JS: Add nodes for static/dynamic argument/parameter arrays

asgerf · asgerf · commit 6c7d745a2bc7 · 2024-08-27T11:35:12.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowNode.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowNode.qll
@@ -33,6 +33,12 @@ private module Cached {
     } or
     TThisNode(StmtContainer f) { f.(Function).getThisBinder() = f or f instanceof TopLevel } or
     TFunctionSelfReferenceNode(Function f) or
+    TStaticArgumentArrayNode(InvokeExpr node) or
+    TDynamicArgumentArrayNode(InvokeExpr node) { node.isSpreadArgument(_) } or
+    TStaticParameterArrayNode(Function f) {
+      f.getAParameter().isRestParameter() or f.usesArgumentsObject()
+    } or
+    TDynamicParameterArrayNode(Function f) or
     TDestructuredModuleImportNode(ImportDeclaration decl) {
       exists(decl.getASpecifier().getImportedName())
     } or
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
@@ -81,6 +81,73 @@ class GenericSynthesizedNode extends DataFlow::Node, TGenericSynthesizedNode {
   string getTag() { result = tag }
 }
 
+/**
+ * An argument containing an array of all positional arguments with an obvious index, i.e. not affected by a spread argument.
+ */
+class StaticArgumentArrayNode extends DataFlow::Node, TStaticArgumentArrayNode {
+  private InvokeExpr invoke;
+
+  StaticArgumentArrayNode() { this = TStaticArgumentArrayNode(invoke) }
+
+  override StmtContainer getContainer() { result = invoke.getContainer() }
+
+  override string toString() { result = "[static argument array]" }
+
+  override Location getLocation() { result = invoke.getLocation() }
+}
+
+/**
+ * An argument containing an array of all positional arguments with non-obvious index, i.e. affected by a spread argument.
+ *
+ * Only exists for call sites with a spread argument.
+ */
+class DynamicArgumentArrayNode extends DataFlow::Node, TDynamicArgumentArrayNode {
+  private InvokeExpr invoke;
+
+  DynamicArgumentArrayNode() { this = TDynamicArgumentArrayNode(invoke) }
+
+  override StmtContainer getContainer() { result = invoke.getContainer() }
+
+  override string toString() { result = "[dynamic argument array]" }
+
+  override Location getLocation() { result = invoke.getLocation() }
+}
+
+/**
+ * A parameter containing an array of all positional arguments with an obvious index, i.e. not affected by spread or `.apply()`.
+ *
+ * These are read and stored in the function's rest parameter and `arguments` array.
+ * The node only exists for functions with a rest parameter or which uses the `arguments` array.
+ */
+class StaticParameterArrayNode extends DataFlow::Node, TStaticParameterArrayNode {
+  private Function function;
+
+  StaticParameterArrayNode() { this = TStaticParameterArrayNode(function) }
+
+  override StmtContainer getContainer() { result = function }
+
+  override string toString() { result = "[static parameter array]" }
+
+  override Location getLocation() { result = function.getLocation() }
+}
+
+/**
+ * A parameter containing an array of all positional argument values with non-obvious index, i.e. affected by spread or `.apply()`.
+ *
+ * These are read and assigned into regular positional parameters and stored into rest parameters and the `arguments` array.
+ */
+class DynamicParameterArrayNode extends DataFlow::Node, TDynamicParameterArrayNode {
+  private Function function;
+
+  DynamicParameterArrayNode() { this = TDynamicParameterArrayNode(function) }
+
+  override StmtContainer getContainer() { result = function }
+
+  override string toString() { result = "[dynamic parameter array]" }
+
+  override Location getLocation() { result = function.getLocation() }
+}
+
 cached
 newtype TReturnKind =
   MkNormalReturnKind() or
