JS: Support accessor-calls in object literals via local flow

Author: asgerf

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

@@ -546,6 +546,16 @@ class ObjectLiteralNode extends DataFlow::ValueNode, DataFlow::SourceNode {
   DataFlow::Node getASpreadProperty() {
     result = astNode.getAProperty().(SpreadProperty).getInit().(SpreadElement).getOperand().flow()
   }
+
+  /** Gets the property getter of the given name, installed on this object literal. */
+  DataFlow::FunctionNode getPropertyGetter(string name) {
+    result = astNode.getPropertyByName(name).(PropertyGetter).getInit().flow()
+  }
+
+  /** Gets the property setter of the given name, installed on this object literal. */
+  DataFlow::FunctionNode getPropertySetter(string name) {
+    result = astNode.getPropertyByName(name).(PropertySetter).getInit().flow()
+  }
 }
 
 /**

javascript/ql/src/semmle/javascript/dataflow/internal/CallGraphs.qll

@@ -175,5 +175,13 @@ module CallGraph {
       ref = cls.getAnInstanceReference().getAPropertyWrite(name) and
       result = cls.getInstanceMember(name, DataFlow::MemberKind::setter())
     )
+    or
+    exists(DataFlow::ObjectLiteralNode object, string name |
+      ref = object.getAPropertyRead(name) and
+      result = object.getPropertyGetter(name)
+      or
+      ref = object.getAPropertyWrite(name) and
+      result = object.getPropertySetter(name)
+    )
   }
 }

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -70,6 +70,8 @@ typeInferenceMismatch
 | getters-and-setters.js:6:20:6:27 | source() | getters-and-setters.js:13:18:13:20 | c.x |
 | getters-and-setters.js:27:15:27:22 | source() | getters-and-setters.js:23:18:23:18 | v |
 | getters-and-setters.js:47:23:47:30 | source() | getters-and-setters.js:45:14:45:16 | c.x |
+| getters-and-setters.js:60:20:60:27 | source() | getters-and-setters.js:66:10:66:14 | obj.x |
+| getters-and-setters.js:67:13:67:20 | source() | getters-and-setters.js:63:18:63:22 | value |
 | importedReactComponent.jsx:4:40:4:47 | source() | exportedReactComponent.jsx:2:10:2:19 | props.text |
 | indexOf.js:4:11:4:18 | source() | indexOf.js:9:10:9:10 | x |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:5:8:5:29 | JSON.st ... source) |

javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected

@@ -45,6 +45,8 @@
 | getters-and-setters.js:6:20:6:27 | source() | getters-and-setters.js:13:18:13:20 | c.x |
 | getters-and-setters.js:27:15:27:22 | source() | getters-and-setters.js:23:18:23:18 | v |
 | getters-and-setters.js:47:23:47:30 | source() | getters-and-setters.js:45:14:45:16 | c.x |
+| getters-and-setters.js:60:20:60:27 | source() | getters-and-setters.js:66:10:66:14 | obj.x |
+| getters-and-setters.js:67:13:67:20 | source() | getters-and-setters.js:63:18:63:22 | value |
 | indexOf.js:4:11:4:18 | source() | indexOf.js:9:10:9:10 | x |
 | indexOf.js:4:11:4:18 | source() | indexOf.js:13:10:13:10 | x |
 | nested-props.js:4:13:4:20 | source() | nested-props.js:5:10:5:14 | obj.x |

javascript/ql/test/library-tests/TaintTracking/getters-and-setters.js

@@ -53,3 +53,22 @@ function testFlowThroughGetter() {
     sink(getX(new C(source()))); // NOT OK - but not flagged
     getX(null);
 }
+
+function testFlowThroughObjectLiteralAccessors() {
+    let obj = {
+        get x() {
+            return source();
+        },
+        set y(value) {
+            sink(value); // NOT OK
+        }
+    };
+    sink(obj.x); // NOT OK
+    obj.y = source();
+
+    function indirection(c) {
+        sink(c.x); // NOT OK - but not currently flagged
+    }
+    indirection(obj);
+    indirection(null);
+}