Now flags only .pipe calls which have an error somewhere down the stream, but not on the source stream.

Napalys · Napalys · commit 5bb29b6e33ce · 2025-05-28T17:17:43.000+02:00
diff --git a/javascript/ql/src/Quality/UnhandledStreamPipe.ql b/javascript/ql/src/Quality/UnhandledStreamPipe.ql
@@ -110,8 +110,11 @@ string getStreamMethodName() {
  * A call to register an event handler on a Node.js stream.
  * This includes methods like `on`, `once`, and `addListener`.
  */
-class StreamEventRegistration extends DataFlow::MethodCallNode {
-  StreamEventRegistration() { this.getMethodName() = getEventHandlerMethodName() }
+class ErrorHandlerRegistration extends DataFlow::MethodCallNode {
+  ErrorHandlerRegistration() {
+    this.getMethodName() = getEventHandlerMethodName() and
+    this.getArgument(0).getStringValue() = "error"
+  }
 }
 
 /**
@@ -136,7 +139,12 @@ predicate streamFlowStep(DataFlow::Node streamNode, DataFlow::Node relatedNode)
  * Tracks the result of a pipe call as it flows through the program.
  */
 private DataFlow::SourceNode pipeResultTracker(DataFlow::TypeTracker t, PipeCall pipe) {
-  t.start() and result = pipe
+  t.start() and result = pipe.getALocalSource()
+  or
+  exists(DataFlow::SourceNode prev |
+    prev = pipeResultTracker(t.continue(), pipe) and
+    streamFlowStep(result.getALocalUse(), prev)
+  )
   or
   exists(DataFlow::TypeTracker t2 | result = pipeResultTracker(t2, pipe).track(t2, t))
 }
@@ -166,7 +174,7 @@ predicate isPipeFollowedByNonStreamMethod(PipeCall pipeCall) {
 predicate isPipeFollowedByNonStreamProperty(PipeCall pipeCall) {
   exists(DataFlow::PropRef propRef |
     propRef = pipeResultRef(pipeCall).getAPropertyRead() and
-    not propRef.getPropertyName() = getStreamPropertyName()
+    not propRef.getPropertyName() = [getStreamPropertyName(), getStreamMethodName()]
   )
 }
 
@@ -206,9 +214,8 @@ private DataFlow::SourceNode streamRef(PipeCall pipeCall) {
  * Holds if the source stream of the given pipe call has an `error` handler registered.
  */
 predicate hasErrorHandlerRegistered(PipeCall pipeCall) {
-  exists(StreamEventRegistration handler |
-    handler = streamRef(pipeCall).getAMethodCall(getEventHandlerMethodName()) and
-    handler.getArgument(0).getStringValue() = "error"
+  exists(ErrorHandlerRegistration handler |
+    handler = streamRef(pipeCall).getAMethodCall(getEventHandlerMethodName())
   )
   or
   hasPlumber(pipeCall)
@@ -218,6 +225,8 @@ predicate hasErrorHandlerRegistered(PipeCall pipeCall) {
  * Holds if one of the arguments of the pipe call is a `gulp-plumber` monkey patch.
  */
 predicate hasPlumber(PipeCall pipeCall) {
+  pipeCall.getDestinationStream().getALocalSource() = API::moduleImport("gulp-plumber").getACall()
+  or
   streamRef+(pipeCall) = API::moduleImport("gulp-plumber").getACall()
 }
 
@@ -246,9 +255,19 @@ private predicate hasNonStreamSourceLikeUsage(PipeCall pipeCall) {
   )
 }
 
+/**
+ * Holds if the pipe call destination stream has an error handler registered.
+ */
+predicate hasErrorHandlerDownstream(PipeCall pipeCall) {
+  exists(ErrorHandlerRegistration handler |
+    handler.getReceiver().getALocalSource() = pipeResultRef(pipeCall)
+  )
+}
+
 from PipeCall pipeCall
 where
   not hasErrorHandlerRegistered(pipeCall) and
+  hasErrorHandlerDownstream(pipeCall) and
   not isPipeFollowedByNonStreamAccess(pipeCall) and
   not hasNonStreamSourceLikeUsage(pipeCall) and
   not hasNonNodeJsStreamSource(pipeCall)
diff --git a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.expected b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.expected
@@ -5,9 +5,16 @@
 | test.js:66:5:66:21 | stream.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
 | test.js:79:5:79:25 | s2.pipe ... ation2) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
 | test.js:94:5:94:21 | stream.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
-| test.js:109:26:109:37 | s.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
-| test.js:116:5:116:21 | stream.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
-| test.js:125:5:125:26 | getStre ... e(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
-| test.js:143:5:143:62 | stream. ... itable) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
-| test.js:175:17:175:40 | notStre ... itable) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
-| test.js:185:5:185:32 | copyStr ... nation) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:110:11:110:22 | s.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:119:5:119:21 | stream.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:128:5:128:26 | getStre ... e(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:146:5:146:62 | stream. ... itable) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:182:17:182:40 | notStre ... itable) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:192:5:192:32 | copyStr ... nation) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| tst.js:8:5:8:21 | source.pipe(gzip) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| tst.js:29:5:29:40 | wrapper ... Stream) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| tst.js:37:21:37:56 | wrapper ... Stream) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| tst.js:44:5:44:40 | wrapper ... Stream) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| tst.js:59:18:59:39 | stream. ... Stream) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| tst.js:73:5:73:40 | wrapper ... Stream) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| tst.js:111:5:111:26 | stream. ... Stream) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
diff --git a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.js b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.js
@@ -1,7 +1,7 @@
 function test() {
   {
     const stream = getStream();
-    stream.pipe(destination); // $Alert
+    stream.pipe(destination).on("error", e); // $Alert
   }
   {
     const stream = getStream();
@@ -16,7 +16,7 @@ function test() {
   {
     const stream = getStream();
     const s2 = stream;
-    s2.pipe(dest); // $Alert
+    s2.pipe(dest).on("error", e); // $Alert
   }
   {
     const stream = getStream();
@@ -42,7 +42,7 @@ function test() {
     const stream = getStream();
     stream.on('error', handleError);
     const stream2 = stream.pipe(destination);
-    stream2.pipe(destination2); // $Alert
+    stream2.pipe(destination2).on("error", e); // $Alert
   }
   {
     const stream = getStream();
@@ -57,13 +57,13 @@ function test() {
     const stream = getStream();
     stream.on('error', handleError);
     const stream2 = stream.pipe(destination);
-    stream2.pipe(destination2); // $Alert
+    stream2.pipe(destination2).on("error", e); // $Alert
   }
   { // Error handler on destination instead of source
     const stream = getStream();
     const dest = getDest();
     dest.on('error', handler);
-    stream.pipe(dest); // $Alert
+    stream.pipe(dest).on("error", e); // $Alert
   }
   { // Multiple aliases, error handler on one
     const stream = getStream();
@@ -76,7 +76,7 @@ function test() {
     const stream = getStream();
     const s2 = stream.pipe(destination1);
     stream.on('error', handleError);
-    s2.pipe(destination2); // $Alert
+    s2.pipe(destination2).on("error", e); // $Alert
   }
   { // Handler registered via .once
     const stream = getStream();
@@ -91,7 +91,7 @@ function test() {
   { // Handler registered for unrelated event
     const stream = getStream();
     stream.on('close', handleClose);
-    stream.pipe(dest); // $Alert
+    stream.pipe(dest).on("error", e); // $Alert
   }
   { // Error handler registered after pipe, but before error
     const stream = getStream();
@@ -106,14 +106,17 @@ function test() {
   }
   { // Pipe in a function, error handler not set
     const stream = getStream();
-    function doPipe(s) { s.pipe(dest); } // $Alert
+    function doPipe(s) { 
+      f = s.pipe(dest); // $Alert
+      f.on("error", e); 
+    }
     doPipe(stream);
   }
   { // Dynamic event assignment
     const stream = getStream();
     const event = 'error';
     stream.on(event, handleError);
-    stream.pipe(dest);  // $SPURIOUS:Alert
+    stream.pipe(dest).on("error", e);  // $SPURIOUS:Alert
   }
   { // Handler assigned via variable property
     const stream = getStream();
@@ -122,12 +125,12 @@ function test() {
     stream.pipe(dest);
   }
   { // Pipe with no intermediate variable, no error handler
-    getStream().pipe(dest); // $Alert
+    getStream().pipe(dest).on("error", e); // $Alert
   }
   { // Handler set via .addListener synonym
     const stream = getStream();
     stream.addListener('error', handleError);
-    stream.pipe(dest);
+    stream.pipe(dest).on("error", e);
   }
   { // Handler set via .once after .pipe
     const stream = getStream();
@@ -140,7 +143,11 @@ function test() {
   }
   { // Long chained pipe without error handler
     const stream = getStream();
-    stream.pause().setEncoding('utf8').resume().pipe(writable); // $Alert
+    stream.pause().setEncoding('utf8').resume().pipe(writable).on("error", e); // $Alert
+  }
+  { // Long chained pipe without error handler
+    const stream = getStream();
+    stream.pause().setEncoding('utf8').on("error", e).resume().pipe(writable).on("error", e);
   }
   { // Non-stream with pipe method that returns subscribable object (Streams do not have subscribe method)
     const notStream = getNotAStream();
@@ -172,7 +179,7 @@ function test() {
   }
   { // Member access on a stream after pipe
     const notStream = getNotAStream();
-    const val = notStream.pipe(writable).readable; // $Alert
+    const val = notStream.pipe(writable).on("error", e).readable; // $Alert
   }
   { // Method access on a non-stream after pipe
     const notStream = getNotAStream();
@@ -182,7 +189,7 @@ function test() {
     const fs = require('fs');
     const stream = fs.createReadStream('file.txt');
     const copyStream = stream;
-    copyStream.pipe(destination); // $Alert
+    copyStream.pipe(destination).on("error", e); // $Alert
   }
   {
     const notStream = getNotAStream();
@@ -211,6 +218,16 @@ function test() {
     const p = plumber();
     getStream().pipe(p).pipe(dest).pipe(dest).pipe(dest);
   }
+  {
+    const plumber = require('gulp-plumber');
+    const p = plumber();
+    getStream().pipe(p);
+  }
+  {
+    const plumber = require('gulp-plumber');
+    const p = plumber();
+    getStream().pipe(p).pipe(dest);
+  }
   {
     const notStream = getNotAStream();
     notStream.pipe(getStream(),()=>{});
diff --git a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/tst.js b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/tst.js
@@ -0,0 +1,113 @@
+const fs = require('fs');
+const zlib = require('zlib');
+
+function foo(){
+    const source = fs.createReadStream('input.txt');
+    const gzip = zlib.createGzip();
+    const destination = fs.createWriteStream('output.txt.gz');
+    source.pipe(gzip).pipe(destination); // $Alert    
+    gzip.on('error', e);
+}
+class StreamWrapper {
+    constructor() {
+        this.outputStream = getStream();
+    }
+}
+
+function zip() {
+    const zipStream = createWriteStream(zipPath);
+    let wrapper = new StreamWrapper();
+    let stream = wrapper.outputStream;
+    stream.on('error', e);
+    stream.pipe(zipStream);
+    zipStream.on('error', e);
+}
+
+function zip1() {
+    const zipStream = createWriteStream(zipPath);
+    let wrapper = new StreamWrapper();
+    wrapper.outputStream.pipe(zipStream); // $SPURIOUS:Alert
+    wrapper.outputStream.on('error', e);
+    zipStream.on('error', e);
+}
+
+function zip2() {
+    const zipStream = createWriteStream(zipPath);
+    let wrapper = new StreamWrapper();
+    let outStream = wrapper.outputStream.pipe(zipStream); // $Alert
+    outStream.on('error', e);
+}
+
+function zip3() {
+    const zipStream = createWriteStream(zipPath);
+    let wrapper = new StreamWrapper();
+    wrapper.outputStream.pipe(zipStream); // $Alert
+    zipStream.on('error', e);
+}
+
+function zip3() {
+    const zipStream = createWriteStream(zipPath);
+    let wrapper = new StreamWrapper();
+    let source = getStream();
+    source.pipe(wrapper.outputStream); // $MISSING:Alert
+    wrapper.outputStream.on('error', e);
+}
+
+function zip4() {
+    const zipStream = createWriteStream(zipPath);
+    let stream = getStream();
+    let output = stream.pipe(zipStream); // $Alert
+    output.on('error', e);
+}
+
+class StreamWrapper2 {
+    constructor() {
+        this.outputStream = getStream();
+        this.outputStream.on('error', e);
+    }
+
+}
+function zip5() {
+    const zipStream = createWriteStream(zipPath);
+    let wrapper = new StreamWrapper2();
+    wrapper.outputStream.pipe(zipStream); // $SPURIOUS:Alert
+    zipStream.on('error', e);
+}
+
+class StreamWrapper3 {
+    constructor() {
+        this.stream = getStream();
+    }
+    pipeIt(dest) {
+        return this.stream.pipe(dest);
+    }
+    register_error_handler(listener) {
+        return this.stream.on('error', listener);
+    }
+}
+
+function zip5() {
+    const zipStream = createWriteStream(zipPath);
+    let wrapper = new StreamWrapper3();
+    wrapper.pipeIt(zipStream); // $MISSING:Alert
+    zipStream.on('error', e);
+}
+function zip6() {
+    const zipStream = createWriteStream(zipPath);
+    let wrapper = new StreamWrapper3();
+    wrapper.pipeIt(zipStream);
+    wrapper.register_error_handler(e);
+    zipStream.on('error', e);
+}
+
+function registerErr(stream, listerner) {
+    stream.on('error', listerner);
+}
+
+function zip7() {
+    const zipStream = createWriteStream(zipPath);
+    let stream = getStream();
+    registerErr(stream, e);
+    stream.pipe(zipStream); // $SPURIOUS:Alert
+    zipStream.on('error', e);
+}

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`function test() {`
`2`	`2`	`{`
`3`	`3`	`const stream = getStream();`
`4`		`- stream.pipe(destination); // $Alert`
	`4`	`+ stream.pipe(destination).on("error", e); // $Alert`
`5`	`5`	`}`
`6`	`6`	`{`
`7`	`7`	`const stream = getStream();`
`@@ -16,7 +16,7 @@ function test() {`
`16`	`16`	`{`
`17`	`17`	`const stream = getStream();`
`18`	`18`	`const s2 = stream;`
`19`		`- s2.pipe(dest); // $Alert`
	`19`	`+ s2.pipe(dest).on("error", e); // $Alert`
`20`	`20`	`}`
`21`	`21`	`{`
`22`	`22`	`const stream = getStream();`
`@@ -42,7 +42,7 @@ function test() {`
`42`	`42`	`const stream = getStream();`
`43`	`43`	`stream.on('error', handleError);`
`44`	`44`	`const stream2 = stream.pipe(destination);`
`45`		`- stream2.pipe(destination2); // $Alert`
	`45`	`+ stream2.pipe(destination2).on("error", e); // $Alert`
`46`	`46`	`}`
`47`	`47`	`{`
`48`	`48`	`const stream = getStream();`
`@@ -57,13 +57,13 @@ function test() {`
`57`	`57`	`const stream = getStream();`
`58`	`58`	`stream.on('error', handleError);`
`59`	`59`	`const stream2 = stream.pipe(destination);`
`60`		`- stream2.pipe(destination2); // $Alert`
	`60`	`+ stream2.pipe(destination2).on("error", e); // $Alert`
`61`	`61`	`}`
`62`	`62`	`{ // Error handler on destination instead of source`
`63`	`63`	`const stream = getStream();`
`64`	`64`	`const dest = getDest();`
`65`	`65`	`dest.on('error', handler);`
`66`		`- stream.pipe(dest); // $Alert`
	`66`	`+ stream.pipe(dest).on("error", e); // $Alert`
`67`	`67`	`}`
`68`	`68`	`{ // Multiple aliases, error handler on one`
`69`	`69`	`const stream = getStream();`
`@@ -76,7 +76,7 @@ function test() {`
`76`	`76`	`const stream = getStream();`
`77`	`77`	`const s2 = stream.pipe(destination1);`
`78`	`78`	`stream.on('error', handleError);`
`79`		`- s2.pipe(destination2); // $Alert`
	`79`	`+ s2.pipe(destination2).on("error", e); // $Alert`
`80`	`80`	`}`
`81`	`81`	`{ // Handler registered via .once`
`82`	`82`	`const stream = getStream();`
`@@ -91,7 +91,7 @@ function test() {`
`91`	`91`	`{ // Handler registered for unrelated event`
`92`	`92`	`const stream = getStream();`
`93`	`93`	`stream.on('close', handleClose);`
`94`		`- stream.pipe(dest); // $Alert`
	`94`	`+ stream.pipe(dest).on("error", e); // $Alert`
`95`	`95`	`}`
`96`	`96`	`{ // Error handler registered after pipe, but before error`
`97`	`97`	`const stream = getStream();`
`@@ -106,14 +106,17 @@ function test() {`
`106`	`106`	`}`
`107`	`107`	`{ // Pipe in a function, error handler not set`
`108`	`108`	`const stream = getStream();`
`109`		`- function doPipe(s) { s.pipe(dest); } // $Alert`
	`109`	`+ function doPipe(s) {`
	`110`	`+ f = s.pipe(dest); // $Alert`
	`111`	`+ f.on("error", e);`
	`112`	`+ }`
`110`	`113`	`doPipe(stream);`
`111`	`114`	`}`
`112`	`115`	`{ // Dynamic event assignment`
`113`	`116`	`const stream = getStream();`
`114`	`117`	`const event = 'error';`
`115`	`118`	`stream.on(event, handleError);`
`116`		`- stream.pipe(dest); // $SPURIOUS:Alert`
	`119`	`+ stream.pipe(dest).on("error", e); // $SPURIOUS:Alert`
`117`	`120`	`}`
`118`	`121`	`{ // Handler assigned via variable property`
`119`	`122`	`const stream = getStream();`
`@@ -122,12 +125,12 @@ function test() {`
`122`	`125`	`stream.pipe(dest);`
`123`	`126`	`}`
`124`	`127`	`{ // Pipe with no intermediate variable, no error handler`
`125`		`- getStream().pipe(dest); // $Alert`
	`128`	`+ getStream().pipe(dest).on("error", e); // $Alert`
`126`	`129`	`}`
`127`	`130`	`{ // Handler set via .addListener synonym`
`128`	`131`	`const stream = getStream();`
`129`	`132`	`stream.addListener('error', handleError);`
`130`		`- stream.pipe(dest);`
	`133`	`+ stream.pipe(dest).on("error", e);`
`131`	`134`	`}`
`132`	`135`	`{ // Handler set via .once after .pipe`
`133`	`136`	`const stream = getStream();`
`@@ -140,7 +143,11 @@ function test() {`
`140`	`143`	`}`
`141`	`144`	`{ // Long chained pipe without error handler`
`142`	`145`	`const stream = getStream();`
`143`		`- stream.pause().setEncoding('utf8').resume().pipe(writable); // $Alert`
	`146`	`+ stream.pause().setEncoding('utf8').resume().pipe(writable).on("error", e); // $Alert`
	`147`	`+ }`
	`148`	`+ { // Long chained pipe without error handler`
	`149`	`+ const stream = getStream();`
	`150`	`+ stream.pause().setEncoding('utf8').on("error", e).resume().pipe(writable).on("error", e);`
`144`	`151`	`}`
`145`	`152`	`{ // Non-stream with pipe method that returns subscribable object (Streams do not have subscribe method)`
`146`	`153`	`const notStream = getNotAStream();`
`@@ -172,7 +179,7 @@ function test() {`
`172`	`179`	`}`
`173`	`180`	`{ // Member access on a stream after pipe`
`174`	`181`	`const notStream = getNotAStream();`
`175`		`- const val = notStream.pipe(writable).readable; // $Alert`
	`182`	`+ const val = notStream.pipe(writable).on("error", e).readable; // $Alert`
`176`	`183`	`}`
`177`	`184`	`{ // Method access on a non-stream after pipe`
`178`	`185`	`const notStream = getNotAStream();`
`@@ -182,7 +189,7 @@ function test() {`
`182`	`189`	`const fs = require('fs');`
`183`	`190`	`const stream = fs.createReadStream('file.txt');`
`184`	`191`	`const copyStream = stream;`
`185`		`- copyStream.pipe(destination); // $Alert`
	`192`	`+ copyStream.pipe(destination).on("error", e); // $Alert`
`186`	`193`	`}`
`187`	`194`	`{`
`188`	`195`	`const notStream = getNotAStream();`
`@@ -211,6 +218,16 @@ function test() {`
`211`	`218`	`const p = plumber();`
`212`	`219`	`getStream().pipe(p).pipe(dest).pipe(dest).pipe(dest);`
`213`	`220`	`}`
	`221`	`+ {`
	`222`	`+ const plumber = require('gulp-plumber');`
	`223`	`+ const p = plumber();`
	`224`	`+ getStream().pipe(p);`
	`225`	`+ }`
	`226`	`+ {`
	`227`	`+ const plumber = require('gulp-plumber');`
	`228`	`+ const p = plumber();`
	`229`	`+ getStream().pipe(p).pipe(dest);`
	`230`	`+ }`
`214`	`231`	`{`
`215`	`232`	`const notStream = getNotAStream();`
`216`	`233`	`notStream.pipe(getStream(),()=>{});`