From d5cc4cce7ed10c6fd36c7e6026f97a2a4db42ad6 Mon Sep 17 00:00:00 2001 From: Stephan Brandauer Date: Tue, 10 May 2022 11:11:08 +0200 Subject: [PATCH] add assignedToPropName feature to try to reduce FPs from assignments to obj.innerHTML --- .../EndpointFeatures.qll | 22 +++++++++++- .../FeatureValue.expected | 36 ++++++++++--------- 2 files changed, 41 insertions(+), 17 deletions(-) diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll index 01b14945925..2526c27c28c 100644 --- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll +++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll @@ -236,7 +236,8 @@ private newtype TEndpointFeature = TInputAccessPathFromCallee() or TInputArgumentIndex() or TContextFunctionInterfaces() or - TContextSurroundingFunctionParameters() + TContextSurroundingFunctionParameters() or + TAssignedToPropName() /** * An implementation of an endpoint feature: produces feature names and values for used in ML. @@ -472,6 +473,25 @@ class ContextSurroundingFunctionParameters extends EndpointFeature, } } +/** + * The feature that gives the name an endpoint is assigned to (if any). + * + * ### Example + * ```javascript + * const div = document.createElement('div'); + * div.innerHTML = endpoint; // feature value is 'innerHTML' + * ``` + */ +class AssignedToPropName extends EndpointFeature, TAssignedToPropName { + override string getName() { result = "assignedToPropName" } + + override string getValue(DataFlow::Node endpoint) { + exists(DataFlow::PropWrite w | w.getRhs().asExpr().getUnderlyingValue().flow() = endpoint | + result = w.getPropertyName() + ) + } +} + /** * The feature for the imports used in the callee of an invocation. * 
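Review bot: The QLDoc on `AssignedToPropName` describes only the `div.innerHTML = endpoint` case, but `getValue` matches any `DataFlow::PropWrite`. The updated FeatureValue.expected shows it also yielding `p` and `q` for endpoints whose `Input_AccessPathFromCallee` is `0.p` / `0.p.q`, which look like object-literal properties passed as call arguments. I would state that in the comment, e.g. `* The feature that gives the name of the property an endpoint is written to (by assignment or as an object-literal property), if that name is statically known.` Also, `getPropertyName()` only has a result when the name can be determined statically, so a computed write such as `el[name] = endpoint` gets no feature value and looks the same to the model as an endpoint that is not assigned at all. Since the feature is meant to separate `innerHTML`-style sinks from other writes, a one-line note on that gap above `getValue` would help whoever evaluates the false-positive numbers later.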
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/FeatureValue.expected b/javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/FeatureValue.expected index 487fcf65ca3..d3bf52fd516 100644 --- a/javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/FeatureValue.expected +++ b/javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/FeatureValue.expected @@ -4,7 +4,7 @@ | test.html:2:61:2:68 | endpoint | calleeAccessPath | | | test.html:2:61:2:68 | endpoint | calleeAccessPathWithStructuralInfo | | | test.html:2:61:2:68 | endpoint | calleeName | item | -| test.html:2:61:2:68 | endpoint | contextFunctionInterfacesInFile | | +| test.html:2:61:2:68 | endpoint | contextFunctionInterfaces | | | test.html:2:61:2:68 | endpoint | contextSurroundingFunctionParameters | | | test.html:2:61:2:68 | endpoint | fileImports | | | test.js:6:7:6:14 | endpoint | Callee_AccessPath | f | @@ -15,7 +15,7 @@ | test.js:6:7:6:14 | endpoint | calleeApiName | lib3 | | test.js:6:7:6:14 | endpoint | calleeImports | ? lib3 | | test.js:6:7:6:14 | endpoint | calleeName | f | -| test.js:6:7:6:14 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:6:7:6:14 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:6:7:6:14 | endpoint | contextSurroundingFunctionParameters | () | | test.js:6:7:6:14 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:6:7:6:14 | endpoint | enclosingFunctionName | | 
@@ -23,10 +23,11 @@ | test.js:7:11:7:18 | endpoint | Callee_AccessPath | f | | test.js:7:11:7:18 | endpoint | Input_AccessPathFromCallee | 0.p | | test.js:7:11:7:18 | endpoint | Input_ArgumentIndex | 0 | +| test.js:7:11:7:18 | endpoint | assignedToPropName | p | | test.js:7:11:7:18 | endpoint | calleeAccessPath | | | test.js:7:11:7:18 | endpoint | calleeAccessPathWithStructuralInfo | | | test.js:7:11:7:18 | endpoint | calleeImports | ? lib3 | -| test.js:7:11:7:18 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:7:11:7:18 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:7:11:7:18 | endpoint | contextSurroundingFunctionParameters | () | | test.js:7:11:7:18 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:7:11:7:18 | endpoint | enclosingFunctionName | | 
@@ -34,10 +35,11 @@ | test.js:8:15:8:22 | endpoint | Callee_AccessPath | f | | test.js:8:15:8:22 | endpoint | Input_AccessPathFromCallee | 0.p.q | | test.js:8:15:8:22 | endpoint | Input_ArgumentIndex | 0 | +| test.js:8:15:8:22 | endpoint | assignedToPropName | q | | test.js:8:15:8:22 | endpoint | calleeAccessPath | | | test.js:8:15:8:22 | endpoint | calleeAccessPathWithStructuralInfo | | | test.js:8:15:8:22 | endpoint | calleeImports | ? lib3 | -| test.js:8:15:8:22 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:8:15:8:22 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:8:15:8:22 | endpoint | contextSurroundingFunctionParameters | () | | test.js:8:15:8:22 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:8:15:8:22 | endpoint | enclosingFunctionName | | @@ -50,7 +52,7 @@ | test.js:9:9:9:16 | endpoint | calleeApiName | lib2 | | test.js:9:9:9:16 | endpoint | calleeImports | ? lib2 | | test.js:9:9:9:16 | endpoint | calleeName | m | -| test.js:9:9:9:16 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:9:9:9:16 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:9:9:9:16 | endpoint | contextSurroundingFunctionParameters | () | | test.js:9:9:9:16 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:9:9:9:16 | endpoint | enclosingFunctionName | | 
@@ -59,10 +61,11 @@ | test.js:10:13:10:20 | endpoint | Callee_AccessPath | o.m | | test.js:10:13:10:20 | endpoint | Input_AccessPathFromCallee | 0.p | | test.js:10:13:10:20 | endpoint | Input_ArgumentIndex | 0 | +| test.js:10:13:10:20 | endpoint | assignedToPropName | p | | test.js:10:13:10:20 | endpoint | calleeAccessPath | | | test.js:10:13:10:20 | endpoint | calleeAccessPathWithStructuralInfo | | | test.js:10:13:10:20 | endpoint | calleeImports | ? lib2 | -| test.js:10:13:10:20 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:10:13:10:20 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:10:13:10:20 | endpoint | contextSurroundingFunctionParameters | () | | test.js:10:13:10:20 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:10:13:10:20 | endpoint | enclosingFunctionName | | 
@@ -70,10 +73,11 @@ | test.js:11:17:11:24 | endpoint | Callee_AccessPath | o.m | | test.js:11:17:11:24 | endpoint | Input_AccessPathFromCallee | 0.p.q | | test.js:11:17:11:24 | endpoint | Input_ArgumentIndex | 0 | +| test.js:11:17:11:24 | endpoint | assignedToPropName | q | | test.js:11:17:11:24 | endpoint | calleeAccessPath | | | test.js:11:17:11:24 | endpoint | calleeAccessPathWithStructuralInfo | | | test.js:11:17:11:24 | endpoint | calleeImports | ? lib2 | -| test.js:11:17:11:24 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:11:17:11:24 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:11:17:11:24 | endpoint | contextSurroundingFunctionParameters | () | | test.js:11:17:11:24 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:11:17:11:24 | endpoint | enclosingFunctionName | | @@ -83,7 +87,7 @@ | test.js:12:11:12:18 | endpoint | calleeAccessPath | | | test.js:12:11:12:18 | endpoint | calleeAccessPathWithStructuralInfo | | | test.js:12:11:12:18 | endpoint | calleeImports | lib1 | -| test.js:12:11:12:18 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:12:11:12:18 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:12:11:12:18 | endpoint | contextSurroundingFunctionParameters | () | | test.js:12:11:12:18 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:12:11:12:18 | endpoint | enclosingFunctionName | | 
@@ -96,7 +100,7 @@ | test.js:13:17:13:24 | endpoint | calleeApiName | lib2 | | test.js:13:17:13:24 | endpoint | calleeImports | ? lib2 | | test.js:13:17:13:24 | endpoint | calleeName | m | -| test.js:13:17:13:24 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:13:17:13:24 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:13:17:13:24 | endpoint | contextSurroundingFunctionParameters | () | | test.js:13:17:13:24 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:13:17:13:24 | endpoint | enclosingFunctionName | | @@ -108,7 +112,7 @@ | test.js:14:9:14:16 | endpoint | calleeAccessPathWithStructuralInfo | lib3 instanceorreturn instanceorreturn | | test.js:14:9:14:16 | endpoint | calleeApiName | lib3 | | test.js:14:9:14:16 | endpoint | calleeImports | ? lib3 | -| test.js:14:9:14:16 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:14:9:14:16 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:14:9:14:16 | endpoint | contextSurroundingFunctionParameters | () | | test.js:14:9:14:16 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:14:9:14:16 | endpoint | enclosingFunctionName | | 
@@ -121,7 +125,7 @@ | test.js:15:12:15:19 | endpoint | calleeApiName | lib2 | | test.js:15:12:15:19 | endpoint | calleeImports | ? lib2 | | test.js:15:12:15:19 | endpoint | calleeName | m | -| test.js:15:12:15:19 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:15:12:15:19 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:15:12:15:19 | endpoint | contextSurroundingFunctionParameters | () | | test.js:15:12:15:19 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:15:12:15:19 | endpoint | enclosingFunctionName | | @@ -134,7 +138,7 @@ | test.js:16:16:16:23 | endpoint | calleeApiName | lib2 | | test.js:16:16:16:23 | endpoint | calleeImports | ? lib2 | | test.js:16:16:16:23 | endpoint | calleeName | m | -| test.js:16:16:16:23 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:16:16:16:23 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:16:16:16:23 | endpoint | contextSurroundingFunctionParameters | () | | test.js:16:16:16:23 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:16:16:16:23 | endpoint | enclosingFunctionName | | 
@@ -146,7 +150,7 @@ | test.js:17:15:17:22 | endpoint | calleeAccessPathWithStructuralInfo | lib1 member p instanceorreturn | | test.js:17:15:17:22 | endpoint | calleeApiName | lib1 | | test.js:17:15:17:22 | endpoint | calleeImports | lib1 | -| test.js:17:15:17:22 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:17:15:17:22 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:17:15:17:22 | endpoint | contextSurroundingFunctionParameters | () | | test.js:17:15:17:22 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:17:15:17:22 | endpoint | enclosingFunctionName | | @@ -159,7 +163,7 @@ | test.js:18:27:18:34 | endpoint | calleeApiName | foo | | test.js:18:27:18:34 | endpoint | calleeImports | foo | | test.js:18:27:18:34 | endpoint | calleeName | baz | -| test.js:18:27:18:34 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:18:27:18:34 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:18:27:18:34 | endpoint | contextSurroundingFunctionParameters | () | | test.js:18:27:18:34 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:18:27:18:34 | endpoint | enclosingFunctionName | | 
@@ -172,7 +176,7 @@ | test.js:20:13:20:20 | endpoint | calleeApiName | lib1 | | test.js:20:13:20:20 | endpoint | calleeImports | lib1 | | test.js:20:13:20:20 | endpoint | calleeName | bar | -| test.js:20:13:20:20 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:20:13:20:20 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:20:13:20:20 | endpoint | contextSurroundingFunctionParameters | () | | test.js:20:13:20:20 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:20:13:20:20 | endpoint | enclosingFunctionName | | @@ -183,7 +187,7 @@ | test.js:22:21:22:28 | endpoint | calleeAccessPathWithStructuralInfo | lib3 instanceorreturn | | test.js:22:21:22:28 | endpoint | calleeApiName | lib3 | | test.js:22:21:22:28 | endpoint | calleeImports | ? lib2 lib3 | -| test.js:22:21:22:28 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() | +| test.js:22:21:22:28 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() | | test.js:22:21:22:28 | endpoint | contextSurroundingFunctionParameters | () | | test.js:22:21:22:28 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint | | test.js:22:21:22:28 | endpoint | enclosingFunctionName | |