add data-flow steps for when Promise handlers return other promises

erik-krogh · erik-krogh · commit fe0b6a86d7d5 · 2020-01-21T16:15:18.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/Promises.qll b/javascript/ql/src/semmle/javascript/Promises.qll
@@ -227,6 +227,11 @@ private module PromiseFlow {
       prop = rejectField() and
       pred = getReceiver() and
       succ = this
+      or
+      // read the value of a resolved/rejected promise that is returned
+      (prop = rejectField() or prop = resolveField()) and
+      pred = getCallback(0).getAReturn() and
+      succ = this
     }
     
     override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
@@ -258,6 +263,11 @@ private module PromiseFlow {
       prop = resolveField() and
       pred = getReceiver().getALocalSource() and
       succ = this
+      or
+      // read the value of a resolved/rejected promise that is returned
+      (prop = rejectField() or prop = resolveField()) and
+      pred = getCallback(0).getAReturn() and
+      succ = this
     }
 
     override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
@@ -283,9 +293,13 @@ private module PromiseFlow {
       (prop = resolveField() or prop = rejectField()) and
       pred = getReceiver() and
       succ = this
+      or
+      // read the value of a rejected promise that is returned
+      prop = rejectField() and
+      pred = getCallback(0).getAReturn() and
+      succ = this
     }
 
-    // a similar thing can also happen if a rejected promise is returned.
     override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
       prop = rejectField() and
       pred = getCallback(0).getExceptionalReturn() and
diff --git a/javascript/ql/test/library-tests/Promises/flow.js b/javascript/ql/test/library-tests/Promises/flow.js
@@ -103,4 +103,26 @@
 	new Promise((resolve, reject) => reject("BLA")).catch(x => {return source}).then(x => sink(x)); // NOT OK
 	
 	new Promise((resolve, reject) => reject("BLA")).finally(x => {throw source}).catch(x => sink(x)); // NOT OK
+	
+	var rejected = new Promise((resolve, reject) => reject(source));
+	
+	new Promise((resolve, reject) => reject("BLA")).finally(x => rejected).catch(x => sink(x)); // NOT OK
+	
+	new Promise((resolve, reject) => reject("BLA")).catch(x => rejected).then(x => sink(x)) // OK
+	
+	new Promise((resolve, reject) => reject("BLA")).catch(x => rejected).catch(x => sink(x)) // NOT OK
+	
+	var resolved = Promise.resolve(source);
+	
+	new Promise((resolve, reject) => reject("BLA")).catch(x => resolved).catch(x => sink(x)) // OK
+	
+	new Promise((resolve, reject) => reject("BLA")).catch(x => resolved).then(x => sink(x)) // NOT OK
+	
+	Promise.resolve(123).then(x => resolved).catch(x => sink(x)) // OK
+	
+	Promise.resolve(123).then(x => resolved).then(x => sink(x)) // NOT OK
+	
+	Promise.resolve(123).then(x => rejected).catch(x => sink(x)) // NOT OK
+	
+	Promise.resolve(123).then(x => rejected).then(x => sink(x)) // OK
 })();
diff --git a/javascript/ql/test/library-tests/Promises/tests.expected b/javascript/ql/test/library-tests/Promises/tests.expected
@@ -10,6 +10,11 @@ test_ResolvedPromiseDefinition
 | flow.js:46:2:46:24 | Promise ... source) | flow.js:46:18:46:23 | source |
 | flow.js:51:10:51:29 | Promise.resolve(src) | flow.js:51:26:51:28 | src |
 | flow.js:81:23:81:45 | Promise ... source) | flow.js:81:39:81:44 | source |
+| flow.js:115:17:115:39 | Promise ... source) | flow.js:115:33:115:38 | source |
+| flow.js:121:2:121:21 | Promise.resolve(123) | flow.js:121:18:121:20 | 123 |
+| flow.js:123:2:123:21 | Promise.resolve(123) | flow.js:123:18:123:20 | 123 |
+| flow.js:125:2:125:21 | Promise.resolve(123) | flow.js:125:18:125:20 | 123 |
+| flow.js:127:2:127:21 | Promise.resolve(123) | flow.js:127:18:127:20 | 123 |
 | promises.js:53:19:53:41 | Promise ... source) | promises.js:53:35:53:40 | source |
 | promises.js:62:19:62:41 | Promise ... source) | promises.js:62:35:62:40 | source |
 | promises.js:71:5:71:27 | Promise ... source) | promises.js:71:21:71:26 | source |
@@ -20,6 +25,11 @@ test_PromiseDefinition_getARejectHandler
 | flow.js:48:2:48:36 | new Pro ... urce }) | flow.js:48:44:48:55 | x => sink(x) |
 | flow.js:103:2:103:48 | new Pro ... "BLA")) | flow.js:103:56:103:75 | x => {return source} |
 | flow.js:105:2:105:48 | new Pro ... "BLA")) | flow.js:105:58:105:76 | x => {throw source} |
+| flow.js:109:2:109:48 | new Pro ... "BLA")) | flow.js:109:58:109:70 | x => rejected |
+| flow.js:111:2:111:48 | new Pro ... "BLA")) | flow.js:111:56:111:68 | x => rejected |
+| flow.js:113:2:113:48 | new Pro ... "BLA")) | flow.js:113:56:113:68 | x => rejected |
+| flow.js:117:2:117:48 | new Pro ... "BLA")) | flow.js:117:56:117:68 | x => resolved |
+| flow.js:119:2:119:48 | new Pro ... "BLA")) | flow.js:119:56:119:68 | x => resolved |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:20:6:22:3 | (v) =>  ...  v;\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:23:18:25:3 | (v) =>  ...  v;\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:26:20:28:3 | (v) =>  ...  v;\\n  } |
@@ -42,13 +52,20 @@ test_PromiseDefinition_getExecutor
 | flow.js:100:28:100:75 | new Pro ... ource)) | flow.js:100:40:100:74 | (resolv ... source) |
 | flow.js:103:2:103:48 | new Pro ... "BLA")) | flow.js:103:14:103:47 | (resolv ... ("BLA") |
 | flow.js:105:2:105:48 | new Pro ... "BLA")) | flow.js:105:14:105:47 | (resolv ... ("BLA") |
+| flow.js:107:17:107:64 | new Pro ... ource)) | flow.js:107:29:107:63 | (resolv ... source) |
+| flow.js:109:2:109:48 | new Pro ... "BLA")) | flow.js:109:14:109:47 | (resolv ... ("BLA") |
+| flow.js:111:2:111:48 | new Pro ... "BLA")) | flow.js:111:14:111:47 | (resolv ... ("BLA") |
+| flow.js:113:2:113:48 | new Pro ... "BLA")) | flow.js:113:14:113:47 | (resolv ... ("BLA") |
+| flow.js:117:2:117:48 | new Pro ... "BLA")) | flow.js:117:14:117:47 | (resolv ... ("BLA") |
+| flow.js:119:2:119:48 | new Pro ... "BLA")) | flow.js:119:14:119:47 | (resolv ... ("BLA") |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:24:15:5 | functio ... ;\\n    } |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:29:5:3 | functio ... e);\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:30:17:3 | (res, r ... e);\\n  } |
 | promises.js:33:19:35:6 | new Pro ... \\n    }) | promises.js:33:31:35:5 | functio ... ;\\n    } |
 | promises.js:43:19:45:6 | Q.Promi ... \\n    }) | promises.js:43:29:45:5 | functio ... ;\\n    } |
 test_PromiseDefinition_getAFinallyHandler
 | flow.js:105:2:105:48 | new Pro ... "BLA")) | flow.js:105:58:105:76 | x => {throw source} |
+| flow.js:109:2:109:48 | new Pro ... "BLA")) | flow.js:109:58:109:70 | x => rejected |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:26:20:28:3 | (v) =>  ...  v;\\n  } |
 test_PromiseDefinition
 | flow.js:7:11:7:59 | new Pro ... ource)) |
@@ -69,6 +86,12 @@ test_PromiseDefinition
 | flow.js:100:28:100:75 | new Pro ... ource)) |
 | flow.js:103:2:103:48 | new Pro ... "BLA")) |
 | flow.js:105:2:105:48 | new Pro ... "BLA")) |
+| flow.js:107:17:107:64 | new Pro ... ource)) |
+| flow.js:109:2:109:48 | new Pro ... "BLA")) |
+| flow.js:111:2:111:48 | new Pro ... "BLA")) |
+| flow.js:113:2:113:48 | new Pro ... "BLA")) |
+| flow.js:117:2:117:48 | new Pro ... "BLA")) |
+| flow.js:119:2:119:48 | new Pro ... "BLA")) |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) |
@@ -84,6 +107,7 @@ test_PromiseDefinition_getAResolveHandler
 | flow.js:74:10:74:57 | new Pro ... ource)) | flow.js:74:64:74:71 | () => {} |
 | flow.js:91:21:91:68 | new Pro ... ource)) | flow.js:91:75:91:82 | () => {} |
 | flow.js:105:2:105:48 | new Pro ... "BLA")) | flow.js:105:58:105:76 | x => {throw source} |
+| flow.js:109:2:109:48 | new Pro ... "BLA")) | flow.js:109:58:109:70 | x => rejected |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:6:16:8:3 | functio ... al;\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:18:17:20:3 | (v) =>  ...  v;\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:26:20:28:3 | (v) =>  ...  v;\\n  } |
@@ -107,6 +131,12 @@ test_PromiseDefinition_getRejectParameter
 | flow.js:100:28:100:75 | new Pro ... ource)) | flow.js:100:50:100:55 | reject |
 | flow.js:103:2:103:48 | new Pro ... "BLA")) | flow.js:103:24:103:29 | reject |
 | flow.js:105:2:105:48 | new Pro ... "BLA")) | flow.js:105:24:105:29 | reject |
+| flow.js:107:17:107:64 | new Pro ... ource)) | flow.js:107:39:107:44 | reject |
+| flow.js:109:2:109:48 | new Pro ... "BLA")) | flow.js:109:24:109:29 | reject |
+| flow.js:111:2:111:48 | new Pro ... "BLA")) | flow.js:111:24:111:29 | reject |
+| flow.js:113:2:113:48 | new Pro ... "BLA")) | flow.js:113:24:113:29 | reject |
+| flow.js:117:2:117:48 | new Pro ... "BLA")) | flow.js:117:24:117:29 | reject |
+| flow.js:119:2:119:48 | new Pro ... "BLA")) | flow.js:119:24:119:29 | reject |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:43:11:48 | reject |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:48:3:53 | reject |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:36:10:38 | rej |
@@ -130,6 +160,12 @@ test_PromiseDefinition_getResolveParameter
 | flow.js:100:28:100:75 | new Pro ... ource)) | flow.js:100:41:100:47 | resolve |
 | flow.js:103:2:103:48 | new Pro ... "BLA")) | flow.js:103:15:103:21 | resolve |
 | flow.js:105:2:105:48 | new Pro ... "BLA")) | flow.js:105:15:105:21 | resolve |
+| flow.js:107:17:107:64 | new Pro ... ource)) | flow.js:107:30:107:36 | resolve |
+| flow.js:109:2:109:48 | new Pro ... "BLA")) | flow.js:109:15:109:21 | resolve |
+| flow.js:111:2:111:48 | new Pro ... "BLA")) | flow.js:111:15:111:21 | resolve |
+| flow.js:113:2:113:48 | new Pro ... "BLA")) | flow.js:113:15:113:21 | resolve |
+| flow.js:117:2:117:48 | new Pro ... "BLA")) | flow.js:117:15:117:21 | resolve |
+| flow.js:119:2:119:48 | new Pro ... "BLA")) | flow.js:119:15:119:21 | resolve |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:34:11:40 | resolve |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:39:3:45 | resolve |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:31:10:33 | res |
@@ -139,6 +175,10 @@ test_PromiseDefinition_getACatchHandler
 | flow.js:32:2:32:49 | new Pro ... ource)) | flow.js:32:57:32:68 | x => sink(x) |
 | flow.js:48:2:48:36 | new Pro ... urce }) | flow.js:48:44:48:55 | x => sink(x) |
 | flow.js:103:2:103:48 | new Pro ... "BLA")) | flow.js:103:56:103:75 | x => {return source} |
+| flow.js:111:2:111:48 | new Pro ... "BLA")) | flow.js:111:56:111:68 | x => rejected |
+| flow.js:113:2:113:48 | new Pro ... "BLA")) | flow.js:113:56:113:68 | x => rejected |
+| flow.js:117:2:117:48 | new Pro ... "BLA")) | flow.js:117:56:117:68 | x => resolved |
+| flow.js:119:2:119:48 | new Pro ... "BLA")) | flow.js:119:56:119:68 | x => resolved |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:23:18:25:3 | (v) =>  ...  v;\\n  } |
 flow
 | flow.js:2:15:2:22 | "source" | flow.js:5:7:5:14 | await p1 |
@@ -165,4 +205,9 @@ flow
 | flow.js:2:15:2:22 | "source" | flow.js:101:7:101:9 | foo |
 | flow.js:2:15:2:22 | "source" | flow.js:103:93:103:93 | x |
 | flow.js:2:15:2:22 | "source" | flow.js:105:95:105:95 | x |
+| flow.js:2:15:2:22 | "source" | flow.js:109:89:109:89 | x |
+| flow.js:2:15:2:22 | "source" | flow.js:113:87:113:87 | x |
+| flow.js:2:15:2:22 | "source" | flow.js:119:86:119:86 | x |
+| flow.js:2:15:2:22 | "source" | flow.js:123:58:123:58 | x |
+| flow.js:2:15:2:22 | "source" | flow.js:125:59:125:59 | x |
 | interflow.js:3:18:3:25 | "source" | interflow.js:18:10:18:14 | error |
