JavaScript: Add type tracking to Postgres model.

2025-12-16 16:53:25 +01:00 · 2020-03-23 17:10:26 +00:00
parent ce0b72f949
commit efbcec09ef
4 changed files with 23 additions and 5 deletions
--- a/change-notes/1.24/analysis-javascript.md
+++ b/change-notes/1.24/analysis-javascript.md
@@ -42,6 +42,7 @@
  - [ncp](https://www.npmjs.com/package/ncp)
  - [node-dir](https://www.npmjs.com/package/node-dir)
  - [path-exists](https://www.npmjs.com/package/path-exists)
+  - [pg](https://www.npmjs.com/package/pg)
  - [react](https://www.npmjs.com/package/react)
  - [recursive-readdir](https://www.npmjs.com/package/recursive-readdir)
  - [request](https://www.npmjs.com/package/request)
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -132,15 +132,22 @@ private module Postgres {
    result = DataFlow::moduleImport("pg-pool").getAnInstantiation()
  }

+  private DataFlow::SourceNode clientOrPool(DataFlow::TypeTracker t) {
+    t.start() and
+    (result = client() or result = newPool())
+    or
+    exists(DataFlow::TypeTracker t2 | result = clientOrPool(t2).track(t2, t))
+  }
+
+  private DataFlow::SourceNode clientOrPool() {
+    result = clientOrPool(DataFlow::TypeTracker::end())
+  }
+
  /** A call to the Postgres `query` method. */
  private class QueryCall extends DatabaseAccess, DataFlow::ValueNode {
    override MethodCallExpr astNode;

-    QueryCall() {
-      exists(DataFlow::SourceNode recv | recv = client() or recv = newPool() |
-        this = recv.getAMethodCall("query")
-      )
-    }
+    QueryCall() { this = clientOrPool().getAMethodCall("query") }

    override DataFlow::Node getAQueryArgument() {
      result = DataFlow::valueNode(astNode.getArgument(0))
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -12,6 +12,7 @@
 | postgres1.js:37:21:37:24 | text |
 | postgres2.js:30:16:30:41 | 'SELECT ... number' |
 | postgres3.js:15:16:15:40 | 'SELECT ... s name' |
+| postgres5.js:8:21:8:25 | query |
 | sequelize2.js:10:17:10:118 | 'SELECT ... Y name' |
 | sequelize.js:8:17:8:118 | 'SELECT ... Y name' |
 | spanner2.js:5:26:5:35 | "SQL code" |
--- a/javascript/ql/test/library-tests/frameworks/SQL/postgres5.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/postgres5.js
@@ -0,0 +1,9 @@
+const pg = require('pg');
+
+function PgWrapper() {
+    this.pool = new pg.Pool({});
+}
+
+PgWrapper.prototype.query = function (query, params, cb) {
+    this.pool.query(query, params || [], cb);
+};