode extends DataFlow::Node { * instances is also performed. */ cached - AbstractValue getAValue() { - result = getALocalValue() - } + AbstractValue getAValue() { result = getALocalValue() } /** * INTERNAL: Do not use. diff --git a/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll index 8708f4ce37b..b4f7f3a6bbe 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll @@ -144,7 +144,6 @@ private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalPropertyNa */ class TypeTracker extends TTypeTracker { Boolean hasCall; - string prop; TypeTracker() { this = MkTypeTracker(hasCall, prop) } @@ -291,7 +290,6 @@ private newtype TTypeBackTracker = MkTypeBackTracker(Boolean hasReturn, Optional */ class TypeBackTracker extends TTypeBackTracker { Boolean hasReturn; - string prop; TypeBackTracker() { this = MkTypeBackTracker(hasReturn, prop) } diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll index 591a4ab2a1d..bea4ddc8511 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll @@ -78,9 +78,7 @@ private newtype TAccessPath = /** * A property access on an access path. */ - MkAccessStep(AccessPath base, PropertyName name) { - exists(namedPropAccess(base, name, _)) - } + MkAccessStep(AccessPath base, PropertyName name) { exists(namedPropAccess(base, name, _)) } /** * A representation of a (nested) property access on an SSA variable or captured variable diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll index 4d37dbb1775..85b15285fd8 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll @@ -402,6 +402,7 @@ private module CachedSteps { DataFlow::thisNode(f).hasPropertyWrite(prop, rhs) } } + import CachedSteps /** @@ -431,11 +432,8 @@ newtype TPathSummary = */ class PathSummary extends TPathSummary { Boolean hasReturn; - Boolean hasCall; - FlowLabel start; - FlowLabel end; PathSummary() { this = MkPathSummary(hasReturn, hasCall, start, end) } @@ -447,9 +445,7 @@ class PathSummary extends TPathSummary { boolean hasCall() { result = hasCall } /** Holds if the path represented by this summary contains no unmatched call or return steps. */ - predicate isLevel() { - hasReturn = false and hasCall = false - } + predicate isLevel() { hasReturn = false and hasCall = false } /** Gets the flow label describing the value at the start of this flow path. */ FlowLabel getStartLabel() { result = start } diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll index 4e29cdb15d4..d87825a5651 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll @@ -263,7 +263,8 @@ private class AnalyzedAmdImport extends AnalyzedPropertyRead, DataFlow::Node { requireCall = amd.getDefine().getARequireCall() and dep = requireCall.getAnArgument() and this = requireCall.flow() - ) | + ) + | required = dep.(Import).getImportedModule() ) } @@ -290,7 +291,6 @@ private class AnalyzedAmdParameter extends AnalyzedVarDef, @vardecl { */ private class AnalyzedValueExport extends AnalyzedPropertyWrite, DataFlow::ValueNode { ExportDeclaration export; - string name; AnalyzedValueExport() { this = export.getSourceNode(name) } @@ -307,9 +307,7 @@ private class AnalyzedValueExport extends AnalyzedPropertyWrite, DataFlow::Value */ private class AnalyzedVariableExport extends AnalyzedPropertyWrite, DataFlow::ValueNode { ExportDeclaration export; - string name; - AnalyzedVarDef varDef; AnalyzedVariableExport() { @@ -370,7 +368,6 @@ private class AnalyzedExportAssign extends AnalyzedPropertyWrite, DataFlow::Valu */ private class AnalyzedClosureExportAssign extends AnalyzedPropertyWrite, DataFlow::ValueNode { override AssignExpr astNode; - Closure::ClosureModule mod; AnalyzedClosureExportAssign() { astNode.getLhs() = mod.getExportsVariable().getAReference() } diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll index 9141a919265..d2243aeff7a 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll @@ -236,16 +236,13 @@ private class TypeInferredCalleeWithAnalyzedReturnFlow extends CallWithNonLocalA * Holds if `call` uses `receiver` as its only receiver value. */ pragma[noinline] -private predicate hasDefiniteReceiver( - DataFlow::MethodCallNode call, LocalObject receiver -) { +private predicate hasDefiniteReceiver(DataFlow::MethodCallNode call, LocalObject receiver) { call = receiver.getAMethodCall() and - exists (DataFlow::AnalyzedNode receiverNode, AbstractValue abstractCapturedReceiver | + exists(DataFlow::AnalyzedNode receiverNode, AbstractValue abstractCapturedReceiver | receiverNode = call.getReceiver() and not receiverNode.getALocalValue().isIndefinite(_) and abstractCapturedReceiver = receiver.analyze().getALocalValue() and - forall(DataFlow::AbstractValue v | - receiverNode.getALocalValue() = v | + forall(DataFlow::AbstractValue v | receiverNode.getALocalValue() = v | v = abstractCapturedReceiver ) ) @@ -276,4 +273,4 @@ private class TypeInferredMethodWithAnalyzedReturnFlow extends CallWithNonLocalA } override AnalyzedFunction getACallee() { result = fun } -} \ No newline at end of file +} diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/PropertyTypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/PropertyTypeInference.qll index ce0e035a49f..54e98769964 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/internal/PropertyTypeInference.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/internal/PropertyTypeInference.qll @@ -54,9 +54,7 @@ abstract class AnalyzedPropertyRead extends DataFlow::AnalyzedNode { */ private class AnalyzedPropertyAccess extends AnalyzedPropertyRead, DataFlow::ValueNode { override PropAccess astNode; - DataFlow::AnalyzedNode baseNode; - string propName; AnalyzedPropertyAccess() { diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll index 30bc42244d3..63d9c8e9563 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll @@ -43,9 +43,7 @@ private class AnalyzedSsaDefinitionNode extends AnalyzedNode, DataFlow::SsaDefin private class SsaDefinitionWithNonLocalFlow extends SsaExplicitDefinition { CallWithNonLocalAnalyzedReturnFlow source; - SsaDefinitionWithNonLocalFlow() { - source = getDef().getSource().flow() - } + SsaDefinitionWithNonLocalFlow() { source = getDef().getSource().flow() } CallWithNonLocalAnalyzedReturnFlow getSource() { result = source } } @@ -56,9 +54,7 @@ private class SsaDefinitionWithNonLocalFlow extends SsaExplicitDefinition { private class AnalyzedSsaDefinitionNodeWithNonLocalAnalysis extends AnalyzedSsaDefinitionNode { override SsaDefinitionWithNonLocalFlow ssa; - override AbstractValue getAValue() { - result = ssa.getSource().getAValue() - } + override AbstractValue getAValue() { result = ssa.getSource().getAValue() } } /** @@ -388,7 +384,6 @@ private predicate nodeBuiltins(Variable var, AbstractValue av) { */ private class AnalyzedGlobalVarUse extends DataFlow::AnalyzedValueNode { GlobalVariable gv; - AnalyzedGlobal agv; AnalyzedGlobalVarUse() { @@ -532,7 +527,6 @@ private class AnalyzedGlobal extends TAnalyzedGlobal { */ private class AnalyzedGlocal extends AnalyzedGlobal, TAnalyzedGlocal { GlobalVariable gv; - TopLevel tl; AnalyzedGlocal() { this = TAnalyzedGlocal(gv, tl) } diff --git a/javascript/ql/src/semmle/javascript/dependencies/SemVer.qll b/javascript/ql/src/semmle/javascript/dependencies/SemVer.qll index bca9ad72b7d..1d091e9219c 100644 --- a/javascript/ql/src/semmle/javascript/dependencies/SemVer.qll +++ b/javascript/ql/src/semmle/javascript/dependencies/SemVer.qll @@ -11,7 +11,6 @@ import semmle.javascript.dependencies.Dependencies */ class DependencySemVer extends string { Dependency dep; - string normalized; DependencySemVer() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll index 9e86f96c383..3bd386d6e17 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll @@ -132,7 +132,6 @@ DataFlow::CallNode moduleRef(AngularModule m) { class ModuleApiCall extends DataFlow::CallNode { /** The module on which the method is called. */ AngularModule mod; - /** The name of the called method. */ string methodName; @@ -146,7 +145,6 @@ class ModuleApiCall extends DataFlow::CallNode { class ModuleApiCallDependencyInjection extends DependencyInjection { ModuleApiCall call; - string methodName; ModuleApiCallDependencyInjection() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSExpressions.qll b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSExpressions.qll index 9b8cb303eca..191c8bf3268 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSExpressions.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSExpressions.qll @@ -65,7 +65,6 @@ private string getInterpolatedExpressionPattern() { result = "(?<=\\{\\{).*?(?=\ */ private class HtmlTextNodeAsNgSourceProvider extends NgSourceProvider, HTML::TextNode { string source; - int offset; HtmlTextNodeAsNgSourceProvider() { @@ -108,7 +107,6 @@ abstract private class HtmlAttributeAsNgSourceProvider extends NgSourceProvider, */ private class HtmlAttributeAsInterpolatedNgSourceProvider extends HtmlAttributeAsNgSourceProvider { string source; - int offset; HtmlAttributeAsInterpolatedNgSourceProvider() { @@ -149,9 +147,7 @@ private class HtmlAttributeAsPlainNgSourceProvider extends HtmlAttributeAsNgSour */ private class TemplateFieldNgSourceProvider extends NgSourceProvider { AngularJS::GeneralDirective directive; - string source; - int offset; TemplateFieldNgSourceProvider() { @@ -365,6 +361,7 @@ private module Lexer { NgOpToken() { this = MkNgToken(_, _, any(NgOpTokenType t), _) } } } + private import Lexer /** @@ -814,6 +811,7 @@ private module Parser { TNgNumber(NgNumToken t) or TNgEmpty() } + private import Parser /** diff --git a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/DependencyInjections.qll b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/DependencyInjections.qll index 035166f9de2..247b133fdf6 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/DependencyInjections.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/DependencyInjections.qll @@ -126,7 +126,6 @@ private DataFlow::PropWrite getAPropertyDependencyInjection(Function function) { */ private class FunctionWithInjectProperty extends InjectableFunction { override Function astNode; - DataFlow::ArrayCreationNode dependencies; FunctionWithInjectProperty() { @@ -164,7 +163,6 @@ private class FunctionWithInjectProperty extends InjectableFunction { */ private class FunctionWithExplicitDependencyAnnotation extends InjectableFunction { DataFlow::FunctionNode function; - override ArrayExpr astNode; FunctionWithExplicitDependencyAnnotation() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/ServiceDefinitions.qll b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/ServiceDefinitions.qll index f39f2377723..217fb7ff975 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/ServiceDefinitions.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/ServiceDefinitions.qll @@ -252,7 +252,6 @@ abstract class CustomServiceDefinition extends DataFlow::Node { abstract class RecipeDefinition extends DataFlow::CallNode, CustomServiceDefinition, DependencyInjection { string methodName; - string name; RecipeDefinition() { @@ -327,7 +326,6 @@ private predicate isCustomServiceDefinitionOnProvider( */ class ControllerDefinition extends CustomSpecialServiceDefinition { string name; - DataFlow::SourceNode factoryFunction; ControllerDefinition() { @@ -348,7 +346,6 @@ class ControllerDefinition extends CustomSpecialServiceDefinition { */ class FilterDefinition extends CustomSpecialServiceDefinition { string name; - DataFlow::SourceNode factoryFunction; FilterDefinition() { @@ -373,7 +370,6 @@ class FilterDefinition extends CustomSpecialServiceDefinition { */ class DirectiveDefinition extends CustomSpecialServiceDefinition { string name; - DataFlow::SourceNode factoryFunction; DirectiveDefinition() { @@ -413,7 +409,6 @@ private class CustomDirectiveControllerDependencyInjection extends DependencyInj */ class ComponentDefinition extends CustomSpecialServiceDefinition { string name; - DataFlow::SourceNode config; ComponentDefinition() { @@ -441,7 +436,6 @@ class ComponentDefinition extends CustomSpecialServiceDefinition { */ class AnimationDefinition extends CustomSpecialServiceDefinition { string name; - DataFlow::SourceNode factoryFunction; AnimationDefinition() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/AsyncPackage.qll b/javascript/ql/src/semmle/javascript/frameworks/AsyncPackage.qll index c2b85f7c50c..3072e8d565a 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/AsyncPackage.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/AsyncPackage.qll @@ -72,7 +72,6 @@ module AsyncPackage { */ private class WaterfallNextTaskCall extends DataFlow::AdditionalPartialInvokeNode { Waterfall waterfall; - int n; WaterfallNextTaskCall() { this = getLastParameter(waterfall.getTask(n)).getACall() } diff --git a/javascript/ql/src/semmle/javascript/frameworks/Babel.qll b/javascript/ql/src/semmle/javascript/frameworks/Babel.qll index 1e3cd03b61f..4a66fdd6d10 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/Babel.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/Babel.qll @@ -53,7 +53,6 @@ module Babel { */ class Plugin extends JSONValue { Config cfg; - string pluginName; Plugin() { this = cfg.getPluginConfig(pluginName) } @@ -141,13 +140,9 @@ module Babel { */ private class BabelRootTransformedPathExpr extends PathExpr, Expr { RootImportConfig plugin; - string rawPath; - string prefix; - string mappedPrefix; - string suffix; BabelRootTransformedPathExpr() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll index 50b1be7188c..603a3ef3550 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll @@ -106,13 +106,13 @@ module ClientRequest { } /** - * Gets the name of an HTTP request method, in all-lowercase. - */ + * Gets the name of an HTTP request method, in all-lowercase. + */ private string httpMethodName() { result = any(HTTP::RequestMethodName m).toLowerCase() } /** - * A model of a URL request made using the `request` library. - */ + * A model of a URL request made using the `request` library. + */ class RequestUrlRequest extends ClientRequest::Range, DataFlow::CallNode { boolean promise; @@ -145,10 +145,9 @@ module ClientRequest { /** Gets the response type from the options passed in. */ string getResponseType() { - if getOptionArgument(1, "json").mayHaveBooleanValue(true) then - result = "json" - else - result = "text" + if getOptionArgument(1, "json").mayHaveBooleanValue(true) + then result = "json" + else result = "text" } override DataFlow::Node getAResponseDataNode(string responseType, boolean pr) { @@ -161,28 +160,26 @@ module ClientRequest { promise = false and pr = false and ( - result = getCallback([1..2]).getParameter(2) + result = getCallback([1 .. 2]).getParameter(2) or - result = getCallback([1..2]).getParameter(1).getAPropertyRead("body") + result = getCallback([1 .. 2]).getParameter(1).getAPropertyRead("body") ) or responseType = "error" and promise = false and pr = false and - result = getCallback([1..2]).getParameter(0) + result = getCallback([1 .. 2]).getParameter(0) } override DataFlow::Node getADataNode() { result = getArgument(1) } } /** Gets the string `url` or `uri`. */ - private string urlPropertyName() { - result = "url" or result = "uri" - } + private string urlPropertyName() { result = "url" or result = "uri" } /** - * A model of a URL request made using the `axios` library. - */ + * A model of a URL request made using the `axios` library. + */ class AxiosUrlRequest extends ClientRequest::Range { string method; @@ -256,8 +253,8 @@ module ClientRequest { } /** - * A model of a URL request made using an implementation of the `fetch` API. - */ + * A model of a URL request made using an implementation of the `fetch` API. + */ class FetchUrlRequest extends ClientRequest::Range { DataFlow::Node url; @@ -292,8 +289,8 @@ module ClientRequest { } /** - * A model of a URL request made using the `got` library. - */ + * A model of a URL request made using the `got` library. + */ class GotUrlRequest extends ClientRequest::Range { GotUrlRequest() { exists(string moduleName, DataFlow::SourceNode callee | this = callee.getACall() | @@ -333,28 +330,29 @@ module ClientRequest { } /** Holds if the result is a JSON object. */ - predicate isJson() { - getOptionArgument(1, "json").mayHaveBooleanValue(true) - } + predicate isJson() { getOptionArgument(1, "json").mayHaveBooleanValue(true) } override DataFlow::Node getAResponseDataNode(string responseType, boolean promise) { result = this and - if isStream() then ( + if isStream() + then responseType = "stream" and promise = false - ) else if isJson() then ( - responseType = "json" and - promise = true - ) else ( - responseType = "text" and - promise = true - ) + else + if isJson() + then ( + responseType = "json" and + promise = true + ) else ( + responseType = "text" and + promise = true + ) } } /** - * A model of a URL request made using the `superagent` library. - */ + * A model of a URL request made using the `superagent` library. + */ class SuperAgentUrlRequest extends ClientRequest::Range { DataFlow::Node url; @@ -460,7 +458,8 @@ module ClientRequest { ) or exists(string method | result = getAnAlias().getAMethodCall(method) | - method = "getAllResponseHeaders" and responseType = "headers" or + method = "getAllResponseHeaders" and responseType = "headers" + or method = "getResponseHeader" and responseType = "header" ) ) @@ -468,14 +467,14 @@ module ClientRequest { } /** - * A model of a URL request made using the `XhrIo` class from the closure library. - */ + * A model of a URL request made using the `XhrIo` class from the closure library. + */ class ClosureXhrIoRequest extends ClientRequest::Range { DataFlow::SourceNode base; boolean static; ClosureXhrIoRequest() { - exists (DataFlow::SourceNode xhrIo | xhrIo = Closure::moduleImport("goog.net.XhrIo") | + exists(DataFlow::SourceNode xhrIo | xhrIo = Closure::moduleImport("goog.net.XhrIo") | static = true and base = xhrIo and this = xhrIo.getAMethodCall("send") @@ -490,9 +489,7 @@ module ClientRequest { override DataFlow::Node getHost() { none() } - override DataFlow::Node getADataNode() { - result = getArgument([2 .. 3]) - } + override DataFlow::Node getADataNode() { result = getArgument([2 .. 3]) } /** Gets an event listener with `this` bound to this object. */ DataFlow::FunctionNode getAnEventListener() { @@ -550,5 +547,4 @@ module ClientRequest { ) } } - } diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClosureLibrary.qll b/javascript/ql/src/semmle/javascript/frameworks/ClosureLibrary.qll index 74c8787c7fa..b220c05dbc2 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/ClosureLibrary.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/ClosureLibrary.qll @@ -11,10 +11,10 @@ module ClosureLibrary { Node pred; StringStep() { - exists (string name | this = Closure::moduleImport("goog.string." + name).getACall() | + exists(string name | this = Closure::moduleImport("goog.string." + name).getACall() | pred = getAnArgument() and ( - name = "canonicalizeNewlines" or + name = "canonicalizeNewlines" or name = "capitalize" or name = "collapseBreakingSpaces" or name = "collapseWhitespace" or diff --git a/javascript/ql/src/semmle/javascript/frameworks/ComposedFunctions.qll b/javascript/ql/src/semmle/javascript/frameworks/ComposedFunctions.qll index 4885e9b6512..7f56771b8a8 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/ComposedFunctions.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/ComposedFunctions.qll @@ -30,7 +30,6 @@ private class ComposedFunction extends DataFlow::CallNode { */ private class ComposedFunctionTaintStep extends TaintTracking::AdditionalTaintStep { ComposedFunction composed; - DataFlow::CallNode call; ComposedFunctionTaintStep() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/Connect.qll b/javascript/ql/src/semmle/javascript/frameworks/Connect.qll index dd5da051650..bd2c17589d8 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/Connect.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/Connect.qll @@ -125,9 +125,7 @@ module Connect { t.start() and result = getARouteHandlerExpr().flow().getALocalSource() or - exists(DataFlow::TypeBackTracker t2 | - result = getARouteHandler(t2).backtrack(t2, t) - ) + exists(DataFlow::TypeBackTracker t2 | result = getARouteHandler(t2).backtrack(t2, t)) } override Expr getServer() { result = server } @@ -159,7 +157,6 @@ module Connect { */ private class RequestInputAccess extends HTTP::RequestInputAccess { RequestExpr request; - string kind; RequestInputAccess() { @@ -181,10 +178,7 @@ module Connect { */ private class TrackedRouteHandlerCandidateWithSetup extends RouteHandler, HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode { - - TrackedRouteHandlerCandidateWithSetup() { - this = any(RouteSetup s).getARouteHandler() - } + TrackedRouteHandlerCandidateWithSetup() { this = any(RouteSetup s).getARouteHandler() } override SimpleParameter getRouteHandlerParameter(string kind) { result = getRouteHandlerParameter(astNode, kind) diff --git a/javascript/ql/src/semmle/javascript/frameworks/CryptoLibraries.qll b/javascript/ql/src/semmle/javascript/frameworks/CryptoLibraries.qll index cc239efd570..624040db386 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/CryptoLibraries.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/CryptoLibraries.qll @@ -81,6 +81,7 @@ private module AlgorithmNames { predicate isWeakPasswordHashingAlgorithm(string name) { none() } } + private import AlgorithmNames /** @@ -135,7 +136,6 @@ abstract class CryptographicAlgorithm extends TCryptographicAlgorithm { */ class HashingAlgorithm extends MkHashingAlgorithm, CryptographicAlgorithm { string name; - boolean isWeak; HashingAlgorithm() { this = MkHashingAlgorithm(name, isWeak) } @@ -150,7 +150,6 @@ class HashingAlgorithm extends MkHashingAlgorithm, CryptographicAlgorithm { */ class EncryptionAlgorithm extends MkEncryptionAlgorithm, CryptographicAlgorithm { string name; - boolean isWeak; EncryptionAlgorithm() { this = MkEncryptionAlgorithm(name, isWeak) } @@ -165,7 +164,6 @@ class EncryptionAlgorithm extends MkEncryptionAlgorithm, CryptographicAlgorithm */ class PasswordHashingAlgorithm extends MkPasswordHashingAlgorithm, CryptographicAlgorithm { string name; - boolean isWeak; PasswordHashingAlgorithm() { this = MkPasswordHashingAlgorithm(name, isWeak) } @@ -210,7 +208,6 @@ class CryptographicKeyCredentialsExpr extends CredentialsExpr { private module AsmCrypto { private class Apply extends CryptographicOperation { Expr input; - CryptographicAlgorithm algorithm; // non-functional Apply() { @@ -250,7 +247,6 @@ private module BrowserIdCrypto { private class Apply extends CryptographicOperation { CryptographicAlgorithm algorithm; // non-functional - MethodCallExpr mce; Apply() { @@ -424,7 +420,6 @@ private module CryptoJS { private class Apply extends CryptographicOperation { Expr input; - CryptographicAlgorithm algorithm; // non-functional Apply() { @@ -463,9 +458,7 @@ private module CryptoJS { private module TweetNaCl { private class Apply extends CryptographicOperation { Expr input; - CryptographicAlgorithm algorithm; - MethodCallExpr mce; Apply() { @@ -527,9 +520,7 @@ private module HashJs { private class Apply extends CryptographicOperation { Expr input; - CryptographicAlgorithm algorithm; // non-functional - MethodCallExpr mce; Apply() { @@ -572,7 +563,6 @@ private module Forge { private class KeyCipher extends Cipher { DataFlow::Node key; - CryptographicAlgorithm algorithm; // non-functional KeyCipher() { @@ -631,9 +621,7 @@ private module Forge { private class Apply extends CryptographicOperation { Expr input; - CryptographicAlgorithm algorithm; // non-functional - MethodCallExpr mce; Apply() { @@ -661,9 +649,7 @@ private module Forge { private module Md5 { private class Apply extends CryptographicOperation { Expr input; - CryptographicAlgorithm algorithm; - CallExpr call; Apply() { @@ -689,9 +675,7 @@ private module Md5 { private module Bcrypt { private class Apply extends CryptographicOperation { Expr input; - CryptographicAlgorithm algorithm; - MethodCallExpr mce; Apply() { @@ -726,9 +710,7 @@ private module Bcrypt { private module Hasha { private class Apply extends CryptographicOperation { Expr input; - CryptographicAlgorithm algorithm; - CallExpr call; Apply() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/Electron.qll b/javascript/ql/src/semmle/javascript/frameworks/Electron.qll index 84373662a24..686891277cc 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/Electron.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/Electron.qll @@ -102,7 +102,6 @@ module Electron { */ class Callback extends DataFlow::FunctionNode { DataFlow::Node channel; - Process process; Callback() { @@ -139,11 +138,8 @@ module Electron { */ class DirectMessage extends Message { DataFlow::MethodCallNode mc; - Process process; - DataFlow::Node channel; - boolean isSync; DirectMessage() { @@ -178,7 +174,6 @@ module Electron { */ class AsyncReplyMessage extends Message { Callback callback; - DataFlow::Node channel; AsyncReplyMessage() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll index b33baa26a4e..bb3ba39b3f1 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll @@ -35,9 +35,7 @@ module Express { /** * Holds if `e` may refer to the given `router` object. */ - private predicate isRouter(Expr e, RouterDefinition router) { - router.flowsTo(e) - } + private predicate isRouter(Expr e, RouterDefinition router) { router.flowsTo(e) } /** * Holds if `e` may refer to a router object. @@ -161,7 +159,6 @@ module Express { */ class RouteHandlerExpr extends Expr { RouteSetup setup; - int index; RouteHandlerExpr() { this = setup.getRouteHandlerExpr(index) } @@ -337,8 +334,7 @@ module Express { } /** An Express response source. */ - abstract private class ResponseSource extends HTTP::Servers::ResponseSource { - } + abstract private class ResponseSource extends HTTP::Servers::ResponseSource { } /** * An Express response source, that is, the response parameter of a @@ -363,16 +359,13 @@ module Express { * An Express response source, based on static type information. */ private class TypedResponseSource extends ResponseSource { - TypedResponseSource() { - hasUnderlyingType("express", "Response") - } + TypedResponseSource() { hasUnderlyingType("express", "Response") } override RouteHandler getRouteHandler() { none() } // Not known. } /** An Express request source. */ - abstract private class RequestSource extends HTTP::Servers::RequestSource { - } + abstract private class RequestSource extends HTTP::Servers::RequestSource { } /** * An Express request source, that is, the request parameter of a @@ -393,9 +386,7 @@ module Express { * An Express request source, based on static type information. */ private class TypedRequestSource extends RequestSource { - TypedRequestSource() { - hasUnderlyingType("express", "Request") - } + TypedRequestSource() { hasUnderlyingType("express", "Request") } override RouteHandler getRouteHandler() { none() } // Not known. } @@ -419,7 +410,6 @@ module Express { */ class RequestInputAccess extends HTTP::RequestInputAccess { RouteHandler rh; - string kind; RequestInputAccess() { @@ -593,7 +583,6 @@ module Express { */ class SetMultipleHeaders extends ExplicitHeader, DataFlow::ValueNode { override MethodCallExpr astNode; - RouteHandler rh; SetMultipleHeaders() { @@ -704,9 +693,7 @@ module Express { t.start() and result = DataFlow::exprNode(this) or - exists(string name | - result = ref(t.continue()).getAMethodCall(name) - | + exists(string name | result = ref(t.continue()).getAMethodCall(name) | name = "route" or name = routeSetupMethodName() ) @@ -717,9 +704,7 @@ module Express { /** * Holds if `sink` may refer to this router. */ - predicate flowsTo(Expr sink) { - ref(DataFlow::TypeTracker::end()).flowsToExpr(sink) - } + predicate flowsTo(Expr sink) { ref(DataFlow::TypeTracker::end()).flowsToExpr(sink) } /** * Gets a `RouteSetup` that was used for setting up a route on this router. diff --git a/javascript/ql/src/semmle/javascript/frameworks/Firebase.qll b/javascript/ql/src/semmle/javascript/frameworks/Firebase.qll index c1671f778af..d1ced246694 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/Firebase.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/Firebase.qll @@ -1,6 +1,7 @@ /** * Provides classes and predicates for reasoning about code using the Firebase API. */ + import javascript module Firebase { @@ -15,15 +16,11 @@ module Firebase { result = DataFlow::globalVarRef("firebase") ) or - exists (DataFlow::TypeTracker t2 | - result = firebase(t2).track(t2, t) - ) + exists(DataFlow::TypeTracker t2 | result = firebase(t2).track(t2, t)) } /** Gets a reference to the `firebase/app` or `firebase-admin` API object. */ - DataFlow::SourceNode firebase() { - result = firebase(DataFlow::TypeTracker::end()) - } + DataFlow::SourceNode firebase() { result = firebase(DataFlow::TypeTracker::end()) } /** Gets a reference to a Firebase app created with `initializeApp`. */ private DataFlow::SourceNode initApp(DataFlow::TypeTracker t) { @@ -33,9 +30,7 @@ module Firebase { t.start() and result.hasUnderlyingType("firebase", "app.App") or - exists (DataFlow::TypeTracker t2 | - result = initApp(t2).track(t2, t) - ) + exists(DataFlow::TypeTracker t2 | result = initApp(t2).track(t2, t)) } /** @@ -43,11 +38,11 @@ module Firebase { * app created explicitly with `initializeApp()`. */ DataFlow::SourceNode app() { - result = firebase(DataFlow::TypeTracker::end()) or result = initApp(DataFlow::TypeTracker::end()) + result = firebase(DataFlow::TypeTracker::end()) or + result = initApp(DataFlow::TypeTracker::end()) } module Database { - /** Gets a reference to a Firebase database object, such as `firebase.database()`. */ private DataFlow::SourceNode database(DataFlow::TypeTracker t) { result = app().getAMethodCall("database") and t.start() @@ -55,31 +50,27 @@ module Firebase { t.start() and result.hasUnderlyingType("firebase", "database.Database") or - exists (DataFlow::TypeTracker t2 | - result = database(t2).track(t2, t) - ) + exists(DataFlow::TypeTracker t2 | result = database(t2).track(t2, t)) } /** Gets a reference to a Firebase database object, such as `firebase.database()`. */ - DataFlow::SourceNode database() { - result = database(DataFlow::TypeTracker::end()) - } + DataFlow::SourceNode database() { result = database(DataFlow::TypeTracker::end()) } /** Gets a node that refers to a `Reference` object, such as `firebase.database().ref()`. */ private DataFlow::SourceNode ref(DataFlow::TypeTracker t) { t.start() and ( - exists (string name | result = database().getAMethodCall(name) | + exists(string name | result = database().getAMethodCall(name) | name = "ref" or name = "refFromURL" ) or - exists (string name | result = ref().getAMethodCall(name) | + exists(string name | result = ref().getAMethodCall(name) | name = "push" or name = "child" ) or - exists (string name | result = ref().getAPropertyRead(name) | + exists(string name | result = ref().getAPropertyRead(name) | name = "parent" or name = "root" ) @@ -89,15 +80,11 @@ module Firebase { result.hasUnderlyingType("firebase", "database.Reference") ) or - exists (DataFlow::TypeTracker t2 | - result = ref(t2).track(t2, t) - ) + exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t)) } /** Gets a node that refers to a `Reference` object, such as `firebase.database().ref()`. */ - DataFlow::SourceNode ref() { - result = ref(DataFlow::TypeTracker::end()) - } + DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) } /** Gets a node that refers to a `Query` or `Reference` object. */ private DataFlow::SourceNode query(DataFlow::TypeTracker t) { @@ -105,7 +92,7 @@ module Firebase { ( result = ref(t) // a Reference can be used as a Query or - exists (string name | result = query().getAMethodCall(name) | + exists(string name | result = query().getAMethodCall(name) | name = "endAt" or name = "limitTo" + any(string s) or name = "orderBy" + any(string s) or @@ -115,15 +102,11 @@ module Firebase { result.hasUnderlyingType("firebase", "database.Query") ) or - exists (DataFlow::TypeTracker t2 | - result = query(t2).track(t2, t) - ) + exists(DataFlow::TypeTracker t2 | result = query(t2).track(t2, t)) } /** Gets a node that refers to a `Query` or `Reference` object. */ - DataFlow::SourceNode query() { - result = query(DataFlow::TypeTracker::end()) - } + DataFlow::SourceNode query() { result = query(DataFlow::TypeTracker::end()) } /** * A call of form `query.on(...)` or `query.once(...)`. @@ -137,9 +120,7 @@ module Firebase { /** * Gets the argument in which the callback is passed. */ - DataFlow::Node getCallbackNode() { - result = getArgument(1) - } + DataFlow::Node getCallbackNode() { result = getArgument(1) } } /** @@ -149,9 +130,7 @@ module Firebase { t.start() and result = ref().getAMethodCall("transaction").getArgument(0).getALocalSource() or - exists (DataFlow::TypeBackTracker t2 | - result = transactionCallback(t2).backtrack(t2, t) - ) + exists(DataFlow::TypeBackTracker t2 | result = transactionCallback(t2).backtrack(t2, t)) } /** @@ -172,45 +151,33 @@ module Firebase { t.start() and result = DataFlow::moduleImport("firebase-functions") or - exists (DataFlow::TypeTracker t2 | - result = namespace(t2).track(t2, t) - ) + exists(DataFlow::TypeTracker t2 | result = namespace(t2).track(t2, t)) } /** Gets a reference to the Cloud Functions namespace. */ - DataFlow::SourceNode namespace() { - result = namespace(DataFlow::TypeTracker::end()) - } + DataFlow::SourceNode namespace() { result = namespace(DataFlow::TypeTracker::end()) } /** Gets a reference to a Cloud Functions database object. */ private DataFlow::SourceNode database(DataFlow::TypeTracker t) { t.start() and result = namespace().getAPropertyRead("database") or - exists (DataFlow::TypeTracker t2 | - result = database(t2).track(t2, t) - ) + exists(DataFlow::TypeTracker t2 | result = database(t2).track(t2, t)) } /** Gets a reference to a Cloud Functions database object. */ - DataFlow::SourceNode database() { - result = database(DataFlow::TypeTracker::end()) - } + DataFlow::SourceNode database() { result = database(DataFlow::TypeTracker::end()) } /** Gets a data flow node holding a `RefBuilder` object. */ private DataFlow::SourceNode refBuilder(DataFlow::TypeTracker t) { t.start() and result = database().getAMethodCall("ref") or - exists (DataFlow::TypeTracker t2 | - result = refBuilder(t2).track(t2, t) - ) + exists(DataFlow::TypeTracker t2 | result = refBuilder(t2).track(t2, t)) } /** Gets a data flow node holding a `RefBuilder` object. */ - DataFlow::SourceNode ref() { - result = refBuilder(DataFlow::TypeTracker::end()) - } + DataFlow::SourceNode ref() { result = refBuilder(DataFlow::TypeTracker::end()) } /** Gets a call that registers a listener on a `RefBuilder`, such as `ref.onCreate(...)`. */ class RefBuilderListenCall extends DataFlow::MethodCallNode { @@ -222,16 +189,16 @@ module Firebase { /** * Gets the data flow node holding the listener callback. */ - DataFlow::Node getCallbackNode() { - result = getArgument(0) - } + DataFlow::Node getCallbackNode() { result = getArgument(0) } } /** * A call to a Firebase method that sets up a route. */ private class RouteSetup extends HTTP::Servers::StandardRouteSetup, CallExpr { - RouteSetup() { this = namespace().getAPropertyRead("https").getAMemberCall("onRequest").asExpr() } + RouteSetup() { + this = namespace().getAPropertyRead("https").getAMemberCall("onRequest").asExpr() + } override DataFlow::SourceNode getARouteHandler() { result = getARouteHandler(DataFlow::TypeBackTracker::end()) @@ -251,15 +218,15 @@ module Firebase { * A function used as a route handler. */ private class RouteHandler extends Express::RouteHandler, HTTP::Servers::StandardRouteHandler, - DataFlow::ValueNode { + DataFlow::ValueNode { RouteHandler() { this = any(RouteSetup setup).getARouteHandler() } override SimpleParameter getRouteHandlerParameter(string kind) { - kind = "request" and result = this.(DataFlow::FunctionNode).getParameter(0).getParameter() or + kind = "request" and result = this.(DataFlow::FunctionNode).getParameter(0).getParameter() + or kind = "response" and result = this.(DataFlow::FunctionNode).getParameter(1).getParameter() } } - } /** @@ -273,9 +240,7 @@ module Firebase { result = any(CloudFunctions::RefBuilderListenCall call).getCallbackNode().getALocalSource() ) or - exists (DataFlow::TypeBackTracker t2 | - result = snapshotCallback(t2).backtrack(t2, t) - ) + exists(DataFlow::TypeBackTracker t2 | result = snapshotCallback(t2).backtrack(t2, t)) } /** @@ -300,7 +265,7 @@ module Firebase { or result = snapshot().getAMethodCall("forEach").getCallback(0).getParameter(0) or - exists (string prop | result = snapshot().getAPropertyRead(prop) | + exists(string prop | result = snapshot().getAPropertyRead(prop) | prop = "before" or // only defined on Change objects prop = "after" ) @@ -310,25 +275,21 @@ module Firebase { or promiseTaintStep(snapshot(t), result) or - exists (DataFlow::TypeTracker t2 | - result = snapshot(t2).track(t2, t) - ) + exists(DataFlow::TypeTracker t2 | result = snapshot(t2).track(t2, t)) } /** * Gets a node that refers to a `DataSnapshot` value, such as `x` in * `firebase.database().ref().on('value', x => {...})`. */ - DataFlow::SourceNode snapshot() { - result = snapshot(DataFlow::TypeTracker::end()) - } + DataFlow::SourceNode snapshot() { result = snapshot(DataFlow::TypeTracker::end()) } /** * A reference to a value obtained from a Firebase database. */ class FirebaseVal extends RemoteFlowSource { FirebaseVal() { - exists (string name | this = snapshot().getAMethodCall(name) | + exists(string name | this = snapshot().getAMethodCall(name) | name = "val" or name = "exportVal" ) @@ -336,8 +297,6 @@ module Firebase { this = Database::transactionCallback().(DataFlow::FunctionNode).getParameter(0) } - override string getSourceType() { - result = "Firebase database" - } + override string getSourceType() { result = "Firebase database" } } } diff --git a/javascript/ql/src/semmle/javascript/frameworks/Hapi.qll b/javascript/ql/src/semmle/javascript/frameworks/Hapi.qll index 2ace343d6ff..a04cb79c73b 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/Hapi.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/Hapi.qll @@ -82,7 +82,6 @@ module Hapi { */ private class RequestInputAccess extends HTTP::RequestInputAccess { RouteHandler rh; - string kind; RequestInputAccess() { @@ -176,7 +175,6 @@ module Hapi { */ class RouteSetup extends MethodCallExpr, HTTP::Servers::StandardRouteSetup { ServerDefinition server; - Expr handler; RouteSetup() { @@ -200,9 +198,7 @@ module Hapi { t.start() and result = handler.flow().getALocalSource() or - exists(DataFlow::TypeBackTracker t2 | - result = getARouteHandler(t2).backtrack(t2, t) - ) + exists(DataFlow::TypeBackTracker t2 | result = getARouteHandler(t2).backtrack(t2, t)) } Expr getRouteHandlerExpr() { result = handler } @@ -236,8 +232,6 @@ module Hapi { */ private class TrackedRouteHandlerCandidateWithSetup extends RouteHandler, HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode { - TrackedRouteHandlerCandidateWithSetup() { - this = any(RouteSetup s).getARouteHandler() - } + TrackedRouteHandlerCandidateWithSetup() { this = any(RouteSetup s).getARouteHandler() } } } diff --git a/javascript/ql/src/semmle/javascript/frameworks/Koa.qll b/javascript/ql/src/semmle/javascript/frameworks/Koa.qll index d8998eadb0d..ca38db8429e 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/Koa.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/Koa.qll @@ -1,4 +1,3 @@ - /** * Provides classes for working with [Koa](https://koajs.com) applications. */ @@ -91,17 +90,13 @@ module Koa { */ RouteHandler getRouteHandler() { result = rh } - predicate flowsTo(DataFlow::Node nd) { - ref(DataFlow::TypeTracker::end()).flowsTo(nd) - } + predicate flowsTo(DataFlow::Node nd) { ref(DataFlow::TypeTracker::end()).flowsTo(nd) } private DataFlow::SourceNode ref(DataFlow::TypeTracker t) { t.start() and result = this or - exists(DataFlow::TypeTracker t2 | - result = ref(t2).track(t2, t) - ) + exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t)) } } @@ -168,7 +163,6 @@ module Koa { */ private class RequestInputAccess extends HTTP::RequestInputAccess { RouteHandler rh; - string kind; RequestInputAccess() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/LodashUnderscore.qll b/javascript/ql/src/semmle/javascript/frameworks/LodashUnderscore.qll index 8037572385f..b900af99d1f 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/LodashUnderscore.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/LodashUnderscore.qll @@ -366,15 +366,12 @@ module LodashUnderscore { */ private class ExceptionStep extends DataFlow::CallNode, DataFlow::AdditionalFlowStep { ExceptionStep() { - exists(string name | - this = member(name).getACall() - | + exists(string name | this = member(name).getACall() | // Members ending with By, With, or While indicate that they are a variant of // another function that takes a callback. name.matches("%By") or name.matches("%With") or name.matches("%While") or - // Other members that don't fit the above pattern. name = "each" or name = "eachRight" or diff --git a/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll b/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll index ee919f00817..7703ea617d9 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll @@ -53,7 +53,6 @@ private module MongoDB { /** A call to a MongoDB query method. */ private class QueryCall extends DatabaseAccess, DataFlow::ValueNode { override MethodCallExpr astNode; - int queryArgIdx; QueryCall() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll index 39858e229ac..8c74ef277df 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll @@ -136,7 +136,6 @@ module NodeJSLib { */ private class RequestInputAccess extends HTTP::RequestInputAccess { RequestExpr request; - string kind; RequestInputAccess() { @@ -190,7 +189,6 @@ module NodeJSLib { class RouteSetup extends CallExpr, HTTP::Servers::StandardRouteSetup { ServerDefinition server; - Expr handler; RouteSetup() { @@ -527,7 +525,6 @@ module NodeJSLib { */ private class FileStreamRead extends FileSystemReadAccess, DataFlow::CallNode { NodeJSFileSystemAccess stream; - string method; FileStreamRead() { @@ -773,7 +770,6 @@ module NodeJSLib { */ class ClientRequestHandler extends DataFlow::FunctionNode { string handledEvent; - NodeJSClientRequest clientRequest; ClientRequestHandler() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/PropertyProjection.qll b/javascript/ql/src/semmle/javascript/frameworks/PropertyProjection.qll index e05522a8ee1..8f031c81c33 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/PropertyProjection.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/PropertyProjection.qll @@ -70,9 +70,7 @@ deprecated class CustomPropertyProjection = PropertyProjection::Range; */ private class SimplePropertyProjection extends PropertyProjection::Range { int objectIndex; - int selectorIndex; - boolean singleton; SimplePropertyProjection() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/React.qll b/javascript/ql/src/semmle/javascript/frameworks/React.qll index 742f0d969ea..ec2f01f800d 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/React.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/React.qll @@ -463,7 +463,6 @@ private class CreateElementDefinition extends ReactElementDefinition { */ private class FactoryDefinition extends ReactElementDefinition { DataFlow::MethodCallNode factory; - DataFlow::CallNode call; FactoryDefinition() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/Restify.qll b/javascript/ql/src/semmle/javascript/frameworks/Restify.qll index e42f19bf42a..98751256f24 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/Restify.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/Restify.qll @@ -87,7 +87,6 @@ module Restify { */ private class RequestInputAccess extends HTTP::RequestInputAccess { RequestExpr request; - string kind; RequestInputAccess() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll index 0bdc8e9036e..e598352cacd 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll @@ -14,7 +14,6 @@ module SQL { */ abstract class SqlSanitizer extends Expr { Expr input; - Expr output; /** Gets the input expression being sanitized. */ diff --git a/javascript/ql/src/semmle/javascript/frameworks/ShellJS.qll b/javascript/ql/src/semmle/javascript/frameworks/ShellJS.qll index fffe01abdb1..257663a244d 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/ShellJS.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/ShellJS.qll @@ -1,6 +1,7 @@ /** * Models the `shelljs` library in terms of `FileSystemAccess` and `SystemCommandExecution`. */ + import javascript module ShellJS { @@ -171,12 +172,8 @@ module ShellJS { ) } - override DataFlow::Node getAPathArgument() { - result = getArgument(0) - } + override DataFlow::Node getAPathArgument() { result = getArgument(0) } - override DataFlow::Node getADataNode() { - result = getReceiver() - } + override DataFlow::Node getADataNode() { result = getReceiver() } } } diff --git a/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll b/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll index 6ae4b12675e..6b443a1eaf3 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll @@ -212,9 +212,7 @@ module SocketIO { string getEventName() { getArgument(0).mayHaveStringValue(result) } /** Gets the callback that handles data received from a client. */ - private DataFlow::FunctionNode getListener() { - result = getCallback(1) - } + private DataFlow::FunctionNode getListener() { result = getCallback(1) } /** Gets the `i`th parameter through which data is received from a client. */ DataFlow::SourceNode getReceivedItem(int i) { @@ -256,7 +254,6 @@ module SocketIO { */ class SendNode extends DataFlow::MethodCallNode { DataFlow::SourceNode base; - int firstDataIndex; SendNode() { @@ -370,7 +367,6 @@ module SocketIO { /** A socket.io namespace. */ class NamespaceObject extends TNamespace { ServerObject srv; - string path; NamespaceObject() { this = MkNamespace(srv, path) } @@ -488,9 +484,7 @@ module SocketIOClient { t.start() and result = getArgument(1).getALocalSource() or - exists(DataFlow::TypeBackTracker t2 | - result = getListener(t2).backtrack(t2, t) - ) + exists(DataFlow::TypeBackTracker t2 | result = getListener(t2).backtrack(t2, t)) } /** Gets the callback that handles data received from the server. */ @@ -527,7 +521,6 @@ module SocketIOClient { */ class SendNode extends DataFlow::MethodCallNode { SocketNode base; - int firstDataIndex; SendNode() { @@ -605,7 +598,6 @@ private module EventEmitter { /** A data flow step through socket.io sockets. */ private class SocketIoStep extends DataFlow::AdditionalFlowStep { DataFlow::Node pred; - DataFlow::Node succ; SocketIoStep() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/StringFormatters.qll b/javascript/ql/src/semmle/javascript/frameworks/StringFormatters.qll index fb93d866d07..42d8ce2f1b7 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/StringFormatters.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/StringFormatters.qll @@ -26,7 +26,6 @@ abstract class PrintfStyleCall extends DataFlow::CallNode { private class LibraryFormatter extends PrintfStyleCall { int formatIndex; - boolean returns; LibraryFormatter() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll b/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll index 9a67085c373..f02dabbeea6 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll @@ -377,7 +377,6 @@ private module ClosureLibraryUri { */ private class SetterCall extends DataFlow::MethodCallNode, UriLibraryStep { DataFlow::NewNode uri; - string name; SetterCall() { diff --git a/javascript/ql/src/semmle/javascript/frameworks/Vue.qll b/javascript/ql/src/semmle/javascript/frameworks/Vue.qll index b4dc2940e31..fdcddcedf9b 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/Vue.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/Vue.qll @@ -280,7 +280,6 @@ module Vue { */ class ExtendedInstance extends Instance, MkExtendedInstance { VueExtend extend; - DataFlow::NewNode sub; ExtendedInstance() { this = MkExtendedInstance(extend, sub) } diff --git a/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll b/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll index 67773551466..f5c7bd1a1bb 100644 --- a/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll +++ b/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll @@ -108,7 +108,6 @@ private class JQueryParseXmlCall extends XML::ParserInvocation { */ private class JQueryDomElementDefinition extends DOM::ElementDefinition, @callexpr { string tagName; - CallExpr call; JQueryDomElementDefinition() { @@ -147,7 +146,6 @@ abstract private class JQueryAttributeDefinition extends DOM::AttributeDefinitio */ private class JQueryAttributeDefinitionInElement extends JQueryAttributeDefinition { JQueryDomElementDefinition elt; - DataFlow::PropWrite pwn; JQueryAttributeDefinitionInElement() { @@ -205,7 +203,6 @@ private predicate bulkAttributeInit( */ private class JQueryAttrCall extends JQueryAttributeDefinition, @callexpr { JQueryDomElementDefinition elt; - DataFlow::PropWrite pwn; JQueryAttrCall() { diff --git a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll index d81bd9e439a..0436578b4b7 100644 --- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll +++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll @@ -69,6 +69,7 @@ module HeuristicNames { result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?