JS: Add dedicated API graph label for receiver, instead of parameter -1

asgerf · asgerf · commit 6bef5a70b318 · 2022-03-23T10:42:51.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -561,9 +561,10 @@ module API {
           rhs = f.getExceptionalReturn()
         )
         or
-        exists(int i |
-          lbl = Label::parameter(i) and
-          argumentPassing(base, i, rhs)
+        exists(int i | argumentPassing(base, i, rhs) |
+          lbl = Label::parameter(i)
+          or
+          i = -1 and lbl = Label::receiver()
         )
         or
         exists(DataFlow::SourceNode src, DataFlow::PropWrite pw |
@@ -1096,8 +1097,8 @@ module API {
      */
     LabelParameter parameter(int i) { result.getIndex() = i }
 
-    /** Gets the `parameter` edge label for the receiver. */
-    LabelParameter receiver() { result = parameter(-1) }
+    /** Gets the edge label for the receiver. */
+    LabelReceiver receiver() { any() }
 
     /** Gets the `return` edge label. */
     LabelReturn return() { any() }
@@ -1132,12 +1133,13 @@ module API {
         MkLabelUnknownMember() or
         MkLabelParameter(int i) {
           i =
-            [-1 .. max(int args |
+            [0 .. max(int args |
                 args = any(InvokeExpr invk).getNumArgument() or
                 args = any(Function f).getNumParameter()
               )] or
           i = [0 .. 10]
         } or
+        MkLabelReceiver() or
         MkLabelReturn() or
         MkLabelPromised() or
         MkLabelPromisedError() or
@@ -1225,6 +1227,11 @@ module API {
         /** Gets the index of the parameter for this label. */
         int getIndex() { result = i }
       }
+
+      /** A label for the receiver of call, that is, the value passed as `this`. */
+      class LabelReceiver extends ApiLabel, MkLabelReceiver {
+        override string toString() { result = "receiver" }
+      }
     }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
@@ -219,7 +219,6 @@ module ExternalApiUsedWithUntrustedData {
         or
         exists(string callbackName, int index |
           node = getNamedParameter(base.getParameter(index).getMember(callbackName), paramName) and
-          index != -1 and // ignore receiver
           result =
             basename + ".[callback " + index + " '" + callbackName + "'].[param '" + paramName +
               "']"
diff --git a/javascript/ql/test/ApiGraphs/bound-args/index.js b/javascript/ql/test/ApiGraphs/bound-args/index.js
@@ -1,15 +1,15 @@
 import bar from 'foo';
 
 let boundbar = bar.bind(
-    "receiver", // def (parameter -1 (member default (member exports (module foo))))
+    "receiver", // def (receiver (member default (member exports (module foo))))
     "firstarg"  // def (parameter 0 (member default (member exports (module foo))))
 );
 boundbar(
     "secondarg" // def (parameter 1 (member default (member exports (module foo))))
 )
 
 let boundbar2 = boundbar.bind(
-    "ignored", // !def (parameter -1 (member default (member exports (module foo))))
+    "ignored", // !def (receiver (member default (member exports (module foo))))
     "othersecondarg" // def (parameter 1 (member default (member exports (module foo))))
 )
 boundbar2(
diff --git a/javascript/ql/test/ApiGraphs/partial-invoke/index.js b/javascript/ql/test/ApiGraphs/partial-invoke/index.js
@@ -2,7 +2,7 @@ const cp = require('child_process');
 
 module.exports = function () {
     return cp.spawn.bind(
-        cp,   // def (parameter -1 (member spawn (member exports (module child_process))))
+        cp,   // def (receiver (member spawn (member exports (module child_process))))
         "cat" // def (parameter 0 (member spawn (member exports (module child_process))))
     );
 };
