JS: Address comments

asger-semmle · asger-semmle · commit 4fb3fd992d2f · 2019-08-06T15:28:53.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -43,20 +43,19 @@ class ClientRequest extends DataFlow::InvokeNode {
    * wrapped in a promise object.
    *
    * The `responseType` describes how the response is represented as a JavaScript value
-   * (after resolving promises).
-   *
-   * The response type may be any of the values supported by
-   * [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/responseType),
-   * namely `arraybuffer`, `blob`, `document`, `json`, or `text`.
-   *
-   * Additionally, the `responseType` may have one of the following values:
-   * - `fetch.response`: The result is a `Response` object as defined by the [fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Response).
-   * - `stream`: The result is a Node.js stream
-   * - `error`: The result is an error in an unspecified format, possibly containing information from the response
-   *
-   *
-   * Custom implementations of `ClientRequest` may use other formats.
-   * If the responseType is not known the convention is to use an empty string.
+   * (after resolving promises), and may assume the following values:
+   * - Any response type defined by [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/responseType):
+   *    - `text`: The result is a string
+   *    - `json`: The result is a deserialized JSON object
+   *    - `arraybuffer`: The result is an `ArrayBuffer` object
+   *    - `blob`: The result is a `Blob` object
+   *    - `document`: The result is a deserialized HTML or XML document
+   * - Any of the following additional response types defined by this library:
+   *  - `fetch.response`: The result is a `Response` object from [fetch](https://developer.mozilla.org/en-US/docs/Web/API/Response).
+   *  - `stream`: The result is a Node.js stream and `http.IncomingMessage` object
+   *  - `error`: The result is an error in an unspecified format, possibly containing information from the response
+   *  - An empty string, indicating an unknown response type.
+   * - Any value provided by custom implementations of `ClientRequest::Range`.
    */
   DataFlow::Node getAResponseDataNode(string responseType, boolean promise) {
     result = self.getAResponseDataNode(responseType, promise)
@@ -99,7 +98,7 @@ module ClientRequest {
      * Gets a data flow node that refers to some representation of the response, possibly
      * wrapped in a promise object.
      *
-     * See the decription of `responseType` in the corresponding predicate in `ClientRequest`.
+     * See the decription of `responseType` in `ClientRequest::getAResponseDataNode`.
      */
     DataFlow::Node getAResponseDataNode(string responseType, boolean promise) { none() }
   }
@@ -192,9 +191,19 @@ module ClientRequest {
       )
     }
 
+    private int getOptionsArgIndex() {
+      method = "request" and
+      result = 0
+      or
+      (method = "get" or method = "delete" or method = "head") and
+      result = 1
+      or
+      (method = "post" or method = "put" or method = "patch") and
+      result = 2
+    }
+
     private DataFlow::Node getOptionArgument(string name) {
-      // depends on the method name and the call arity, over-approximating slightly in the name of simplicity
-      result = getOptionArgument([0 .. 2], name)
+      result = getOptionArgument(getOptionsArgIndex(), name)
     }
 
     override DataFlow::Node getUrl() {
@@ -218,15 +227,18 @@ module ClientRequest {
 
     /** Gets the response type from the options passed in. */
     string getResponseType() {
-      exists(DataFlow::Node option | option = getOptionArgument([0 .. 2], "responseType") |
-        result = option.getStringValue()
+      exists(DataFlow::Node option | option = getOptionArgument("responseType") |
+        option.mayHaveStringValue(result)
         or
-        not exists(option.getStringValue()) and
+        option.analyze().getAValue().isIndefinite(_) and
         result = ""
       )
       or
-      not exists(getOptionArgument([0 .. 2], "responseType")) and
+      not exists(getOptionArgument("responseType")) and
       result = "json"
+      or
+      getArgument(getOptionsArgIndex()).analyze().getAValue().isIndefinite(_) and
+      result = ""
     }
 
     override DataFlow::Node getAResponseDataNode(string responseType, boolean promise) {
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
@@ -43,7 +43,7 @@ test_ClientRequest
 | tst.js:123:5:127:6 | request ... \\n    }) |
 | tst.js:129:5:129:37 | request ...  true}) |
 | tst.js:133:5:133:18 | axios.get(url) |
-| tst.js:134:5:134:48 | axios.g ... json'}) |
+| tst.js:134:5:134:44 | axios({ ... json'}) |
 | tst.js:139:5:139:14 | fetch(url) |
 | tst.js:143:5:143:12 | got(url) |
 | tst.js:144:5:144:28 | got(url ... true }) |
@@ -132,8 +132,8 @@ test_getUrl
 | tst.js:123:5:127:6 | request ... \\n    }) | tst.js:123:13:123:15 | url |
 | tst.js:129:5:129:37 | request ...  true}) | tst.js:129:20:129:22 | url |
 | tst.js:133:5:133:18 | axios.get(url) | tst.js:133:15:133:17 | url |
-| tst.js:134:5:134:48 | axios.g ... json'}) | tst.js:134:15:134:47 | { url:  ... 'json'} |
-| tst.js:134:5:134:48 | axios.g ... json'}) | tst.js:134:22:134:24 | url |
+| tst.js:134:5:134:44 | axios({ ... json'}) | tst.js:134:11:134:43 | { url:  ... 'json'} |
+| tst.js:134:5:134:44 | axios({ ... json'}) | tst.js:134:18:134:20 | url |
 | tst.js:139:5:139:14 | fetch(url) | tst.js:139:11:139:13 | url |
 | tst.js:143:5:143:12 | got(url) | tst.js:143:9:143:11 | url |
 | tst.js:144:5:144:28 | got(url ... true }) | tst.js:144:9:144:11 | url |
@@ -143,6 +143,7 @@ test_getUrl
 test_getAResponseDataNode
 | tst.js:19:5:19:23 | requestPromise(url) | tst.js:19:5:19:23 | requestPromise(url) | text | true |
 | tst.js:21:5:21:23 | superagent.get(url) | tst.js:21:5:21:23 | superagent.get(url) | stream | true |
+| tst.js:25:5:25:14 | axios(url) | tst.js:25:5:25:14 | axios(url) |  | true |
 | tst.js:25:5:25:14 | axios(url) | tst.js:25:5:25:14 | axios(url) | json | true |
 | tst.js:27:5:27:18 | axios.get(url) | tst.js:27:5:27:18 | axios.get(url) | json | true |
 | tst.js:29:5:29:23 | axios({ url: url }) | tst.js:29:5:29:23 | axios({ url: url }) | json | true |
@@ -175,7 +176,7 @@ test_getAResponseDataNode
 | tst.js:123:5:127:6 | request ... \\n    }) | tst.js:125:9:125:21 | response.body | json | false |
 | tst.js:129:5:129:37 | request ...  true}) | tst.js:129:5:129:37 | request ...  true}) | json | true |
 | tst.js:133:5:133:18 | axios.get(url) | tst.js:133:5:133:18 | axios.get(url) | json | true |
-| tst.js:134:5:134:48 | axios.g ... json'}) | tst.js:134:5:134:48 | axios.g ... json'}) | json | true |
+| tst.js:134:5:134:44 | axios({ ... json'}) | tst.js:134:5:134:44 | axios({ ... json'}) | json | true |
 | tst.js:139:5:139:14 | fetch(url) | tst.js:139:5:139:14 | fetch(url) | fetch.response | true |
 | tst.js:143:5:143:12 | got(url) | tst.js:143:5:143:12 | got(url) | text | true |
 | tst.js:144:5:144:28 | got(url ... true }) | tst.js:144:5:144:28 | got(url ... true }) | json | true |
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
@@ -131,7 +131,7 @@ import {ClientRequest, net} from 'electron';
 
 (function() {
     axios.get(url).then(response => response.data);
-    axios.get({ url: url, responseType: 'json'}).then(response => response.data);
+    axios({ url: url, responseType: 'json'}).then(response => response.data);
 })
 
 
