JS: Refactor aliasing relation

asgerf · asgerf · commit baa3c35d6f46 · 2024-02-13T09:24:00.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/endpoints/EndpointNaming.qll b/javascript/ql/lib/semmle/javascript/endpoints/EndpointNaming.qll
@@ -168,7 +168,7 @@ predicate sinkHasPrimaryName(API::Node sink, string package, string name) {
  *
  * This means it is a valid name for it, but was not chosen as the primary name.
  */
-predicate sinkHasAlias(API::Node sink, string package, string name) {
+private predicate sinkHasAlias(API::Node sink, string package, string name) {
   not sinkHasPrimaryName(sink, package, name) and
   (
     exists(string baseName, string step |
@@ -239,15 +239,6 @@ predicate classObjectHasPrimaryName(DataFlow::ClassNode cls, string package, str
   classObjectHasPrimaryName(cls, package, name, _)
 }
 
-/** Holds if `(package, name)` is an alias for the class object of `cls`. */
-predicate classObjectHasAlias(DataFlow::ClassNode cls, string package, string name) {
-  not classObjectHasPrimaryName(cls, package, name) and
-  exists(int badness |
-    classObjectHasNameCandidate(cls, package, name, badness) and
-    badness < 100
-  )
-}
-
 /** Holds if an instance of `cls` can be exposed to client code. */
 private predicate hasEscapingInstance(DataFlow::ClassNode cls) {
   cls.getAnInstanceReference().flowsTo(any(API::Node n).asSink())
@@ -362,14 +353,28 @@ predicate functionHasPrimaryName(DataFlow::FunctionNode function, string package
 }
 
 /**
- * Holds if `(package, name)` is an alias for the given `function`.
+ * Holds if `(aliasPackage, aliasName)` is an alias for `(primaryPackage, primaryName)`,
+ * defined at `aliasDef`.
  */
-predicate functionHasAlias(DataFlow::FunctionNode function, string package, string name) {
-  not functionHasPrimaryName(function, package, name) and
-  exists(int badness |
-    functionHasNameCandidate(function, package, name, badness) and
-    badness < 100
+predicate aliasDefinition(
+  string primaryPackage, string primaryName, string aliasPackage, string aliasName,
+  API::Node aliasDef
+) {
+  exists(DataFlow::SourceNode source |
+    classObjectHasPrimaryName(source, primaryPackage, primaryName)
+    or
+    functionHasPrimaryName(source, primaryPackage, primaryName)
+  |
+    aliasDef.getAValueReachingSink() = source and
+    sinkHasPrimaryName(aliasDef, aliasPackage, aliasName, _) and
+    not (
+      primaryPackage = aliasPackage and
+      primaryName = aliasName
+    )
   )
+  or
+  sinkHasPrimaryName(aliasDef, primaryPackage, primaryName) and
+  sinkHasAlias(aliasDef, aliasPackage, aliasName)
 }
 
 /**
diff --git a/javascript/ql/test/library-tests/EndpointNaming/EndpointNaming.ql b/javascript/ql/test/library-tests/EndpointNaming/EndpointNaming.ql
@@ -12,6 +12,8 @@ module TestConfig implements TestSig {
     result = "class"
     or
     result = "method"
+    or
+    result = "alias"
   }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
@@ -27,14 +29,26 @@ module TestConfig implements TestSig {
         EndpointNaming::classInstanceHasPrimaryName(cls, package, name)
       )
       or
-      element = "" and
       exists(DataFlow::FunctionNode function |
         not function.getFunction() = any(ConstructorDeclaration decl | decl.isSynthetic()).getBody() and
         location = function.getFunction().getLocation() and
         tag = "method" and
         EndpointNaming::functionHasPrimaryName(function, package, name)
       )
     )
+    or
+    element = "" and
+    tag = "alias" and
+    exists(
+      API::Node aliasDef, string primaryPackage, string primaryName, string aliasPackage,
+      string aliasName
+    |
+      EndpointNaming::aliasDefinition(primaryPackage, primaryName, aliasPackage, aliasName, aliasDef) and
+      value =
+        EndpointNaming::renderName(aliasPackage, aliasName) + "==" +
+          EndpointNaming::renderName(primaryPackage, primaryName) and
+      location = aliasDef.asSink().asExpr().getLocation()
+    )
   }
 }
 
diff --git a/javascript/ql/test/library-tests/EndpointNaming/pack2/lib.js b/javascript/ql/test/library-tests/EndpointNaming/pack2/lib.js
@@ -2,5 +2,5 @@ class AmbiguousClass {
     instanceMethod(foo) {} // $ method=(pack2).lib.LibClass.prototype.instanceMethod
 } // $ class=(pack2).lib.LibClass instance=(pack2).lib.LibClass.prototype
 
-export default AmbiguousClass;
+export default AmbiguousClass; // $ alias=(pack2).lib.default==(pack2).lib.LibClass
 export { AmbiguousClass as LibClass }
diff --git a/javascript/ql/test/library-tests/EndpointNaming/pack2/main.js b/javascript/ql/test/library-tests/EndpointNaming/pack2/main.js
@@ -2,7 +2,7 @@ class AmbiguousClass {
     instanceMethod() {} // $ method=(pack2).MainClass.prototype.instanceMethod
 } // $ class=(pack2).MainClass instance=(pack2).MainClass.prototype
 
-export default AmbiguousClass;
+export default AmbiguousClass; // $ alias=(pack2).default==(pack2).MainClass
 export { AmbiguousClass as MainClass }
 
 import * as lib from "./lib";
diff --git a/javascript/ql/test/library-tests/EndpointNaming/pack3/lib.js b/javascript/ql/test/library-tests/EndpointNaming/pack3/lib.js
@@ -1 +1 @@
-export default function(x,y,z) {} // $ method=(pack3).libFunction
+export default function(x,y,z) {} // $ method=(pack3).libFunction alias=(pack3).libFunction.default==(pack3).libFunction
diff --git a/javascript/ql/test/library-tests/EndpointNaming/pack3/main.js b/javascript/ql/test/library-tests/EndpointNaming/pack3/main.js
@@ -1,6 +1,6 @@
 function ambiguousFunction(x, y, z) {} // $ method=(pack3).namedFunction
 
-export default ambiguousFunction;
+export default ambiguousFunction; // $ alias=(pack3).default==(pack3).namedFunction
 export { ambiguousFunction as namedFunction };
 
 import libFunction from "./lib";
diff --git a/javascript/ql/test/library-tests/EndpointNaming/pack8/foo.js b/javascript/ql/test/library-tests/EndpointNaming/pack8/foo.js
@@ -1,5 +1,5 @@
 class Foo {} // $ class=(pack8).Foo instance=(pack8).Foo.prototype
 
 module.exports = Foo;
-module.exports.default = Foo;
-module.exports.Foo = Foo;
+module.exports.default = Foo; // $ alias=(pack8).Foo.default==(pack8).Foo
+module.exports.Foo = Foo; // $ alias=(pack8).Foo.Foo==(pack8).Foo

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,8 @@ module TestConfig implements TestSig {`
`12`	`12`	`result = "class"`
`13`	`13`	`or`
`14`	`14`	`result = "method"`
	`15`	`+ or`
	`16`	`+ result = "alias"`
`15`	`17`	`}`
`16`	`18`
`17`	`19`	`predicate hasActualResult(Location location, string element, string tag, string value) {`
`@@ -27,14 +29,26 @@ module TestConfig implements TestSig {`
`27`	`29`	`EndpointNaming::classInstanceHasPrimaryName(cls, package, name)`
`28`	`30`	`)`
`29`	`31`	`or`
`30`		`- element = "" and`
`31`	`32`	`exists(DataFlow::FunctionNode function \|`
`32`	`33`	`not function.getFunction() = any(ConstructorDeclaration decl \| decl.isSynthetic()).getBody() and`
`33`	`34`	`location = function.getFunction().getLocation() and`
`34`	`35`	`tag = "method" and`
`35`	`36`	`EndpointNaming::functionHasPrimaryName(function, package, name)`
`36`	`37`	`)`
`37`	`38`	`)`
	`39`	`+ or`
	`40`	`+ element = "" and`
	`41`	`+ tag = "alias" and`
	`42`	`+ exists(`
	`43`	`+ API::Node aliasDef, string primaryPackage, string primaryName, string aliasPackage,`
	`44`	`+ string aliasName`
	`45`	`+ \|`
	`46`	`+ EndpointNaming::aliasDefinition(primaryPackage, primaryName, aliasPackage, aliasName, aliasDef) and`
	`47`	`+ value =`
	`48`	`+ EndpointNaming::renderName(aliasPackage, aliasName) + "==" +`
	`49`	`+ EndpointNaming::renderName(primaryPackage, primaryName) and`
	`50`	`+ location = aliasDef.asSink().asExpr().getLocation()`
	`51`	`+ )`
`38`	`52`	`}`
`39`	`53`	`}`
`40`	`54`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-export default function(x,y,z) {} // $ method=(pack3).libFunction`
	`1`	`+export default function(x,y,z) {} // $ method=(pack3).libFunction alias=(pack3).libFunction.default==(pack3).libFunction`