JS: deduplicate promiseTaintStep

asger-semmle · asger-semmle · commit b6fdbdcf84cc · 2019-01-17T13:04:16.000Z
diff --git a/javascript/ql/src/semmle/javascript/Promises.qll b/javascript/ql/src/semmle/javascript/Promises.qll
@@ -4,42 +4,6 @@
 
 import javascript
 
-/**
- * Holds if taint propagates from `pred` to `succ` through promises.
- */
-private predicate promiseTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-  // from `x` to `new Promise((res, rej) => res(x))`
-  pred = succ.(PromiseDefinition).getResolveParameter().getACall().getArgument(0)
-  or
-  // from `x` to `Promise.resolve(x)`
-  pred = succ.(ResolvedPromiseDefinition).getValue()
-  or
-  exists(DataFlow::MethodCallNode thn, DataFlow::FunctionNode cb |
-    thn.getMethodName() = "then" and cb = thn.getCallback(0)
-  |
-    // from `p` to `x` in `p.then(x => ...)`
-    pred = thn.getReceiver() and
-    succ = cb.getParameter(0)
-    or
-    // from `v` to `p.then(x => return v)`
-    pred = cb.getFunction().getAReturnedExpr().flow() and
-    succ = thn
-  )
-}
-
-/**
- * An additional taint step that involves promises.
- */
-private class PromiseTaintStep extends TaintTracking::AdditionalTaintStep {
-  DataFlow::Node source;
-
-  PromiseTaintStep() { promiseTaintStep(source, this) }
-
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    pred = source and succ = this
-  }
-}
-
 /**
  * Provides classes for working with the `bluebird` library (http://bluebirdjs.com).
  */
diff --git a/javascript/ql/src/semmle/javascript/StandardLibrary.qll b/javascript/ql/src/semmle/javascript/StandardLibrary.qll
@@ -185,8 +185,7 @@ private predicate promiseTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
   pred = succ.(PromiseDefinition).getResolveParameter().getACall().getArgument(0)
   or
   // from `x` to `Promise.resolve(x)`
-  succ = DataFlow::globalVarRef("Promise").getAMemberCall("resolve") and
-  pred = succ.(DataFlow::CallNode).getArgument(0)
+  pred = succ.(ResolvedPromiseDefinition).getValue()
   or
   exists(DataFlow::MethodCallNode thn, DataFlow::FunctionNode cb |
     thn.getMethodName() = "then" and cb = thn.getCallback(0)
@@ -204,7 +203,7 @@ private predicate promiseTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
 /**
  * An additional taint step that involves promises.
  */
-private class PromiseTaintStep extends TaintTracking::AdditionalTaintStep {
+private class PromiseTaintStep extends TaintTracking::AdditionalTaintStep {  
   DataFlow::Node source;
 
   PromiseTaintStep() { promiseTaintStep(source, this) }
