add support for fromJS in the Immutable model

erik-krogh · erik-krogh · commit a5c9492c872c · 2021-02-04T12:05:44.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -29,29 +29,26 @@ private module Immutable {
   }
 
   /**
-   * An instance of an immutable map.
+   * An instance of any immutable collection.
    */
-  API::Node immutableMap() {
-    result = immutableImport().getMember("Map").getReturn()
+  API::Node immutableCollection() {
+    result = immutableImport().getMember(["Map", "fromJS"]).getReturn()
     or
-    result = immutableMap().getMember("set").getReturn()
+    result.getAnImmediateUse() = step(immutableCollection().getAUse())
   }
 
-  /**
-   * An instance of any immutable collection.
-   */
-  API::Node immutableCollection() { result = immutableMap() }
-
   /**
    * Gets the immutable collection where `pred` has been stored using the name `prop`.
    */
   DataFlow::SourceNode storeStep(DataFlow::Node pred, string prop) {
-    exists(DataFlow::CallNode call | call = immutableImport().getMember("Map").getACall() |
+    exists(DataFlow::CallNode call |
+      call = immutableImport().getMember(["Map", "fromJS"]).getACall()
+    |
       pred = call.getOptionArgument(0, prop) and
       result = call
     )
     or
-    exists(DataFlow::CallNode call | call = immutableMap().getMember("set").getACall() |
+    exists(DataFlow::CallNode call | call = immutableCollection().getMember("set").getACall() |
       call.getArgument(0).mayHaveStringValue(prop) and
       pred = call.getArgument(1) and
       result = call
@@ -63,7 +60,9 @@ private module Immutable {
    */
   DataFlow::Node loadStep(DataFlow::Node pred, string prop) {
     // map.get()
-    exists(DataFlow::MethodCallNode call | call = immutableMap().getMember("get").getACall() |
+    exists(DataFlow::MethodCallNode call |
+      call = immutableCollection().getMember("get").getACall()
+    |
       call.getArgument(0).mayHaveStringValue(prop) and
       pred = call.getReceiver() and
       result = call
@@ -73,14 +72,14 @@ private module Immutable {
   /**
    * Gets an immutable collection that contains all the elements from `pred`.
    */
-  DataFlow::Node step(DataFlow::Node pred) {
+  DataFlow::SourceNode step(DataFlow::Node pred) {
     // map.set() copies all existing values
-    exists(DataFlow::CallNode call | call = immutableMap().getMember("set").getACall() |
+    exists(DataFlow::CallNode call | call = immutableCollection().getMember("set").getACall() |
       pred = call.getReceiver() and
       result = call
     )
     or
-    // toJS() or any immutable collection converts it to a plain JavaScript object/array.
+    // toJS() or any immutable collection converts it to a plain JavaScript object/array (and vice versa for `fromJS`).
     exists(DataFlow::CallNode call | call = immutableCollection().getMember("toJS").getACall() |
       pred = call.getReceiver() and
       result = call
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -1,7 +1,7 @@
 var obj = { a: source("a"), b: source("b1") };
 sink(obj["a"]); // NOT OK
 
-const { Map } = require('immutable');
+const { Map, fromJS } = require('immutable');
 
 const map1 = Map(obj);
 
@@ -17,4 +17,6 @@ sink(map1.get("d")); // OK
 sink(map3.get("d")); // NOT OK
 
 
-sink(map3.toJS()["a"]); // NOT OK
+sink(map3.toJS()["a"]); // NOT OK
+
+sink(fromJS({"e": source("e")}).get("e")); // NOT OK
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -5,3 +5,4 @@
 | immutable.js:1:32:1:43 | source("b1") | immutable.js:8:6:8:18 | map1.get("b") |
 | immutable.js:1:32:1:43 | source("b1") | immutable.js:13:6:13:18 | map2.get("b") |
 | immutable.js:15:28:15:38 | source("d") | immutable.js:17:6:17:18 | map3.get("d") |
+| immutable.js:22:19:22:29 | source("e") | immutable.js:22:6:22:40 | fromJS( ... et("e") |
