JS: Improve pg model

Author: asgerf

javascript/ql/src/semmle/javascript/frameworks/SQL.qll

@@ -134,7 +134,20 @@ private module Postgres {
     // pool.connect(function(err, client) { ... })
     result = pool().getMember("connect").getParameter(0).getParameter(1)
     or
+    // await pool.connect()
+    result = pool().getMember("connect").getReturn().getPromised()
+    or
     result = pgpConnection().getMember("client")
+    or
+    exists(API::CallNode call |
+      call = pool().getMember("on").getACall() and
+      call.getArgument(0).getStringValue() = ["connect", "acquire"] and
+      result = call.getParameter(1).getParameter(0)
+    )
+    or
+    result = client().getMember("on").getReturn()
+    or
+    result = API::Node::ofType("pg", ["Client", "PoolClient"])
   }
 
   /** Gets a constructor that when invoked constructs a new connection pool. */
@@ -151,6 +164,10 @@ private module Postgres {
     result = newPool().getInstance()
     or
     result = pgpDatabase().getMember("$pool")
+    or
+    result = pool().getMember("on").getReturn()
+    or
+    result = API::Node::ofType("pg", "Pool")
   }
 
   /** A call to the Postgres `query` method. */
@@ -162,7 +179,11 @@ private module Postgres {
 
   /** An expression that is passed to the `query` method and hence interpreted as SQL. */
   class QueryString extends SQL::SqlString {
-    QueryString() { this = any(QueryCall qc).getAQueryArgument().asExpr() }
+    QueryString() {
+      this = any(QueryCall qc).getAQueryArgument().asExpr()
+      or
+      this = API::moduleImport("pg-cursor").getParameter(0).getARhs().asExpr()
+    }
   }
 
   /** An expression that is passed as user name or password when creating a client or a pool. */

javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected

@@ -23,8 +23,12 @@
 | mysqlImport.js:3:18:5:1 | {\\n    s ... = ?',\\n} |
 | postgres1.js:37:21:37:24 | text |
 | postgres2.js:30:16:30:41 | 'SELECT ... number' |
+| postgres2.js:43:15:43:26 | 'SELECT 123' |
+| postgres2.js:46:15:46:47 | new Cur ... users') |
+| postgres2.js:46:26:46:46 | 'SELECT ...  users' |
 | postgres3.js:15:16:15:40 | 'SELECT ... s name' |
 | postgres5.js:8:21:8:25 | query |
+| postgres-types.ts:4:18:4:29 | 'SELECT 123' |
 | postgresImport.js:4:18:4:43 | 'SELECT ... number' |
 | sequelize2.js:10:17:10:118 | 'SELECT ... Y name' |
 | sequelize.js:8:17:8:118 | 'SELECT ... Y name' |

javascript/ql/test/library-tests/frameworks/SQL/postgres-types.ts

@@ -0,0 +1,5 @@
+import { Client } from "pg";
+
+function submitSomething(client: Client) {
+    client.query('SELECT 123');
+}

javascript/ql/test/library-tests/frameworks/SQL/postgres2.js

@@ -38,3 +38,9 @@ pool.connect(function(err, client, done) {
     //output: 1 
   });
 });
+
+let client2 = await pool.connect();
+client2.query('SELECT 123');
+
+const Cursor = require('pg-cursor');
+client2.query(new Cursor('SELECT * from users'));