JavaScript: Add a convenience method to SourceNode and use it in a few places.

Max Schaefer · Max Schaefer · commit 6f6b3b0d5e8d · 2018-11-14T11:58:45.000Z
diff --git a/javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql b/javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql
@@ -22,10 +22,9 @@ private predicate isBoundInMethod(MethodDeclaration method) {
     or
     exists (string name |
       name = method.getName() |
-      exists (DataFlow::Node rhs, DataFlow::MethodCallNode bind |
+      exists (DataFlow::MethodCallNode bind |
         // this.<methodName> = <expr>.bind(...)
-        thiz.hasPropertyWrite(name, rhs) and
-        bind.flowsTo(rhs) and
+        bind = thiz.getAPropertySource(name) and
         bind.getMethodName() = "bind"
       )
       or
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Sources.qll b/javascript/ql/src/semmle/javascript/dataflow/Sources.qll
@@ -178,6 +178,13 @@ abstract class SourceNode extends DataFlow::Node {
   DataFlow::NewNode getAnInstantiation() {
     result = getAnInvocation()
   }
+
+  /**
+   * Gets a source node whose value is stored in property `prop` of this node.
+   */
+  DataFlow::SourceNode getAPropertySource(string prop) {
+    result.flowsTo(getAPropertyWrite(prop).getRhs())
+  }
 }
 
 /**
diff --git a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll
@@ -439,9 +439,9 @@ class GeneralDirective extends CustomDirective, MkCustomDirective {
     result = getMember("link")
     or
     // { link: { pre: function preLink() { ... }, post: function postLink() { ... } } }
-    exists (DataFlow::PropWrite pwn | kind = "pre" or kind = "post" |
-      pwn = getMember("link").getAPropertyWrite(kind) and
-      result.flowsTo(pwn.getRhs())
+    (
+      (kind = "pre" or kind = "post") and
+      result = getMember("link").getAPropertySource(kind)
     )
     or
     // { compile: function() { ... return link; } }
@@ -453,9 +453,9 @@ class GeneralDirective extends CustomDirective, MkCustomDirective {
       result = compileReturnSrc
       or
       // link = { pre: function preLink() { ... }, post: function postLink() { ... } }
-      exists (DataFlow::PropWrite pwn | kind = "pre" or kind = "post" |
-        pwn = compileReturnSrc.getAPropertyWrite(kind) and
-        result.flowsTo(pwn.getRhs())
+      (
+        (kind = "pre" or kind = "post") and
+        result = compileReturnSrc.getAPropertySource(kind)
       )
     )
   }
diff --git a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/ServiceDefinitions.qll b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/ServiceDefinitions.qll
@@ -718,11 +718,10 @@ class ProviderRecipeDefinition extends RecipeDefinition {
     method set to your factory function is automatically created
     under the hood.  */
 
-    exists(DataFlow::ThisNode thiz, DataFlow::Node rhs, InjectableFunction f |
+    exists(DataFlow::ThisNode thiz, InjectableFunction f |
       f = getAFactoryFunction() and
       thiz.getBinder().getFunction() = f.asFunction() and
-      thiz.hasPropertyWrite("$get", rhs) and
-      result.flowsTo(rhs)
+      result = thiz.getAPropertySource("$get")
     )
   }
 
diff --git a/javascript/ql/test/library-tests/PropWrite/getAPropertySource.expected b/javascript/ql/test/library-tests/PropWrite/getAPropertySource.expected
@@ -0,0 +1,4 @@
+| tst.js:2:11:10:1 | {\\n    x ...     }\\n} | f | tst.js:7:6:9:5 | () {\\n   ... ;\\n    } |
+| tst.js:2:11:10:1 | {\\n    x ...     }\\n} | func | tst.js:4:11:6:5 | functio ... ;\\n    } |
+| tst.js:12:1:19:1 | class C ... ;\\n  }\\n} | func | tst.js:13:14:15:3 | (x) {\\n  ... x);\\n  } |
+| tst.js:24:8:24:57 | <div on ... }</div> | onClick | tst.js:24:22:24:26 | click |
diff --git a/javascript/ql/test/library-tests/PropWrite/getAPropertySource.ql b/javascript/ql/test/library-tests/PropWrite/getAPropertySource.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from DataFlow::SourceNode nd, string prop
+select nd, prop, nd.getAPropertySource(prop)

Original file line number	Diff line number	Diff line change
`@@ -178,6 +178,13 @@ abstract class SourceNode extends DataFlow::Node {`
`178`	`178`	`DataFlow::NewNode getAnInstantiation() {`
`179`	`179`	`result = getAnInvocation()`
`180`	`180`	`}`
	`181`	`+`
	`182`	`+ /**`
	`183`	+ * Gets a source node whose value is stored in property `prop` of this node.
	`184`	`+ */`
	`185`	`+ DataFlow::SourceNode getAPropertySource(string prop) {`
	`186`	`+ result.flowsTo(getAPropertyWrite(prop).getRhs())`
	`187`	`+ }`
`181`	`188`	`}`
`182`	`189`
`183`	`190`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -718,11 +718,10 @@ class ProviderRecipeDefinition extends RecipeDefinition {`
`718`	`718`	`method set to your factory function is automatically created`
`719`	`719`	`under the hood. */`
`720`	`720`
`721`		`- exists(DataFlow::ThisNode thiz, DataFlow::Node rhs, InjectableFunction f \|`
	`721`	`+ exists(DataFlow::ThisNode thiz, InjectableFunction f \|`
`722`	`722`	`f = getAFactoryFunction() and`
`723`	`723`	`thiz.getBinder().getFunction() = f.asFunction() and`
`724`		`- thiz.hasPropertyWrite("$get", rhs) and`
`725`		`- result.flowsTo(rhs)`
	`724`	`+ result = thiz.getAPropertySource("$get")`
`726`	`725`	`)`
`727`	`726`	`}`
`728`	`727`