add support for private fields in classes

erik-krogh · erik-krogh · commit b8834ffcad1e · 2020-01-29T13:10:45.000+01:00
diff --git a/javascript/extractor/src/com/semmle/jcorn/Parser.java b/javascript/extractor/src/com/semmle/jcorn/Parser.java
@@ -5,6 +5,7 @@
 
 import com.semmle.jcorn.Identifiers.Dialect;
 import com.semmle.jcorn.Options.AllowReserved;
+import com.semmle.jcorn.TokenType.Properties;
 import com.semmle.js.ast.ArrayExpression;
 import com.semmle.js.ast.ArrayPattern;
 import com.semmle.js.ast.ArrowFunctionExpression;
@@ -44,6 +45,7 @@
 import com.semmle.js.ast.IPattern;
 import com.semmle.js.ast.Identifier;
 import com.semmle.js.ast.IfStatement;
+import com.semmle.js.ast.FieldDefinition;
 import com.semmle.js.ast.ImportDeclaration;
 import com.semmle.js.ast.ImportDefaultSpecifier;
 import com.semmle.js.ast.ImportNamespaceSpecifier;
@@ -124,6 +126,7 @@ public class Parser {
   private boolean inModule;
   protected boolean inFunction;
   protected boolean inGenerator;
+  protected boolean inClass;
   protected boolean inAsync;
   protected boolean inTemplateElement;
   protected int pos;
@@ -240,8 +243,8 @@ public Parser(Options options, String input, int startPos) {
     // Used to signify the start of a potential arrow function
     this.potentialArrowAt = -1;
 
-    // Flags to track whether we are in a function, a generator, an async function.
-    this.inFunction = this.inGenerator = this.inAsync = false;
+    // Flags to track whether we are in a function, a generator, an async function, a class.
+    this.inFunction = this.inGenerator = this.inAsync = this.inClass = false;
     // Positions to delayed-check that yield/await does not exist in default parameters.
     this.yieldPos = this.awaitPos = 0;
     // Labels in scope.
@@ -651,6 +654,9 @@ protected Token getTokenFromCode(int code) {
       case 58:
         ++this.pos;
         return this.finishToken(TokenType.colon);
+      case 35: 
+        ++this.pos;
+        return this.finishToken(TokenType.pound);
       case 63:
         return this.readToken_question();
 
@@ -2191,6 +2197,7 @@ protected Expression processExprListItem(Expression e) {
   // identifiers.
   protected Identifier parseIdent(boolean liberal) {
     Position startLoc = this.startLoc;
+    boolean isPrivateField = liberal && this.eat(TokenType.pound);
     if (liberal && this.options.allowReserved() == AllowReserved.NEVER) liberal = false;
     String name = null;
     if (this.type == TokenType.name) {
@@ -2199,9 +2206,9 @@ protected Identifier parseIdent(boolean liberal) {
           && (this.options.ecmaVersion() >= 6
               || inputSubstring(this.start, this.end).indexOf("\\") == -1))
         this.raiseRecoverable(this.start, "The keyword '" + this.value + "' is reserved");
-      if (this.inGenerator && this.value.equals("yield"))
+      if (!isPrivateField && this.inGenerator && this.value.equals("yield"))
         this.raiseRecoverable(this.start, "Can not use 'yield' as identifier inside a generator");
-      if (this.inAsync && this.value.equals("await"))
+      if (!isPrivateField && this.inAsync && this.value.equals("await"))
         this.raiseRecoverable(
             this.start, "Can not use 'await' as identifier inside an async function");
       name = String.valueOf(this.value);
@@ -2213,6 +2220,12 @@ protected Identifier parseIdent(boolean liberal) {
       this.unexpected();
     }
     this.next();
+    if (isPrivateField) {
+      if (!this.inClass) {
+        this.raiseRecoverable(this.start, "Cannot use private fields outside a class");
+      }
+      name = "#" + name;
+    }
     Identifier node = new Identifier(new SourceLocation(startLoc), name);
     return this.finishNode(node);
   }
@@ -3127,6 +3140,8 @@ protected List<Expression> parseFunctionParams() {
   // Parse a class declaration or literal (depending on the
   // `isStatement` parameter).
   protected Node parseClass(Position startLoc, boolean isStatement) {
+    boolean oldInClass = this.inClass;
+    this.inClass = true;
     SourceLocation loc = new SourceLocation(startLoc);
     this.next();
     Identifier id = this.parseClassId(isStatement);
@@ -3145,6 +3160,8 @@ protected Node parseClass(Position startLoc, boolean isStatement) {
     Node node;
     if (isStatement) node = new ClassDeclaration(loc, id, superClass, classBody);
     else node = new ClassExpression(loc, id, superClass, classBody);
+
+    this.inClass = oldInClass;
     return this.finishNode(node);
   }
 
diff --git a/javascript/extractor/src/com/semmle/jcorn/TokenType.java b/javascript/extractor/src/com/semmle/jcorn/TokenType.java
@@ -85,6 +85,7 @@ public void updateContext(Parser parser, TokenType prevType) {
       dot = new TokenType(new Properties(".")),
       questiondot = new TokenType(new Properties("?.")),
       question = new TokenType(new Properties("?").beforeExpr()),
+      pound = new TokenType(kw("#")),
       arrow = new TokenType(new Properties("=>").beforeExpr()),
       template = new TokenType(new Properties("template")),
       invalidTemplate = new TokenType(new Properties("invalidTemplate")),
diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -535,6 +535,10 @@ module DataFlow {
      */
     pragma[noinline]
     predicate accesses(Node base, string p) { getBase() = base and getPropertyName() = p }
+    
+    predicate isPrivateField() {
+      getPropertyName().charAt(0) = "#" and getPropertyNameExpr() instanceof Label
+    }
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/Classes/ClassFlow.qll b/javascript/ql/test/library-tests/Classes/ClassFlow.qll
@@ -0,0 +1,17 @@
+import javascript
+
+class Configuration extends DataFlow::Configuration {
+  Configuration() { this = "ClassDataFlowTestingConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.getEnclosingExpr().(StringLiteral).getValue().toLowerCase() = "source"
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument() = sink
+  }
+}
+
+query predicate dataflow(DataFlow::Node pred, DataFlow::Node succ) {
+  any(Configuration c).hasFlow(pred, succ)
+}
diff --git a/javascript/ql/test/library-tests/Classes/PrivateField.qll b/javascript/ql/test/library-tests/Classes/PrivateField.qll
@@ -0,0 +1,9 @@
+import javascript
+
+query string getAccessModifier(DataFlow::PropRef ref, Expr prop) {
+  prop = ref.getPropertyNameExpr() and
+  if ref.isPrivateField() then
+    result = "Private"
+  else 
+    result = "Public"
+}
diff --git a/javascript/ql/test/library-tests/Classes/dataflow.js b/javascript/ql/test/library-tests/Classes/dataflow.js
@@ -0,0 +1,17 @@
+(function () {
+	var source = "source";
+	
+	class Foo {
+		#priv = source;
+		getPriv() {
+			return this.#priv;
+		}
+		
+		getFalsePrivate() {
+			return this["#priv"]; // not the same field as above. But we currently don't distinguish private and "public" fields.  
+		}
+	}
+	sink(new Foo().getPriv()); // NOT OK.
+	
+	sink(new Foo().getFalsePrivate()); // OK [FP: Is FP because we do nothing special about dataflow for private fields.]
+})();
diff --git a/javascript/ql/test/library-tests/Classes/privateFields.js b/javascript/ql/test/library-tests/Classes/privateFields.js
@@ -0,0 +1,22 @@
+class Foo {
+	#privDecl = 3;
+	#if = "if"; // "keywords" are ok.
+	reads() {
+		var foo = this.#privUse;
+		var bar = this["#publicComputed"]
+		var baz = this.#if;
+	}
+	
+	equals(o) {
+		return this.#privDecl === o.#privDecl;
+	}
+	
+	writes() {
+		this.#privDecl = 4;		
+		this["#public"] = 5;
+	}
+	
+	#privSecond; // is a PropNode, not a PropRef. Doesn't matter.
+	
+	["#publicField"] = 6;
+}
diff --git a/javascript/ql/test/library-tests/Classes/tests.expected b/javascript/ql/test/library-tests/Classes/tests.expected
diff --git a/javascript/ql/test/library-tests/Classes/tests.ql b/javascript/ql/test/library-tests/Classes/tests.ql
