JS: Add decorator edges in API graphs and corresponding MaD tokens

2025-12-17 01:03:14 +01:00 · 2022-03-23 18:05:44 +01:00
parent e5f2b830f3
commit cf596a1856
7 changed files with 404 additions and 4 deletions
--- a/javascript/ql/test/library-tests/frameworks/data/test.js
+++ b/javascript/ql/test/library-tests/frameworks/data/test.js
@@ -104,3 +104,102 @@ function testFlowThroughReceiver() {
  sink(source.continue()); // NOT OK
  sink(source.blah()); // OK
 }
+
+@testlib.ClassDecorator
+class DecoratedClass {
+  returnValueIsSink() {
+    return source(); // NOT OK
+  }
+  inputIsSource(x) {
+    sink(x); // NOT OK
+  }
+}
+
+class OtherClass {
+  @testlib.FieldDecoratorSink
+  fieldSink;
+
+  @testlib.FieldDecoratorSink
+  static staticFieldSink;
+
+  @testlib.FieldDecoratorSource
+  fieldSource;
+
+  @testlib.FieldDecoratorSource
+  static staticFieldSource;
+
+  useFields() {
+    sink(this.fieldSource); // NOT OK
+    sink(OtherClass.staticFieldSource); // NOT OK
+    this.fieldSink = source(); // NOT OK
+    OtherClass.staticFieldSink = source(); // NOT OK
+
+    sink(this.staticFieldSource); // OK - not a valid field access
+    sink(OtherClass.fieldSource); // OK - not a valid field access
+    this.staticFieldSink = source(); // OK - not a valid field access
+    OtherClass.fieldSink = source(); // OK - not a valid field access
+  }
+
+  @testlib.FieldDecoratorSink
+  fieldSink2 = source(); // NOT OK
+
+  @testlib.FieldDecoratorSink
+  static staticFieldSink2 = source(); // NOT OK
+
+  @testlib.MethodDecorator
+  decoratedMethod(x) {
+    sink(x); // NOT OK
+    return source(); // NOT OK
+  }
+
+  @testlib.MethodDecorator
+  static decoratedStaticMethod(x) {
+    sink(x); // NOT OK
+    return source(); // NOT OK
+  }
+
+  @testlib.MethodDecoratorWithArgs({ something: true })
+  decoratedMethod2(x) {
+    sink(x); // NOT OK
+    return source(); // NOT OK
+  }
+
+  @testlib.FieldDecoratorSink
+  get sinkViaGetter() {
+    // If a field with this decorator should be seen as a sink it generally means the framework
+    // will read it and pass it to an underlying sink. Therefore the return value of its getter
+    // should be seen as a sink as well.
+    return source(); // NOT OK
+  }
+
+  @testlib.FieldDecoratorSource
+  set sourceViaSetter(x) {
+    sink(x); // NOT OK
+  }
+
+  get sinkViaGetterIndirect() {
+    // Same as 'sinkViaGetter', but where the decorator is placed on the corresponding setter
+    return source(); // NOT OK
+  }
+  @testlib.FieldDecoratorSink // indirectly decorate the getter above
+  set sinkViaGetterIndirect(x) {}
+
+  set sourceViaSetterIndirect(x) {
+    // Same as 'sourceViaSetter', but where the decorator is placed on the corresponding getter
+    sink(x); // NOT OK
+  }
+  @testlib.FieldDecoratorSource // indirectly decorate the setter above
+  get sourceViaSetterIndirect() {}
+
+  @testlib.FieldDecoratorSink
+  get accessorAroundField() {
+    return this._wrappedField; // OK - the alert occurs at the assignment to 'accessorAroundField'
+  }
+  set accessorAroundField(x) {
+    this._wrappedField = x;
+  }
+
+  useWrappedField() {
+    this.accessorAroundField = source(); // NOT OK
+  }
+}