add model for chrome-remote-interface as a ClientRequest

erik-krogh · erik-krogh · commit d6afd438ba02 · 2020-02-13T10:58:07.000+01:00
diff --git a/change-notes/1.24/analysis-javascript.md b/change-notes/1.24/analysis-javascript.md
@@ -25,6 +25,7 @@
   - [for-in](https://www.npmjs.com/package/for-in)
   - [for-own](https://www.npmjs.com/package/for-own)
   - [send](https://www.npmjs.com/package/send)
+  - [chrome-remote-interface](https://www.npmjs.com/package/chrome-remote-interface)
 
 ## New queries
 
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -549,4 +549,72 @@ module ClientRequest {
       )
     }
   }
+
+  /**
+   * Gets a reference to a instance of `chrome-remote-interface`.
+   *
+   * An instantiation of `chrome-remote-interface` either accepts a callback or returns a promise. 
+   * 
+   * The `isPromise` parameter reflects whether the reference is a promise containing 
+   * an instance of `chrome-remote-interface`, or an instance of `chrome-remote-interface`. 
+   */
+  private DataFlow::SourceNode chromeRemoteInterface(DataFlow::TypeTracker t, boolean isPromise) {
+    t.start() and
+    exists(DataFlow::CallNode call |
+      call = DataFlow::moduleImport("chrome-remote-interface").getAnInvocation()
+    |
+      result = call and isPromise = true
+      or
+      result = call.getCallback([0 .. 1]).getParameter(0) and isPromise = false
+    )
+    or
+    exists(DataFlow::TypeTracker t2 | result = chromeRemoteInterface(t2, isPromise).track(t2, t))
+    or
+    // Simple promise tracking.
+    exists(DataFlow::TypeTracker t2, DataFlow::SourceNode pred |
+      pred = chromeRemoteInterface(t2, true) and
+      isPromise = false and
+      (
+        t2 = t and
+        exists(AwaitExpr await | DataFlow::valueNode(await.getOperand()).getALocalSource() = pred |
+          result.getEnclosingExpr() = await
+        )
+        or
+        t2 = t and
+        exists(DataFlow::MethodCallNode thenCall |
+          thenCall.getMethodName() = "then" and pred = thenCall.getReceiver().getALocalSource()
+        |
+          result = thenCall.getCallback(0).getParameter(0)
+        )
+      )
+    )
+  }
+
+  /**
+   * A call to navigate a browser controlled by `chrome-remote-interface` to a specific URL.
+   */
+  class ChromeRemoteInterfaceRequest extends ClientRequest::Range, DataFlow::CallNode {
+    int optionsArg;
+
+    ChromeRemoteInterfaceRequest() {
+      exists(DataFlow::SourceNode instance |
+        instance = chromeRemoteInterface(DataFlow::TypeTracker::end(), false)
+      |
+        optionsArg = 0 and
+        this = instance.getAPropertyRead("Page").getAMemberCall("navigate")
+        or
+        optionsArg = 1 and
+        this = instance.getAMemberCall("send") and
+        this.getArgument(0).mayHaveStringValue("Page.navigate")
+      )
+    }
+
+    override DataFlow::Node getUrl() {
+      result = getArgument(optionsArg).getALocalSource().getAPropertyWrite("url").getRhs()
+    }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() { none() }
+  }
 }
