JS: Migrate URLSearchParams model to flow summaries

Author: asgerf

javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll

@@ -656,7 +656,7 @@ module TaintTracking {
   /**
    * A taint propagating data flow edge arising from URL parameter parsing.
    */
-  private class UrlSearchParamsTaintStep extends DataFlow::SharedFlowStep {
+  private class UrlSearchParamsTaintStep extends DataFlow::LegacyFlowStep {
     /**
      * Holds if `succ` is a `URLSearchParams` providing access to the
      * parameters encoded in `pred`.

javascript/ql/lib/semmle/javascript/internal/flow_summaries/AllFlowSummaries.qll

@@ -11,3 +11,4 @@ private import Promises
 private import Sets
 private import Strings
 private import DynamicImportStep
+private import UrlSearchParams

javascript/ql/lib/semmle/javascript/internal/flow_summaries/UrlSearchParams.qll

@@ -0,0 +1,62 @@
+/**
+ * Contains a summary for `URLSearchParams` and `URL` objects.
+ *
+ * For now, the `URLSearchParams` object is modelled as a `Map` object.
+ */
+
+private import javascript
+
+DataFlow::SourceNode urlConstructorRef() { result = DataFlow::globalVarRef("URL") }
+
+DataFlow::SourceNode urlSearchParamsConstructorRef() {
+  result = DataFlow::globalVarRef("URLSearchParams")
+}
+
+class URLSearchParams extends DataFlow::SummarizedCallable {
+  URLSearchParams() { this = "URLSearchParams" }
+
+  override DataFlow::InvokeNode getACallSimple() {
+    result = urlSearchParamsConstructorRef().getAnInstantiation()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    // Taint the MapKey and MapValue so methods named 'get' and 'forEach' etc can extract the taint.
+    // Also taint the object itself since it has a tainted toString() value
+    input = "Argument[0]" and
+    output = ["ReturnValue", "ReturnValue.MapKey", "ReturnValue.MapValue"] and
+    preservesValue = false
+  }
+}
+
+class GetAll extends DataFlow::SummarizedCallable {
+  GetAll() { this = "getAll" }
+
+  override DataFlow::MethodCallNode getACallSimple() {
+    result.getMethodName() = "getAll" and result.getNumArgument() = 1
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    input = "Argument[this].MapValue" and
+    output = "ReturnValue.ArrayElement" and
+    preservesValue = true
+  }
+}
+
+class URLConstructor extends DataFlow::SummarizedCallable {
+  URLConstructor() { this = "URL" }
+
+  override DataFlow::InvokeNode getACallSimple() {
+    result = urlConstructorRef().getAnInstantiation()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    input = "Argument[0]" and
+    output =
+      [
+        "ReturnValue.Member[searchParams].MapKey",
+        "ReturnValue.Member[searchParams].MapValue",
+        "ReturnValue.Member[searchParams,hash,search]",
+      ] and
+    preservesValue = false
+  }
+}

javascript/ql/test/library-tests/TripleDot/urlsearchparams.js

@@ -1,15 +1,15 @@
 function u1() {
     const searchParams = new URLSearchParams(source("u1.1"));
-    sink(searchParams.get("x")); // $ MISSING: hasTaintFlow=u1.1
-    sink(searchParams.get(unknown())); // $ MISSING: hasTaintFlow=u1.1
-    sink(searchParams.getAll("x")); // $ MISSING: hasTaintFlow=u1.1
-    sink(searchParams.getAll(unknown())); // $ MISSING: hasTaintFlow=u1.1
+    sink(searchParams.get("x")); // $ hasTaintFlow=u1.1
+    sink(searchParams.get(unknown())); // $ hasTaintFlow=u1.1
+    sink(searchParams.getAll("x")); // $ hasTaintFlow=u1.1
+    sink(searchParams.getAll(unknown())); // $ hasTaintFlow=u1.1
 }
 
 function u2() {
     const url = new URL(source("u2.1"));
-    sink(url.searchParams.get("x")); // $ MISSING: hasTaintFlow=u2.1
-    sink(url.searchParams.get(unknown())); // $ MISSING: hasTaintFlow=u2.1
-    sink(url.searchParams.getAll("x")); // $ MISSING: hasTaintFlow=u2.1
-    sink(url.searchParams.getAll(unknown())); // $ MISSING: hasTaintFlow=u2.1
+    sink(url.searchParams.get("x")); // $ hasTaintFlow=u2.1
+    sink(url.searchParams.get(unknown())); // $ hasTaintFlow=u2.1
+    sink(url.searchParams.getAll("x")); // $ hasTaintFlow=u2.1
+    sink(url.searchParams.getAll(unknown())); // $ hasTaintFlow=u2.1
 }