Merge pull request #885 from asger-semmle/async-waterfall

semmle-qlci · web-flow · commit b13c11017cbb · 2019-02-06T16:30:17.000Z
Approved by xiemaisi
diff --git a/change-notes/1.20/analysis-javascript.md b/change-notes/1.20/analysis-javascript.md
@@ -6,6 +6,7 @@
   - client-side code, for example [React](https://reactjs.org/)
   - cookies and webstorage, for example [js-cookie](https://github.com/js-cookie/js-cookie)
   - server-side code, for example [hapi](https://hapijs.com/)
+  - asynchronous code, for example [a-sync-waterfall](https://www.npmjs.com/package/a-sync-waterfall)
 * File classification has been improved to recognize additional generated files, for example files from [HTML Tidy](html-tidy.org).
 
 * The taint tracking library now recognizes flow through persistent storage, class fields, and callbacks in certain cases. This may give more results for the security queries.
diff --git a/javascript/ql/src/semmle/javascript/frameworks/AsyncPackage.qll b/javascript/ql/src/semmle/javascript/frameworks/AsyncPackage.qll
@@ -29,7 +29,10 @@ module AsyncPackage {
    * A call to `async.waterfall`.
    */
   class Waterfall extends DataFlow::InvokeNode {
-    Waterfall() { this = member("waterfall").getACall() }
+    Waterfall() {
+      this = member("waterfall").getACall() or
+      this = DataFlow::moduleImport("a-sync-waterfall").getACall()
+    }
 
     /**
      * Gets the array of tasks, if it can be found.
diff --git a/javascript/ql/test/library-tests/frameworks/AsyncPackage/AsyncTaintTracking.expected b/javascript/ql/test/library-tests/frameworks/AsyncPackage/AsyncTaintTracking.expected
@@ -3,6 +3,8 @@
 | map.js:20:19:20:26 | source() | map.js:23:27:23:32 | result |
 | map.js:26:13:26:20 | source() | map.js:28:27:28:32 | result |
 | sortBy.js:10:22:10:29 | source() | sortBy.js:12:27:12:32 | result |
-| waterfall.js:7:30:7:37 | source() | waterfall.js:10:12:10:16 | taint |
-| waterfall.js:7:30:7:37 | source() | waterfall.js:19:10:19:14 | taint |
-| waterfall.js:27:18:27:25 | source() | waterfall.js:38:10:38:12 | err |
+| waterfall.js:8:30:8:37 | source() | waterfall.js:11:12:11:16 | taint |
+| waterfall.js:8:30:8:37 | source() | waterfall.js:20:10:20:14 | taint |
+| waterfall.js:28:18:28:25 | source() | waterfall.js:39:10:39:12 | err |
+| waterfall.js:46:22:46:29 | source() | waterfall.js:49:12:49:16 | taint |
+| waterfall.js:46:22:46:29 | source() | waterfall.js:55:10:55:14 | taint |
diff --git a/javascript/ql/test/library-tests/frameworks/AsyncPackage/waterfall.js b/javascript/ql/test/library-tests/frameworks/AsyncPackage/waterfall.js
@@ -1,4 +1,5 @@
 let async_ = require('async');
+let waterfall = require('a-sync-waterfall');
 
 var source, sink, somethingWrong;
 
@@ -39,3 +40,18 @@ async_.waterfall([
     sink(safe); // OK
   }
 );
+
+waterfall([
+    function(callback) {
+      callback(null, source());
+    },
+    function(taint, callback) {
+      sink(taint); // NOT OK
+      callback(null, taint);
+    }
+  ],
+  function(err, taint) {
+    sink(err); // OK
+    sink(taint); // NOT OK
+  }
+);
