JavaScript: Introduce indices for sent/received items.

2026-04-24 00:05:14 +02:00 · 2019-02-28 10:27:03 +00:00
parent b47b26ca61
commit dc614ebefe
17 changed files with 63 additions and 47 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll
@@ -181,14 +181,17 @@ module SocketIO {
    /** Gets the event name associated with the data, if it can be determined. */
    string getEventName() { getArgument(0).mayHaveStringValue(result) }

-    /** Gets a data flow node representing data received from a client. */
-    DataFlow::SourceNode getAReceivedItem() {
-      exists(DataFlow::FunctionNode cb | cb = getCallback(1) and result = cb.getAParameter() |
+    /** Gets the `i`th parameter through which data is received from a client. */
+    DataFlow::SourceNode getReceivedItem(int i) {
+      exists(DataFlow::FunctionNode cb | cb = getCallback(1) and result = cb.getParameter(i) |
        // exclude last parameter if it looks like a callback
        result != cb.getLastParameter() or not exists(result.getAnInvocation())
      )
    }

+    /** Gets a data flow node representing data received from a client. */
+    DataFlow::SourceNode getAReceivedItem() { result = getReceivedItem(_) }
+
    /** Gets the acknowledgment callback, if any. */
    DataFlow::SourceNode getAck() {
      result = getCallback(1).getLastParameter() and
@@ -251,14 +254,19 @@ module SocketIO {
      if firstDataIndex = 1 then getArgument(0).mayHaveStringValue(result) else result = "message"
    }

-    /** Gets a data flow node representing data sent to the client. */
-    DataFlow::Node getASentItem() {
-      exists(int i | result = getArgument(i) and i >= firstDataIndex |
+    /** Gets the `i`th argument through which data is sent to the client. */
+    DataFlow::Node getSentItem(int i) {
+      result = getArgument(i + firstDataIndex) and
+      i >= 0 and
+      (
        // exclude last argument if it looks like a callback
        result != getLastArgument() or not exists(getAck())
      )
    }

+    /** Gets a data flow node representing data sent to the client. */
+    DataFlow::Node getASentItem() { result = getSentItem(_) }
+
    /** Gets the acknowledgment callback, if any. */
    DataFlow::FunctionNode getAck() {
      // acknowledgments are only available when sending through a socket
@@ -383,14 +391,17 @@ module SocketIOClient {
    /** Gets the event name associated with the data, if it can be determined. */
    string getEventName() { getArgument(0).mayHaveStringValue(result) }

-    /** Gets a data flow node representing data received from the server. */
-    DataFlow::SourceNode getAReceivedItem() {
-      exists(DataFlow::FunctionNode cb | cb = getCallback(1) and result = cb.getAParameter() |
+    /** Gets the `i`th parameter through which data is received from the server. */
+    DataFlow::SourceNode getReceivedItem(int i) {
+      exists(DataFlow::FunctionNode cb | cb = getCallback(1) and result = cb.getParameter(i) |
        // exclude the last parameter if it looks like a callback
        result != cb.getLastParameter() or not exists(result.getAnInvocation())
      )
    }

+    /** Gets a data flow node representing data received from the server. */
+    DataFlow::SourceNode getAReceivedItem() { result = getReceivedItem(_) }
+
    /** Gets the acknowledgment callback, if any. */
    DataFlow::SourceNode getAck() {
      result = getCallback(1).getLastParameter() and
@@ -433,14 +444,19 @@ module SocketIOClient {
      if firstDataIndex = 1 then getArgument(0).mayHaveStringValue(result) else result = "message"
    }

-    /** Gets a data flow node representing data sent to the server. */
-    DataFlow::Node getASentItem() {
-      exists(int i | result = getArgument(i) and i >= firstDataIndex |
+    /** Gets the `i`th argument through which data is sent to the server. */
+    DataFlow::Node getSentItem(int i) {
+      result = getArgument(i + firstDataIndex) and
+      i >= 0 and
+      (
        // exclude last argument if it looks like a callback
        result != getLastArgument() or not exists(getAck())
      )
    }

+    /** Gets a data flow node representing data sent to the server. */
+    DataFlow::Node getASentItem() { result = getSentItem(_) }
+
    /** Gets the acknowledgment callback, if any. */
    DataFlow::FunctionNode getAck() { result = getLastArgument().getALocalSource() }
  }