Merge pull request #6652 from asgerf/js/type-tracking-through-callback

codeql-ci · web-flow · commit 27f2d417c1aa · 2021-09-10T04:11:14.000-07:00
Approved by erik-krogh
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll
@@ -947,7 +947,7 @@ private predicate exploratoryFlowStep(
   isAdditionalLoadStoreStep(pred, succ, _, _, cfg) or
   // the following three disjuncts taken together over-approximate flow through
   // higher-order calls
-  callback(pred, succ) or
+  exploratoryCallbackStep(pred, succ) or
   succ = pred.(DataFlow::FunctionNode).getAParameter() or
   exploratoryBoundInvokeStep(pred, succ)
 }
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/TrackedNodes.qll b/javascript/ql/lib/semmle/javascript/dataflow/TrackedNodes.qll
@@ -154,7 +154,7 @@ private module NodeTracking {
       or
       basicLoadStep(mid, nd, _)
       or
-      callback(mid, nd)
+      exploratoryCallbackStep(mid, nd)
       or
       nd = mid.(DataFlow::FunctionNode).getAParameter()
     )
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSteps.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSteps.qll
@@ -434,7 +434,7 @@ private module CachedSteps {
    * invocation.
    */
   cached
-  predicate callback(DataFlow::Node arg, DataFlow::SourceNode cb) {
+  predicate exploratoryCallbackStep(DataFlow::Node arg, DataFlow::SourceNode cb) {
     Stages::TypeTracking::ref() and
     exists(DataFlow::InvokeNode invk, DataFlow::ParameterNode cbParm, DataFlow::Node cbArg |
       arg = invk.getAnArgument() and
@@ -444,12 +444,24 @@ private module CachedSteps {
     )
     or
     exists(DataFlow::ParameterNode cbParm, DataFlow::Node cbArg |
-      callback(arg, cbParm) and
+      exploratoryCallbackStep(arg, cbParm) and
       callStep(cbArg, cbParm) and
       cb.flowsTo(cbArg)
     )
   }
 
+  /** Gets a function that flows to `parameter` via one or more parameter-passing steps. */
+  cached
+  DataFlow::FunctionNode getACallbackSource(DataFlow::ParameterNode parameter) {
+    Stages::TypeTracking::ref() and
+    callStep(result.getALocalUse(), parameter)
+    or
+    exists(DataFlow::ParameterNode mid |
+      callStep(mid.getALocalUse(), parameter) and
+      result = getACallbackSource(mid)
+    )
+  }
+
   /**
    * Holds if `f` may return `base`, which has a write of property `prop` with right-hand side `rhs`.
    */
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll
@@ -156,6 +156,13 @@ private module Cached {
         succ = fun.getAnInvocation()
       )
     )
+    or
+    // Add 'return' steps from callback arguments to callback parameters
+    exists(DataFlow::ParameterNode parameter, int i |
+      pred = parameter.getAnInvocation().getArgument(i) and
+      succ = getACallbackSource(parameter).getParameter(i) and
+      summary = ReturnStep()
+    )
   }
 }
 
diff --git a/javascript/ql/test/library-tests/TypeTracking/ClassStyle.expected b/javascript/ql/test/library-tests/TypeTracking/ClassStyle.expected
@@ -38,6 +38,9 @@ test_Connection
 | tst.js:112:10:112:14 | obj.x |
 | tst.js:114:1:114:28 | getX({  ... on() }) |
 | tst.js:114:11:114:25 | getConnection() |
+| tst.js:118:12:118:26 | getConnection() |
+| tst.js:120:21:120:24 | conn |
+| tst.js:126:22:126:25 | conn |
 | tst_conflict.js:6:38:6:77 | api.cha ... ction() |
 test_DataCallback
 | client.js:3:28:3:34 | x => {} |
diff --git a/javascript/ql/test/library-tests/TypeTracking/PredicateStyle.expected b/javascript/ql/test/library-tests/TypeTracking/PredicateStyle.expected
@@ -40,6 +40,9 @@ connection
 | type tracker without call steps | tst.js:108:8:108:22 | getConnection() |
 | type tracker without call steps | tst.js:114:1:114:28 | getX({  ... on() }) |
 | type tracker without call steps | tst.js:114:11:114:25 | getConnection() |
+| type tracker without call steps | tst.js:118:12:118:26 | getConnection() |
+| type tracker without call steps | tst.js:120:21:120:24 | conn |
+| type tracker without call steps | tst.js:126:22:126:25 | conn |
 | type tracker without call steps | tst_conflict.js:6:38:6:77 | api.cha ... ction() |
 | type tracker without call steps with property MyApplication.namespace.connection | file://:0:0:0:0 | global access path |
 | type tracker without call steps with property conflict | tst.js:63:3:63:25 | MyAppli ... mespace |
diff --git a/javascript/ql/test/library-tests/TypeTracking/tst.js b/javascript/ql/test/library-tests/TypeTracking/tst.js
@@ -113,3 +113,15 @@ function getX(obj) {
 }
 getX({ x: getConnection() });
 getX({ x: somethingElse() });
+
+function makeConnectionAsync(callback) {
+  callback(getConnection());
+}
+makeConnectionAsync(conn => {});
+makeConnectionAsync(); // suppress single-call precision gains
+
+function makeConnectionAsync2(callback) {
+  makeConnectionAsync(callback);
+}
+makeConnectionAsync2(conn => {});
+makeConnectionAsync2(); // suppress single-call precision gains

Original file line number	Diff line number	Diff line change
`@@ -947,7 +947,7 @@ private predicate exploratoryFlowStep(`
`947`	`947`	`isAdditionalLoadStoreStep(pred, succ, _, _, cfg) or`
`948`	`948`	`// the following three disjuncts taken together over-approximate flow through`
`949`	`949`	`// higher-order calls`
`950`		`- callback(pred, succ) or`
	`950`	`+ exploratoryCallbackStep(pred, succ) or`
`951`	`951`	`succ = pred.(DataFlow::FunctionNode).getAParameter() or`
`952`	`952`	`exploratoryBoundInvokeStep(pred, succ)`
`953`	`953`	`}`
Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ private module NodeTracking {`
`154`	`154`	`or`
`155`	`155`	`basicLoadStep(mid, nd, _)`
`156`	`156`	`or`
`157`		`- callback(mid, nd)`
	`157`	`+ exploratoryCallbackStep(mid, nd)`
`158`	`158`	`or`
`159`	`159`	`nd = mid.(DataFlow::FunctionNode).getAParameter()`
`160`	`160`	`)`
Original file line number	Diff line number	Diff line change
`@@ -156,6 +156,13 @@ private module Cached {`
`156`	`156`	`succ = fun.getAnInvocation()`
`157`	`157`	`)`
`158`	`158`	`)`
	`159`	`+ or`
	`160`	`+ // Add 'return' steps from callback arguments to callback parameters`
	`161`	`+ exists(DataFlow::ParameterNode parameter, int i \|`
	`162`	`+ pred = parameter.getAnInvocation().getArgument(i) and`
	`163`	`+ succ = getACallbackSource(parameter).getParameter(i) and`
	`164`	`+ summary = ReturnStep()`
	`165`	`+ )`
`159`	`166`	`}`
`160`	`167`	`}`
`161`	`168`