JS: add DataFlow::Node.getStringValue()

asger-semmle · asger-semmle · commit 0fd9d157f846 · 2019-02-12T13:38:45.000Z
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql b/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
@@ -19,7 +19,7 @@ class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "IncompleteHostnameRegExpTracking" }
 
   override predicate isSource(DataFlow::Node source) {
-    isIncompleteHostNameRegExpPattern(source.asExpr().getStringValue(), _)
+    isIncompleteHostNameRegExpPattern(source.getStringValue(), _)
   }
 
   override predicate isSink(DataFlow::Node sink) { isInterpretedAsRegExp(sink) }
diff --git a/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql b/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
@@ -76,7 +76,7 @@ predicate isDerivedFromLength(DataFlow::Node length, DataFlow::Node operand) {
   exists(IndexOfCall call | operand = call.getAnOperand() |
     length = getStringSource(operand).getAPropertyRead("length")
     or
-    exists(string val | val = operand.asExpr().getStringValue() |
+    exists(string val | val = operand.getStringValue() |
       // Find a literal length with the same string constant
       exists(LiteralLengthExpr lengthExpr |
         lengthExpr.getContainer() = call.getContainer() and
diff --git a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -85,7 +85,7 @@ class Replacement extends DataFlow::Node {
     exists(DataFlow::MethodCallNode mcn |
       mcn = this and
       input = getStringValue(pattern) and
-      output = mcn.getArgument(1).asExpr().getStringValue()
+      output = mcn.getArgument(1).getStringValue()
     )
   }
 
diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -111,7 +111,7 @@ module DOM {
     /**
      * Gets the value of this attribute, if it can be determined.
      */
-    string getStringValue() { result = getValueNode().asExpr().getStringValue() }
+    string getStringValue() { result = getValueNode().getStringValue() }
 
     /**
      * Gets the DOM element this attribute belongs to.
diff --git a/javascript/ql/src/semmle/javascript/StringConcatenation.qll b/javascript/ql/src/semmle/javascript/StringConcatenation.qll
@@ -104,6 +104,6 @@ module StringConcatenation {
    */
   predicate isCoercion(DataFlow::Node node) {
     getNumOperand(node) = 2 and
-    getOperand(node, _).asExpr().getStringValue() = ""
+    getOperand(node, _).getStringValue() = ""
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/StringOps.qll b/javascript/ql/src/semmle/javascript/StringOps.qll
@@ -162,7 +162,7 @@ module StringOps {
       (
         substring.getALocalSource().getAPropertyRead("length").flowsTo(call.getArgument(1))
         or
-        substring.asExpr().getStringValue().length() = call.getArgument(1).asExpr().getIntValue()
+        substring.getStringValue().length() = call.getArgument(1).asExpr().getIntValue()
       )
     }
 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -97,9 +97,12 @@ module DataFlow {
      */
     predicate accessesGlobal(string g) { globalVarRef(g).flowsTo(this) }
 
-    /** Holds if this node may evaluate to the string `s`. */
+    /** Holds if this node may evaluate to the string `s`, possibly through local data flow. */
     predicate mayHaveStringValue(string s) { getAPredecessor().mayHaveStringValue(s) }
 
+    /** Gets the string value of this node, if it is a string literal or constant string concatenation. */
+    string getStringValue() { result = asExpr().getStringValue() }
+
     /** Holds if this node may evaluate to the Boolean value `b`. */
     predicate mayHaveBooleanValue(boolean b) {
       b = analyze().getAValue().(AbstractBoolean).getBooleanValue()
diff --git a/javascript/ql/src/semmle/javascript/frameworks/CryptoLibraries.qll b/javascript/ql/src/semmle/javascript/frameworks/CryptoLibraries.qll
@@ -276,7 +276,7 @@ private module BrowserIdCrypto {
         mod = DataFlow::moduleImport("browserid-crypto") and
         keygen = mod.getAMemberCall("generateKeypair") and
         algorithmNameNode = keygen.getOptionArgument(0, "algorithm") and
-        algorithm.matchesName(algorithmNameNode.asExpr().getStringValue()) and
+        algorithm.matchesName(algorithmNameNode.getStringValue()) and
         callback = keygen.getCallback(1) and
         this = mod.getAMemberCall("sign").asExpr()
       )
@@ -319,7 +319,7 @@ private module NodeJSCrypto {
       |
         mod = DataFlow::moduleImport("crypto") and
         this = mod.getAMemberCall("create" + createSuffix) and
-        algorithm.matchesName(getArgument(0).asExpr().getStringValue())
+        algorithm.matchesName(getArgument(0).getStringValue())
       )
     }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UrlConcatenation.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UrlConcatenation.qll
@@ -13,7 +13,7 @@ import javascript
  * Specifically, this holds if the string contains `?` or `#`.
  */
 private predicate hasSanitizingSubstring(DataFlow::Node nd) {
-  nd.asExpr().getStringValue().regexpMatch(".*[?#].*")
+  nd.getStringValue().regexpMatch(".*[?#].*")
   or
   hasSanitizingSubstring(StringConcatenation::getAnOperand(nd))
   or
@@ -48,7 +48,7 @@ predicate sanitizingPrefixEdge(DataFlow::Node source, DataFlow::Node sink) {
  * the `//` separating the (optional) scheme from the hostname.
  */
 private predicate hasHostnameSanitizingSubstring(DataFlow::Node nd) {
-  nd.asExpr().getStringValue().regexpMatch(".*([?#]|[^?#:/\\\\][/\\\\]).*")
+  nd.getStringValue().regexpMatch(".*([?#]|[^?#:/\\\\][/\\\\]).*")
   or
   hasHostnameSanitizingSubstring(StringConcatenation::getAnOperand(nd))
   or
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -67,7 +67,7 @@ module DomBasedXss {
         // _may_ be interpreted as HTML
         not exists(DataFlow::Node prefix, string strval |
           isPrefixOfJQueryHtmlString(astNode, prefix) and
-          strval = prefix.asExpr().getStringValue() and
+          strval = prefix.getStringValue() and
           not strval.regexpMatch("\\s*<.*")
         ) and
         not isDocumentURL(astNode)

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ class Configuration extends TaintTracking::Configuration {`
`19`	`19`	`Configuration() { this = "IncompleteHostnameRegExpTracking" }`
`20`	`20`
`21`	`21`	`override predicate isSource(DataFlow::Node source) {`
`22`		`- isIncompleteHostNameRegExpPattern(source.asExpr().getStringValue(), _)`
	`22`	`+ isIncompleteHostNameRegExpPattern(source.getStringValue(), _)`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`override predicate isSink(DataFlow::Node sink) { isInterpretedAsRegExp(sink) }`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ class Replacement extends DataFlow::Node {`
`85`	`85`	`exists(DataFlow::MethodCallNode mcn \|`
`86`	`86`	`mcn = this and`
`87`	`87`	`input = getStringValue(pattern) and`
`88`		`- output = mcn.getArgument(1).asExpr().getStringValue()`
	`88`	`+ output = mcn.getArgument(1).getStringValue()`
`89`	`89`	`)`
`90`	`90`	`}`
`91`	`91`
Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,6 @@ module StringConcatenation {`
`104`	`104`	`*/`
`105`	`105`	`predicate isCoercion(DataFlow::Node node) {`
`106`	`106`	`getNumOperand(node) = 2 and`
`107`		`- getOperand(node, _).asExpr().getStringValue() = ""`
	`107`	`+ getOperand(node, _).getStringValue() = ""`
`108`	`108`	`}`
`109`	`109`	`}`
Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ module StringOps {`
`162`	`162`	`(`
`163`	`163`	`substring.getALocalSource().getAPropertyRead("length").flowsTo(call.getArgument(1))`
`164`	`164`	`or`
`165`		`- substring.asExpr().getStringValue().length() = call.getArgument(1).asExpr().getIntValue()`
	`165`	`+ substring.getStringValue().length() = call.getArgument(1).asExpr().getIntValue()`
`166`	`166`	`)`
`167`	`167`	`}`
`168`	`168`
Original file line number	Diff line number	Diff line change
`@@ -276,7 +276,7 @@ private module BrowserIdCrypto {`
`276`	`276`	`mod = DataFlow::moduleImport("browserid-crypto") and`
`277`	`277`	`keygen = mod.getAMemberCall("generateKeypair") and`
`278`	`278`	`algorithmNameNode = keygen.getOptionArgument(0, "algorithm") and`
`279`		`- algorithm.matchesName(algorithmNameNode.asExpr().getStringValue()) and`
	`279`	`+ algorithm.matchesName(algorithmNameNode.getStringValue()) and`
`280`	`280`	`callback = keygen.getCallback(1) and`
`281`	`281`	`this = mod.getAMemberCall("sign").asExpr()`
`282`	`282`	`)`
`@@ -319,7 +319,7 @@ private module NodeJSCrypto {`
`319`	`319`	`\|`
`320`	`320`	`mod = DataFlow::moduleImport("crypto") and`
`321`	`321`	`this = mod.getAMemberCall("create" + createSuffix) and`
`322`		`- algorithm.matchesName(getArgument(0).asExpr().getStringValue())`
	`322`	`+ algorithm.matchesName(getArgument(0).getStringValue())`
`323`	`323`	`)`
`324`	`324`	`}`
`325`	`325`