Merge branch 'main' into js/shared-dataflow

2026-05-03 04:39:29 +02:00 · 2024-06-25 11:48:41 +02:00
parent bd3fccd1a8 e0e5bdec8a
commit ecf418b8f6
2477 changed files with 100491 additions and 79725 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -1003,7 +1003,7 @@ module NodeJSLib {
      exists(ClientRequestLoginCallback callback | this = callback.getACall().getArgument(0))
    }

-    override string getCredentialsKind() { result = "Node.js http(s) client login username" }
+    override string getCredentialsKind() { result = "user name" }
  }

  /**
@@ -1014,7 +1014,7 @@ module NodeJSLib {
      exists(ClientRequestLoginCallback callback | this = callback.getACall().getArgument(1))
    }

-    override string getCredentialsKind() { result = "Node.js http(s) client login password" }
+    override string getCredentialsKind() { result = "password" }
  }

  /**
--- a/javascript/ql/lib/semmle/javascript/frameworks/ShellJS.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/ShellJS.qll
@@ -1,15 +1,29 @@
 /**
 * Models the `shelljs` library in terms of `FileSystemAccess` and `SystemCommandExecution`.
+ *
+ * https://www.npmjs.com/package/shelljs
 */

 import javascript

 module ShellJS {
+  private API::Node shellJSMember() {
+    result = API::moduleImport("shelljs")
+    or
+    result =
+      shellJSMember()
+          .getMember([
+              "exec", "cd", "cp", "touch", "chmod", "pushd", "find", "ls", "ln", "mkdir", "mv",
+              "rm", "cat", "head", "sort", "tail", "uniq", "grep", "sed", "to", "toEnd", "echo"
+            ])
+          .getReturn()
+  }
+
  /**
-   * Gets an import of the `shelljs` or `async-shelljs` module.
+   * Gets a function that can execute a shell command using the `shelljs` or `async-shelljs` modules.
   */
  DataFlow::SourceNode shelljs() {
-    result = DataFlow::moduleImport("shelljs") or
+    result = shellJSMember().asSource() or
    result = DataFlow::moduleImport("async-shelljs")
  }

@@ -39,7 +53,10 @@ module ShellJS {

    /** The `shelljs.exec` library modeled as a `shelljs` member. */
    private class ShellJsExec extends Range {
-      ShellJsExec() { this = DataFlow::moduleImport("shelljs.exec") }
+      ShellJsExec() {
+        this = DataFlow::moduleImport("shelljs.exec") or
+        this = shellJSMember().getMember("exec").asSource()
+      }

      override string getName() { result = "exec" }
    }
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
@@ -168,9 +168,20 @@ module ModelInput {
   * A unit class for adding additional type model rows from CodeQL models.
   */
  class TypeModel extends Unit {
+    /**
+     * Holds if any of the other predicates in this class might have a result
+     * for the given `type`.
+     *
+     * The implementation of this predicate should not depend on `DataFlow::Node`.
+     */
+    bindingset[type]
+    predicate isTypeUsed(string type) { none() }
+
    /**
     * Gets a data-flow node that is a source of the given `type`.
     *
+     * Note that `type` should also be included in `isTypeUsed`.
+     *
     * This must not depend on API graphs, but ensures that an API node is generated for
     * the source.
     */
@@ -180,6 +191,8 @@ module ModelInput {
     * Gets a data-flow node that is a sink of the given `type`,
     * usually because it is an argument passed to a parameter of that type.
     *
+     * Note that `type` should also be included in `isTypeUsed`.
+     *
     * This must not depend on API graphs, but ensures that an API node is generated for
     * the sink.
     */
@@ -188,6 +201,8 @@ module ModelInput {
    /**
     * Gets an API node that is a source or sink of the given `type`.
     *
+     * Note that `type` should also be included in `isTypeUsed`.
+     *
     * Unlike `getASource` and `getASink`, this may depend on API graphs.
     */
    API::Node getAnApiNode(string type) { none() }
@@ -354,6 +369,28 @@ private predicate typeVariableModel(string name, string path) {
  Extensions::typeVariableModel(name, path)
 }

+/**
+ * Holds if the given extension tuple `madId` should pretty-print as `model`.
+ *
+ * This predicate should only be used in tests.
+ */
+predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
+  exists(string type, string path, string kind |
+    Extensions::sourceModel(type, path, kind, madId) and
+    model = "Source: " + type + "; " + path + "; " + kind
+  )
+  or
+  exists(string type, string path, string kind |
+    Extensions::sinkModel(type, path, kind, madId) and
+    model = "Sink: " + type + "; " + path + "; " + kind
+  )
+  or
+  exists(string type, string path, string input, string output, string kind |
+    Extensions::summaryModel(type, path, input, output, kind, madId) and
+    model = "Summary: " + type + "; " + path + "; " + input + "; " + output + "; " + kind
+  )
+}
+
 /**
 * Holds if rows involving `type` might be relevant for the analysis of this database.
 */
@@ -367,6 +404,8 @@ predicate isRelevantType(string type) {
  (
    Specific::isTypeUsed(type)
    or
+    any(TypeModel model).isTypeUsed(type)
+    or
    exists(TestAllModels t)
  )
  or