improve precision for load/store steps with async functions

erik-krogh · erik-krogh · commit 0edb46c20d34 · 2020-08-07T17:39:59.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1034,6 +1034,25 @@ private predicate storeStep(
       receiverPropWrite(f, prop, mid)
     )
   )
+  or
+  // store in an immediately awaited function call
+  exists(Function f, DataFlow::Node mid | f.isAsync() |
+    // `f` stores its parameter `pred` in property `prop` of a value that flows back to the caller,
+    // and `succ` is an invocation of `f`
+    exists(AwaitExpr await, DataFlow::Node operand |
+      operand = await.getOperand().getUnderlyingValue().flow() and
+      succ.asExpr() = await
+    |
+      reachableFromInput(f, operand, pred, mid, cfg, summary) and
+      (
+        returnedPropWrite(f, _, prop, mid)
+        or
+        exists(DataFlow::SourceNode base | base.flowsToExpr(f.getAReturnedExpr()) |
+          isAdditionalStoreStep(mid, base, prop, cfg)
+        )
+      )
+    )
+  )
 }
 
 /**
@@ -1132,6 +1151,17 @@ private predicate loadStep(
     parameterPropRead(f, succ, pred, prop, read, cfg) and
     reachesReturn(f, read, cfg, summary)
   )
+  or
+  // load from an immediately awaited function call
+  exists(Function f, DataFlow::Node read | f.isAsync() |
+    exists(AwaitExpr await, DataFlow::Node operand |
+      operand = await.getOperand().getUnderlyingValue().flow() and
+      succ.asExpr() = await
+    |
+      parameterPropRead(f, operand, pred, prop, read, cfg) and
+      reachesReturn(f, read, cfg, summary)
+    )
+  )
 }
 
 /**
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/GermanFlow.expected b/javascript/ql/test/library-tests/InterProceduralFlow/GermanFlow.expected
@@ -7,6 +7,9 @@
 | async.js:2:16:2:23 | "source" | async.js:36:17:36:17 | e |
 | async.js:2:16:2:23 | "source" | async.js:41:17:41:17 | e |
 | async.js:2:16:2:23 | "source" | async.js:54:17:54:36 | unpack(pack(source)) |
+| async.js:79:16:79:23 | "source" | async.js:80:14:80:36 | (await  ... ce))).p |
+| async.js:79:16:79:23 | "source" | async.js:92:15:92:30 | await (getP(o3)) |
+| async.js:96:18:96:25 | "source" | async.js:101:15:101:27 | await readP() |
 | callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
 | callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
 | callback.js:27:15:27:23 | "source3" | callback.js:13:14:13:14 | x |
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected b/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected
@@ -9,6 +9,9 @@
 | async.js:2:16:2:23 | "source" | async.js:36:17:36:17 | e |
 | async.js:2:16:2:23 | "source" | async.js:41:17:41:17 | e |
 | async.js:2:16:2:23 | "source" | async.js:54:17:54:36 | unpack(pack(source)) |
+| async.js:79:16:79:23 | "source" | async.js:80:14:80:36 | (await  ... ce))).p |
+| async.js:79:16:79:23 | "source" | async.js:92:15:92:30 | await (getP(o3)) |
+| async.js:96:18:96:25 | "source" | async.js:101:15:101:27 | await readP() |
 | callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
 | callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
 | callback.js:27:15:27:23 | "source3" | callback.js:13:14:13:14 | x |
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/TrackedNodes.expected b/javascript/ql/test/library-tests/InterProceduralFlow/TrackedNodes.expected
@@ -6,6 +6,15 @@
 | missing | async.js:2:16:2:23 | "source" | async.js:26:12:26:12 | e |
 | missing | async.js:2:16:2:23 | "source" | async.js:26:12:26:12 | e |
 | missing | async.js:2:16:2:23 | "source" | async.js:27:17:27:17 | e |
+| missing | async.js:73:22:73:22 | x | async.js:80:14:80:36 | (await  ... ce))).p |
+| missing | async.js:74:12:76:5 | {\\n      p: x\\n    } | async.js:80:14:80:34 | (await  ... urce))) |
+| missing | async.js:74:12:76:5 | {\\n      p: x\\n    } | async.js:80:15:80:33 | await (foo(source)) |
+| missing | async.js:79:16:79:23 | "source" | async.js:80:14:80:36 | (await  ... ce))).p |
+| missing | async.js:79:16:79:23 | "source" | async.js:92:15:92:30 | await (getP(o3)) |
+| missing | async.js:84:12:84:17 | base.p | async.js:92:15:92:30 | await (getP(o3)) |
+| missing | async.js:88:12:88:17 | base.q | async.js:93:15:93:30 | await (getQ(o3)) |
+| missing | async.js:96:18:96:25 | "source" | async.js:101:15:101:27 | await readP() |
+| missing | async.js:98:12:98:16 | obj.x | async.js:101:15:101:27 | await readP() |
 | missing | callback.js:17:15:17:23 | "source2" | callback.js:8:16:8:20 | xs[i] |
 | missing | callback.js:17:15:17:23 | "source2" | callback.js:12:16:12:16 | x |
 | missing | callback.js:17:15:17:23 | "source2" | callback.js:12:16:12:16 | x |
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/async.js b/javascript/ql/test/library-tests/InterProceduralFlow/async.js
@@ -69,3 +69,34 @@
   }
 })();
 
+async function props() {
+  async function foo(x) {
+    return {
+      p: x
+    };
+  }
+  
+  let source = "source";
+  let sink = (await (foo(source))).p; // NOT OK - this requires the immidiatly awaited storeStep.
+  let sink2 = foo("not a source").p;
+  
+  async function getP(base) {
+    return base.p;
+  }
+  
+  async function getQ(base) {
+    return base.q;
+  }
+  
+  let o3 = { p: source };
+  let sink6 = await (getP(o3)); // NOT OK - this requires the immidiatly awaited loadStep
+  let sink7 = await (getQ(o3));
+
+  async function readP() {
+    let source = "source";
+    var obj = {x: source};
+    return obj.x;
+  }
+
+  let sink8 = await readP(); // NOT OK
+}
diff --git a/javascript/ql/test/library-tests/Promises/flow.js b/javascript/ql/test/library-tests/Promises/flow.js
@@ -129,4 +129,29 @@
 	new Promise((resolve, reject) => resolve(resolved)).then(x => sink(x)); // NOT OK
 	
 	Promise.resolve(resolved).then(x => sink(x)); // NOT OK
-})();
+})();
+
+
+(async function () {
+	var source = "source";
+  
+	async function async() {
+	  return source;
+	}
+	sink(async()); // OK - wrapped in a promise. (NOT OK for taint-tracking configs)
+	sink(await async()); // NOT OK
+  
+	async function throwsAsync() {
+	  throw source;
+	}
+	try {
+	  throwsAsync();
+	} catch (e) {
+	  sink(e); // OK - throwsAsync just returns a promise.
+	}
+	try {
+	  await throwsAsync();
+	} catch (e) {
+	  sink(e); // NOT OK
+	}
+  })();
diff --git a/javascript/ql/test/library-tests/Promises/tests.expected b/javascript/ql/test/library-tests/Promises/tests.expected
@@ -222,6 +222,7 @@ flow
 | flow.js:2:15:2:22 | "source" | flow.js:79:20:79:20 | x |
 | flow.js:2:15:2:22 | "source" | flow.js:84:21:84:21 | e |
 | flow.js:2:15:2:22 | "source" | flow.js:89:45:89:45 | e |
+| flow.js:2:15:2:22 | "source" | flow.js:101:7:101:9 | foo |
 | flow.js:2:15:2:22 | "source" | flow.js:103:93:103:93 | x |
 | flow.js:2:15:2:22 | "source" | flow.js:105:95:105:95 | x |
 | flow.js:2:15:2:22 | "source" | flow.js:109:89:109:89 | x |
@@ -231,8 +232,11 @@ flow
 | flow.js:2:15:2:22 | "source" | flow.js:125:59:125:59 | x |
 | flow.js:2:15:2:22 | "source" | flow.js:129:69:129:69 | x |
 | flow.js:2:15:2:22 | "source" | flow.js:131:43:131:43 | x |
+| flow.js:136:15:136:22 | "source" | flow.js:142:7:142:19 | await async() |
+| flow.js:136:15:136:22 | "source" | flow.js:155:9:155:9 | e |
 exclusiveTaintFlow
 | flow2.js:2:15:2:22 | "source" | flow2.js:20:7:20:14 | tainted3 |
+| flow.js:136:15:136:22 | "source" | flow.js:141:7:141:13 | async() |
 | interflow.js:3:18:3:25 | "source" | interflow.js:18:10:18:14 | error |
 typetrack
 | flow2.js:4:2:4:31 | Promise ... lean"]) | flow2.js:4:14:4:30 | [source, "clean"] | copy $PromiseResolveField$ |
@@ -370,6 +374,8 @@ typetrack
 | flow.js:131:2:131:45 | Promise ... ink(x)) | flow.js:131:38:131:44 | sink(x) | copy $PromiseResolveField$ |
 | flow.js:131:2:131:45 | Promise ... ink(x)) | flow.js:131:38:131:44 | sink(x) | store $PromiseResolveField$ |
 | flow.js:131:33:131:33 | x | flow.js:131:2:131:26 | Promise ... solved) | load $PromiseResolveField$ |
+| flow.js:142:7:142:19 | await async() | flow.js:142:13:142:19 | async() | load $PromiseResolveField$ |
+| flow.js:153:4:153:22 | await throwsAsync() | flow.js:153:10:153:22 | throwsAsync() | load $PromiseResolveField$ |
 | interflow.js:6:3:9:23 | loadScr ... eError) | interflow.js:6:3:8:26 | loadScr ... () { }) | copy $PromiseResolveField$ |
 | promises.js:33:19:35:6 | new Pro ... \\n    }) | promises.js:34:17:34:22 | source | copy $PromiseResolveField$ |
 | promises.js:33:19:35:6 | new Pro ... \\n    }) | promises.js:34:17:34:22 | source | store $PromiseResolveField$ |
