Merge commit '7c35309732dd2aa4dc0b4e2949922272ad448854' into js-cg-tests

RasmusWL · RasmusWL · commit 28c3d35e9b1b · 2024-03-18T13:08:46.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
@@ -1262,6 +1262,12 @@ module ClassNode {
     result.getFile() = f
   }
 
+  pragma[nomagic]
+  private DataFlow::NewNode getAnInstantiationInFile(string name, File f) {
+    result = AccessPath::getAReferenceTo(name).(DataFlow::LocalSourceNode).getAnInstantiation() and
+    result.getFile() = f
+  }
+
   /**
    * Gets a reference to the function `func`, where there exists a read/write of the "prototype" property on that reference.
    */
@@ -1273,7 +1279,7 @@ module ClassNode {
   }
 
   /**
-   * A function definition with prototype manipulation as a `ClassNode` instance.
+   * A function definition, targeted by a `new`-call or with prototype manipulation, seen as a `ClassNode` instance.
    */
   class FunctionStyleClass extends Range, DataFlow::ValueNode {
     override Function astNode;
@@ -1284,9 +1290,12 @@ module ClassNode {
       (
         exists(getAFunctionValueWithPrototype(function))
         or
-        exists(string name |
-          this = AccessPath::getAnAssignmentTo(name) and
+        function = any(NewNode new).getCalleeNode().analyze().getAValue()
+        or
+        exists(string name | this = AccessPath::getAnAssignmentTo(name) |
           exists(getAPrototypeReferenceInFile(name, this.getFile()))
+          or
+          exists(getAnInstantiationInFile(name, this.getFile()))
         )
       )
     }
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/CallGraphs.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/CallGraphs.qll
@@ -241,24 +241,25 @@ module CallGraph {
     )
   }
 
-  private DataFlow::FunctionNode getAMethodOnPlainObject(DataFlow::SourceNode node) {
+  private DataFlow::FunctionNode getAMethodOnObject(DataFlow::SourceNode node) {
     (
-      (
-        node instanceof DataFlow::ObjectLiteralNode
-        or
-        node instanceof DataFlow::FunctionNode
-      ) and
       result = node.getAPropertySource()
       or
       result = node.(DataFlow::ObjectLiteralNode).getPropertyGetter(_)
       or
       result = node.(DataFlow::ObjectLiteralNode).getPropertySetter(_)
     ) and
-    not node.getTopLevel().isExterns()
+    not node.getTopLevel().isExterns() and
+    // Ignore writes to `this` inside a constructor, since this is already handled by instance method tracking
+    not exists(DataFlow::ClassNode cls |
+      node = cls.getConstructor().getReceiver()
+      or
+      node = cls.(DataFlow::ClassNode::FunctionStyleClass).getAPrototypeReference()
+    )
   }
 
   private predicate shouldTrackObjectWithMethods(DataFlow::SourceNode node) {
-    exists(getAMethodOnPlainObject(node))
+    exists(getAMethodOnObject(node))
   }
 
   /**
@@ -292,7 +293,7 @@ module CallGraph {
   predicate impliedReceiverStep(DataFlow::SourceNode pred, DataFlow::SourceNode succ) {
     exists(DataFlow::SourceNode host |
       pred = getAnAllocationSiteRef(host) and
-      succ = getAMethodOnPlainObject(host).getReceiver()
+      succ = getAMethodOnObject(host).getReceiver()
     )
   }
 }
diff --git a/javascript/ql/src/change-notes/2024-03-07-lift-cg-restriction.md b/javascript/ql/src/change-notes/2024-03-07-lift-cg-restriction.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The call graph has been improved, leading to more alerts for data flow based queries.
diff --git a/javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected b/javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected
@@ -135,20 +135,31 @@ test_getAFunctionValue
 | tst.js:3:1:3:1 | h | tst.js:3:5:3:17 | function() {} |
 | tst.js:3:1:3:17 | h = function() {} | tst.js:3:5:3:17 | function() {} |
 | tst.js:3:5:3:17 | function() {} | tst.js:3:5:3:17 | function() {} |
+| tst.js:4:1:4:1 | k | tst.js:2:9:2:21 | function() {} |
 | tst.js:4:1:4:5 | k = g | tst.js:2:9:2:21 | function() {} |
 | tst.js:4:5:4:5 | g | tst.js:2:9:2:21 | function() {} |
 | tst.js:6:1:6:1 | f | tst.js:1:1:1:15 | function f() {} |
 | tst.js:7:1:7:1 | g | tst.js:2:9:2:21 | function() {} |
 | tst.js:8:1:8:1 | h | tst.js:3:5:3:17 | function() {} |
 | tst.js:9:1:9:1 | k | tst.js:2:9:2:21 | function() {} |
 | tst.js:11:1:20:1 | functio ... \\tf();\\n} | tst.js:11:1:20:1 | functio ... \\tf();\\n} |
+| tst.js:11:12:11:12 | m | tst.js:2:9:2:21 | function() {} |
+| tst.js:11:12:11:12 | m | tst.js:2:9:2:21 | function() {} |
+| tst.js:12:6:12:6 | m | tst.js:2:9:2:21 | function() {} |
+| tst.js:12:6:12:27 | n | tst.js:2:9:2:21 | function() {} |
 | tst.js:12:6:12:27 | n | tst.js:12:15:12:27 | function() {} |
+| tst.js:12:10:12:10 | m | tst.js:2:9:2:21 | function() {} |
+| tst.js:12:10:12:10 | m | tst.js:2:9:2:21 | function() {} |
+| tst.js:12:10:12:10 | m | tst.js:2:9:2:21 | function() {} |
+| tst.js:12:10:12:27 | m \|\| function() {} | tst.js:2:9:2:21 | function() {} |
 | tst.js:12:10:12:27 | m \|\| function() {} | tst.js:12:15:12:27 | function() {} |
 | tst.js:12:15:12:27 | function() {} | tst.js:12:15:12:27 | function() {} |
 | tst.js:13:2:13:16 | function p() {} | tst.js:13:2:13:16 | function p() {} |
 | tst.js:13:11:13:11 | p | tst.js:13:2:13:16 | function p() {} |
+| tst.js:14:2:14:2 | m | tst.js:2:9:2:21 | function() {} |
 | tst.js:15:2:15:2 | l | tst.js:11:1:20:1 | functio ... \\tf();\\n} |
 | tst.js:16:2:16:17 | arguments.callee | tst.js:11:1:20:1 | functio ... \\tf();\\n} |
+| tst.js:17:2:17:2 | n | tst.js:2:9:2:21 | function() {} |
 | tst.js:17:2:17:2 | n | tst.js:12:15:12:27 | function() {} |
 | tst.js:18:2:18:2 | p | tst.js:13:2:13:16 | function p() {} |
 | tst.js:19:2:19:2 | f | tst.js:1:1:1:15 | function f() {} |
@@ -463,8 +474,10 @@ test_getACallee
 | tst.js:7:1:7:3 | g() | tst.js:2:9:2:21 | function() {} |
 | tst.js:8:1:8:3 | h() | tst.js:3:5:3:17 | function() {} |
 | tst.js:9:1:9:3 | k() | tst.js:2:9:2:21 | function() {} |
+| tst.js:14:2:14:4 | m() | tst.js:2:9:2:21 | function() {} |
 | tst.js:15:2:15:4 | l() | tst.js:11:1:20:1 | functio ... \\tf();\\n} |
 | tst.js:16:2:16:19 | arguments.callee() | tst.js:11:1:20:1 | functio ... \\tf();\\n} |
+| tst.js:17:2:17:4 | n() | tst.js:2:9:2:21 | function() {} |
 | tst.js:17:2:17:4 | n() | tst.js:12:15:12:27 | function() {} |
 | tst.js:18:2:18:4 | p() | tst.js:13:2:13:16 | function p() {} |
 | tst.js:19:2:19:4 | f() | tst.js:1:1:1:15 | function f() {} |

Original file line number	Diff line number	Diff line change
`@@ -1262,6 +1262,12 @@ module ClassNode {`
`1262`	`1262`	`result.getFile() = f`
`1263`	`1263`	`}`
`1264`	`1264`
	`1265`	`+ pragma[nomagic]`
	`1266`	`+ private DataFlow::NewNode getAnInstantiationInFile(string name, File f) {`
	`1267`	`+ result = AccessPath::getAReferenceTo(name).(DataFlow::LocalSourceNode).getAnInstantiation() and`
	`1268`	`+ result.getFile() = f`
	`1269`	`+ }`
	`1270`	`+`
`1265`	`1271`	`/**`
`1266`	`1272`	* Gets a reference to the function `func`, where there exists a read/write of the "prototype" property on that reference.
`1267`	`1273`	`*/`
`@@ -1273,7 +1279,7 @@ module ClassNode {`
`1273`	`1279`	`}`
`1274`	`1280`
`1275`	`1281`	`/**`
`1276`		- * A function definition with prototype manipulation as a `ClassNode` instance.
	`1282`	+ * A function definition, targeted by a `new`-call or with prototype manipulation, seen as a `ClassNode` instance.
`1277`	`1283`	`*/`
`1278`	`1284`	`class FunctionStyleClass extends Range, DataFlow::ValueNode {`
`1279`	`1285`	`override Function astNode;`
`@@ -1284,9 +1290,12 @@ module ClassNode {`
`1284`	`1290`	`(`
`1285`	`1291`	`exists(getAFunctionValueWithPrototype(function))`
`1286`	`1292`	`or`
`1287`		`- exists(string name \|`
`1288`		`- this = AccessPath::getAnAssignmentTo(name) and`
	`1293`	`+ function = any(NewNode new).getCalleeNode().analyze().getAValue()`
	`1294`	`+ or`
	`1295`	`+ exists(string name \| this = AccessPath::getAnAssignmentTo(name) \|`
`1289`	`1296`	`exists(getAPrototypeReferenceInFile(name, this.getFile()))`
	`1297`	`+ or`
	`1298`	`+ exists(getAnInstantiationInFile(name, this.getFile()))`
`1290`	`1299`	`)`
`1291`	`1300`	`)`
`1292`	`1301`	`}`
Original file line number	Diff line number	Diff line change
`@@ -241,24 +241,25 @@ module CallGraph {`
`241`	`241`	`)`
`242`	`242`	`}`
`243`	`243`
`244`		`- private DataFlow::FunctionNode getAMethodOnPlainObject(DataFlow::SourceNode node) {`
	`244`	`+ private DataFlow::FunctionNode getAMethodOnObject(DataFlow::SourceNode node) {`
`245`	`245`	`(`
`246`		`- (`
`247`		`- node instanceof DataFlow::ObjectLiteralNode`
`248`		`- or`
`249`		`- node instanceof DataFlow::FunctionNode`
`250`		`- ) and`
`251`	`246`	`result = node.getAPropertySource()`
`252`	`247`	`or`
`253`	`248`	`result = node.(DataFlow::ObjectLiteralNode).getPropertyGetter(_)`
`254`	`249`	`or`
`255`	`250`	`result = node.(DataFlow::ObjectLiteralNode).getPropertySetter(_)`
`256`	`251`	`) and`
`257`		`- not node.getTopLevel().isExterns()`
	`252`	`+ not node.getTopLevel().isExterns() and`
	`253`	+ // Ignore writes to `this` inside a constructor, since this is already handled by instance method tracking
	`254`	`+ not exists(DataFlow::ClassNode cls \|`
	`255`	`+ node = cls.getConstructor().getReceiver()`
	`256`	`+ or`
	`257`	`+ node = cls.(DataFlow::ClassNode::FunctionStyleClass).getAPrototypeReference()`
	`258`	`+ )`
`258`	`259`	`}`
`259`	`260`
`260`	`261`	`private predicate shouldTrackObjectWithMethods(DataFlow::SourceNode node) {`
`261`		`- exists(getAMethodOnPlainObject(node))`
	`262`	`+ exists(getAMethodOnObject(node))`
`262`	`263`	`}`
`263`	`264`
`264`	`265`	`/**`
`@@ -292,7 +293,7 @@ module CallGraph {`
`292`	`293`	`predicate impliedReceiverStep(DataFlow::SourceNode pred, DataFlow::SourceNode succ) {`
`293`	`294`	`exists(DataFlow::SourceNode host \|`
`294`	`295`	`pred = getAnAllocationSiteRef(host) and`
`295`		`- succ = getAMethodOnPlainObject(host).getReceiver()`
	`296`	`+ succ = getAMethodOnObject(host).getReceiver()`
`296`	`297`	`)`
`297`	`298`	`}`
`298`	`299`	`}`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The call graph has been improved, leading to more alerts for data flow based queries.