JS: Detect more FunctionStyleClasses

asgerf · asgerf · commit a54a73c9a2d4 · 2024-03-06T11:37:20.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
@@ -1262,6 +1262,12 @@ module ClassNode {
     result.getFile() = f
   }
 
+  pragma[nomagic]
+  private DataFlow::NewNode getAnInstantiationInFile(string name, File f) {
+    result = AccessPath::getAReferenceTo(name).(DataFlow::LocalSourceNode).getAnInstantiation() and
+    result.getFile() = f
+  }
+
   /**
    * Gets a reference to the function `func`, where there exists a read/write of the "prototype" property on that reference.
    */
@@ -1273,7 +1279,7 @@ module ClassNode {
   }
 
   /**
-   * A function definition with prototype manipulation as a `ClassNode` instance.
+   * A function definition, targeted by a `new`-call or with prototype manipulation, seen as a `ClassNode` instance.
    */
   class FunctionStyleClass extends Range, DataFlow::ValueNode {
     override Function astNode;
@@ -1284,9 +1290,12 @@ module ClassNode {
       (
         exists(getAFunctionValueWithPrototype(function))
         or
-        exists(string name |
-          this = AccessPath::getAnAssignmentTo(name) and
+        function = any(NewNode new).getCalleeNode().analyze().getAValue()
+        or
+        exists(string name | this = AccessPath::getAnAssignmentTo(name) |
           exists(getAPrototypeReferenceInFile(name, this.getFile()))
+          or
+          exists(getAnInstantiationInFile(name, this.getFile()))
         )
       )
     }

Original file line number	Diff line number	Diff line change
`@@ -1262,6 +1262,12 @@ module ClassNode {`
`1262`	`1262`	`result.getFile() = f`
`1263`	`1263`	`}`
`1264`	`1264`
	`1265`	`+ pragma[nomagic]`
	`1266`	`+ private DataFlow::NewNode getAnInstantiationInFile(string name, File f) {`
	`1267`	`+ result = AccessPath::getAReferenceTo(name).(DataFlow::LocalSourceNode).getAnInstantiation() and`
	`1268`	`+ result.getFile() = f`
	`1269`	`+ }`
	`1270`	`+`
`1265`	`1271`	`/**`
`1266`	`1272`	* Gets a reference to the function `func`, where there exists a read/write of the "prototype" property on that reference.
`1267`	`1273`	`*/`
`@@ -1273,7 +1279,7 @@ module ClassNode {`
`1273`	`1279`	`}`
`1274`	`1280`
`1275`	`1281`	`/**`
`1276`		- * A function definition with prototype manipulation as a `ClassNode` instance.
	`1282`	+ * A function definition, targeted by a `new`-call or with prototype manipulation, seen as a `ClassNode` instance.
`1277`	`1283`	`*/`
`1278`	`1284`	`class FunctionStyleClass extends Range, DataFlow::ValueNode {`
`1279`	`1285`	`override Function astNode;`
`@@ -1284,9 +1290,12 @@ module ClassNode {`
`1284`	`1290`	`(`
`1285`	`1291`	`exists(getAFunctionValueWithPrototype(function))`
`1286`	`1292`	`or`
`1287`		`- exists(string name \|`
`1288`		`- this = AccessPath::getAnAssignmentTo(name) and`
	`1293`	`+ function = any(NewNode new).getCalleeNode().analyze().getAValue()`
	`1294`	`+ or`
	`1295`	`+ exists(string name \| this = AccessPath::getAnAssignmentTo(name) \|`
`1289`	`1296`	`exists(getAPrototypeReferenceInFile(name, this.getFile()))`
	`1297`	`+ or`
	`1298`	`+ exists(getAnInstantiationInFile(name, this.getFile()))`
`1290`	`1299`	`)`
`1291`	`1300`	`)`
`1292`	`1301`	`}`