JS: Make API-graphs use Content internally, and use steps from flow summaries

Author: asgerf

javascript/ql/lib/semmle/javascript/ApiGraphs.qll

@@ -8,6 +8,8 @@
 import javascript
 private import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps
 private import semmle.javascript.dataflow.internal.PreCallGraphStep
+private import semmle.javascript.dataflow.internal.StepSummary
+private import semmle.javascript.dataflow.internal.sharedlib.SummaryTypeTracker as SummaryTypeTracker
 private import internal.CachedStages
 
 /**
@@ -229,6 +231,40 @@ module API {
       result = this.getASuccessor(Label::unknownMember())
     }
 
+    cached
+    private Node getContentRaw(DataFlow::Content content) {
+      Stages::ApiStage::ref() and
+      result = this.getASuccessor(Label::content(content))
+    }
+
+    /**
+     * Gets a representative for the `content` of this value.
+     *
+     * When possible, it is preferrable to use one of the specialized variants of this predicate, such as `getMember`.
+     */
+    pragma[inline]
+    Node getContent(DataFlow::Content content) {
+      result = this.getContentRaw(content)
+      or
+      result = this.getMember(content.asPropertyName())
+    }
+
+    /**
+     * Gets a representative for the `contents` of this value.
+     */
+    bindingset[this, contents]
+    pragma[inline_late]
+    Node getContents(DataFlow::ContentSet contents) {
+      // We always use getAStoreContent when generating content edges, and we always use getAReadContent when querying the graph.
+      result = this.getContent(contents.getAReadContent())
+    }
+
+    /**
+     * Gets a node representing an arbitrary array element in the array represented by this node.
+     */
+    cached
+    Node getArrayElement() { result = this.getContents(DataFlow::ContentSet::arrayElement()) }
+
     /**
      * Gets a node representing a member of this API component where the name of the member may
      * or may not be known statically.
@@ -790,6 +826,11 @@ module API {
             not DataFlow::PseudoProperties::isPseudoProperty(prop)
           )
           or
+          exists(DataFlow::ContentSet contents |
+            SummaryTypeTracker::basicStoreStep(rhs, pred.getALocalUse(), contents) and
+            lbl = Label::content(contents.getAStoreContent())
+          )
+          or
           exists(DataFlow::FunctionNode fn |
             fn = pred and
             lbl = Label::return()
@@ -982,6 +1023,11 @@ module API {
             // avoid generating member edges like "$arrayElement$"
             not DataFlow::PseudoProperties::isPseudoProperty(prop)
           )
+          or
+          exists(DataFlow::ContentSet contents |
+            SummaryTypeTracker::basicLoadStep(pred.getALocalUse(), ref, contents) and
+            lbl = Label::content(contents.getAStoreContent())
+          )
         )
         or
         exists(DataFlow::Node def, DataFlow::FunctionNode fn |
@@ -1199,8 +1245,6 @@ module API {
       t = useStep(nd, promisified, boundArgs, prop, result)
     }
 
-    private import semmle.javascript.dataflow.internal.StepSummary
-
     /**
      * Holds if `nd`, which is a use of an API-graph node, flows in zero or more potentially
      * inter-procedural steps to some intermediate node, and then from that intermediate node to
@@ -1458,8 +1502,11 @@ module API {
     bindingset[result]
     LabelMember member(string m) { result.getProperty() = m }
 
+    /** Gets the `content` edge label for content `c`. */
+    LabelContent content(ContentPrivate::Content c) { result.getContent() = c }
+
     /** Gets the `member` edge label for the unknown member. */
-    LabelUnknownMember unknownMember() { any() }
+    LabelContent unknownMember() { result.getContent().isUnknownArrayElement() }
 
     /**
      * Gets a property name referred to by the given dynamic property access,
@@ -1516,10 +1563,10 @@ module API {
     LabelForwardingFunction forwardingFunction() { any() }
 
     /** Gets the `promised` edge label connecting a promise to its contained value. */
-    LabelPromised promised() { any() }
+    LabelContent promised() { result.getContent() = ContentPrivate::MkPromiseValue() }
 
     /** Gets the `promisedError` edge label connecting a promise to its rejected value. */
-    LabelPromisedError promisedError() { any() }
+    LabelContent promisedError() { result.getContent() = ContentPrivate::MkPromiseError() }
 
     /** Gets the label for an edge leading from a value `D` to any class that has `D` as a decorator. */
     LabelDecoratedClass decoratedClass() { any() }
@@ -1533,6 +1580,7 @@ module API {
     /** Gets an entry-point label for the entry-point `e`. */
     LabelEntryPoint entryPoint(API::EntryPoint e) { result.getEntryPoint() = e }
 
+    private import semmle.javascript.dataflow.internal.Contents::Private as ContentPrivate
     private import LabelImpl
 
     private module LabelImpl {
@@ -1542,18 +1590,12 @@ module API {
           exists(Impl::MkModuleImport(mod))
         } or
         MkLabelInstance() or
-        MkLabelMember(string prop) {
-          exports(_, prop, _) or
-          exists(any(DataFlow::ClassNode c).getInstanceMethod(prop)) or
-          prop = "exports" or
-          prop = any(CanonicalName c).getName() or
-          prop = any(DataFlow::PropRef p).getPropertyName() or
-          exists(Impl::MkTypeUse(_, prop)) or
-          exists(any(Module m).getAnExportedValue(prop)) or
-          PreCallGraphStep::loadStep(_, _, prop) or
-          PreCallGraphStep::storeStep(_, _, prop)
+        MkLabelContent(DataFlow::Content content) or
+        MkLabelMember(string name) {
+          name instanceof PropertyName
+          or
+          exists(Impl::MkTypeUse(_, name))
         } or
-        MkLabelUnknownMember() or
         MkLabelParameter(int i) {
           i =
             [0 .. max(int args |
@@ -1564,8 +1606,6 @@ module API {
         } or
         MkLabelReceiver() or
         MkLabelReturn() or
-        MkLabelPromised() or
-        MkLabelPromisedError() or
         MkLabelDecoratedClass() or
         MkLabelDecoratedMember() or
         MkLabelDecoratedParameter() or
@@ -1585,13 +1625,13 @@ module API {
       }
 
       /** A label that gets a promised value. */
-      class LabelPromised extends ApiLabel, MkLabelPromised {
-        override string toString() { result = "getPromised()" }
+      deprecated class LabelPromised extends ApiLabel {
+        LabelPromised() { this = MkLabelContent(ContentPrivate::MkPromiseValue()) }
       }
 
       /** A label that gets a rejected promise. */
-      class LabelPromisedError extends ApiLabel, MkLabelPromisedError {
-        override string toString() { result = "getPromisedError()" }
+      deprecated class LabelPromisedError extends ApiLabel {
+        LabelPromisedError() { this = MkLabelContent(ContentPrivate::MkPromiseError()) }
       }
 
       /** A label that gets the return value of a function. */
@@ -1617,9 +1657,39 @@ module API {
         override string toString() { result = "getInstance()" }
       }
 
+      /** A label for a content. */
+      class LabelContent extends ApiLabel, MkLabelContent {
+        private DataFlow::Content content;
+
+        LabelContent() {
+          this = MkLabelContent(content) and
+          // Property names are represented by LabelMember to ensure additional property
+          // names from PreCallGraph step are included, as well as those from MkTypeUse.
+          not content instanceof ContentPrivate::MkPropertyContent
+        }
+
+        /** Gets the content associated with this label. */
+        DataFlow::Content getContent() { result = content }
+
+        private string specialisedToString() {
+          content instanceof ContentPrivate::MkPromiseValue and result = "getPromised()"
+          or
+          content instanceof ContentPrivate::MkPromiseError and result = "getPromisedError()"
+          or
+          content instanceof ContentPrivate::MkArrayElementUnknown and result = "getUnknownMember()"
+        }
+
+        override string toString() {
+          result = this.specialisedToString()
+          or
+          not exists(this.specialisedToString()) and
+          result = "getContent(" + content + ")"
+        }
+      }
+
       /** A label for the member named `prop`. */
       class LabelMember extends ApiLabel, MkLabelMember {
-        string prop;
+        private string prop;
 
         LabelMember() { this = MkLabelMember(prop) }
 
@@ -1630,10 +1700,8 @@ module API {
       }
 
       /** A label for a member with an unknown name. */
-      class LabelUnknownMember extends ApiLabel, MkLabelUnknownMember {
-        LabelUnknownMember() { this = MkLabelUnknownMember() }
-
-        override string toString() { result = "getUnknownMember()" }
+      deprecated class LabelUnknownMember extends LabelContent {
+        LabelUnknownMember() { this.getContent().isUnknownArrayElement() }
       }
 
       /** A label for parameter `i`. */

javascript/ql/lib/semmle/javascript/dataflow/internal/Contents.qll

@@ -57,6 +57,16 @@ module Private {
       this = getAPreciseArrayIndex().toString()
       or
       isAccessPathTokenPresent("Member", this)
+      or
+      this = any(ImportSpecifier spec).getImportedName()
+      or
+      this = any(ExportSpecifier n).getExportedName()
+      or
+      this = any(ExportNamedDeclaration d).getAnExportedDecl().getName()
+      or
+      this = any(MemberDefinition m).getName()
+      or
+      this = ["exports", "default"]
     }
 
     /** Gets the array index corresponding to this property name. */

javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll

@@ -162,8 +162,8 @@ API::Node getExtraSuccessorFromNode(API::Node node, AccessPathTokenBase token) {
   token.getName() = "Awaited" and
   result = node.getPromised()
   or
-  token.getName() = "ArrayElement" and
-  result = node.getMember(DataFlow::PseudoProperties::arrayElement())
+  token.getName() = ["ArrayElement", "Element"] and
+  result = node.getArrayElement()
   or
   token.getName() = "Element" and
   result = node.getMember(DataFlow::PseudoProperties::arrayLikeElement())
@@ -172,11 +172,6 @@ API::Node getExtraSuccessorFromNode(API::Node node, AccessPathTokenBase token) {
   token.getName() = "MapValue" and
   result = node.getMember(DataFlow::PseudoProperties::mapValueAll())
   or
-  // Currently we need to include the "unknown member" for ArrayElement and Element since
-  // API graphs do not use store/load steps for arrays
-  token.getName() = ["ArrayElement", "Element"] and
-  result = node.getUnknownMember()
-  or
   token.getName() = "Parameter" and
   token.getAnArgument() = "this" and
   result = node.getReceiver()

javascript/ql/test/library-tests/frameworks/data/test.expected

@@ -81,6 +81,10 @@ taintFlow
 | test.js:272:6:272:40 | new MyS ... ource() | test.js:272:6:272:40 | new MyS ... ource() |
 | test.js:274:6:274:39 | testlib ... eName() | test.js:274:6:274:39 | testlib ... eName() |
 | test.js:277:8:277:31 | "danger ... .danger | test.js:277:8:277:31 | "danger ... .danger |
+| test.js:284:8:284:16 | source[0] | test.js:284:8:284:16 | source[0] |
+| test.js:285:8:285:19 | source.pop() | test.js:285:8:285:19 | source.pop() |
+| test.js:286:18:286:18 | e | test.js:286:28:286:28 | e |
+| test.js:287:14:287:14 | e | test.js:287:24:287:24 | e |
 isSink
 | test.js:54:18:54:25 | source() | test-sink |
 | test.js:55:22:55:29 | source() | test-sink |

javascript/ql/test/library-tests/frameworks/data/test.js

@@ -281,8 +281,8 @@ function dangerConstant() {
 
 function arraySource() {
   const source = testlib.getSourceArray();
-  sink(source[0]); // NOT OK [INCONSISTENCY]
-  sink(source.pop()); // NOT OK [INCONSISTENCY]
-  source.forEach(e => sink(e)); // NOT OK [INCONSISTENCY]
-  source.map(e => sink(e)); // NOT OK [INCONSISTENCY]
+  sink(source[0]); // NOT OK
+  sink(source.pop()); // NOT OK
+  source.forEach(e => sink(e)); // NOT OK
+  source.map(e => sink(e)); // NOT OK
 }

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected

@@ -16,6 +16,7 @@
 | testReactUseQueries.jsx:37:25:37:38 | repoQuery.data | testReactUseQueries.jsx:4:26:4:53 | fetch(' ... e.com') | testReactUseQueries.jsx:37:25:37:38 | repoQuery.data | Cross-site scripting vulnerability due to $@. | testReactUseQueries.jsx:4:26:4:53 | fetch(' ... e.com') | user-provided value |
 | testUseQueries2.vue:40:10:40:23 | v-html=data3 | testUseQueries2.vue:6:28:6:63 | fetch(" ... ntent") | testUseQueries2.vue:40:10:40:23 | v-html=data3 | Cross-site scripting vulnerability due to $@. | testUseQueries2.vue:6:28:6:63 | fetch(" ... ntent") | user-provided value |
 | testUseQueries2.vue:40:10:40:23 | v-html=data3 | testUseQueries2.vue:12:28:12:41 | fetch("${id}") | testUseQueries2.vue:40:10:40:23 | v-html=data3 | Cross-site scripting vulnerability due to $@. | testUseQueries2.vue:12:28:12:41 | fetch("${id}") | user-provided value |
+| testUseQueries.vue:25:10:25:23 | v-html=data2 | testUseQueries.vue:11:36:11:49 | fetch("${id}") | testUseQueries.vue:25:10:25:23 | v-html=data2 | Cross-site scripting vulnerability due to $@. | testUseQueries.vue:11:36:11:49 | fetch("${id}") | user-provided value |
 edges
 | test.jsx:5:11:5:63 | response | test.jsx:6:24:6:31 | response | provenance |  |
 | test.jsx:5:22:5:63 | await f ... ntent") | test.jsx:5:11:5:63 | response | provenance |  |
@@ -88,6 +89,12 @@ edges
 | testUseQueries2.vue:13:12:13:19 | response | testUseQueries2.vue:13:12:13:26 | response.json() | provenance |  |
 | testUseQueries2.vue:13:12:13:26 | response.json() | testUseQueries2.vue:33:22:33:36 | results[0].data | provenance |  |
 | testUseQueries2.vue:33:22:33:36 | results[0].data | testUseQueries2.vue:40:10:40:23 | v-html=data3 | provenance |  |
+| testUseQueries.vue:11:19:11:49 | response | testUseQueries.vue:12:20:12:27 | response | provenance |  |
+| testUseQueries.vue:11:30:11:49 | await fetch("${id}") | testUseQueries.vue:11:19:11:49 | response | provenance |  |
+| testUseQueries.vue:11:36:11:49 | fetch("${id}") | testUseQueries.vue:11:30:11:49 | await fetch("${id}") | provenance |  |
+| testUseQueries.vue:12:20:12:27 | response | testUseQueries.vue:12:20:12:34 | response.json() | provenance |  |
+| testUseQueries.vue:12:20:12:34 | response.json() | testUseQueries.vue:18:22:18:36 | results[0].data | provenance |  |
+| testUseQueries.vue:18:22:18:36 | results[0].data | testUseQueries.vue:25:10:25:23 | v-html=data2 | provenance |  |
 nodes
 | test.jsx:5:11:5:63 | response | semmle.label | response |
 | test.jsx:5:22:5:63 | await f ... ntent") | semmle.label | await f ... ntent") |
@@ -174,4 +181,11 @@ nodes
 | testUseQueries2.vue:13:12:13:26 | response.json() | semmle.label | response.json() |
 | testUseQueries2.vue:33:22:33:36 | results[0].data | semmle.label | results[0].data |
 | testUseQueries2.vue:40:10:40:23 | v-html=data3 | semmle.label | v-html=data3 |
+| testUseQueries.vue:11:19:11:49 | response | semmle.label | response |
+| testUseQueries.vue:11:30:11:49 | await fetch("${id}") | semmle.label | await fetch("${id}") |
+| testUseQueries.vue:11:36:11:49 | fetch("${id}") | semmle.label | fetch("${id}") |
+| testUseQueries.vue:12:20:12:27 | response | semmle.label | response |
+| testUseQueries.vue:12:20:12:34 | response.json() | semmle.label | response.json() |
+| testUseQueries.vue:18:22:18:36 | results[0].data | semmle.label | results[0].data |
+| testUseQueries.vue:25:10:25:23 | v-html=data2 | semmle.label | v-html=data2 |
 subpaths

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testUseQueries.vue

@@ -8,7 +8,7 @@ export default {
     queries: ids.map((id) => ({
         queryKey: ['post', id],
         queryFn: async () => {
-            const response = await fetch("${id}"); // $ MISSING: Source
+            const response = await fetch("${id}"); // $ Source
             return response.json();
         },
         staleTime: Infinity,
@@ -22,6 +22,6 @@ export default {
 
 <template>
   <VueQueryClientProvider :client="queryClient">
-    <div v-html="data2"></div> <!--$ MISSING: Alert -->
+    <div v-html="data2"></div> <!--$ Alert -->
   </VueQueryClientProvider>
 </template>