JS: Type track sequelize model

asgerf · asgerf · commit 3e9849b7c4fc · 2020-05-15T17:27:24.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -311,10 +311,22 @@ private module MsSql {
  */
 private module Sequelize {
   /** Gets an import of the `sequelize` module. */
-  DataFlow::ModuleImportNode sequelize() { result.getPath() = "sequelize" }
+  DataFlow::SourceNode sequelize() { result = DataFlow::moduleImport("sequelize") }
 
   /** Gets an expression that creates an instance of the `Sequelize` class. */
-  DataFlow::SourceNode newSequelize() { result = sequelize().getAnInstantiation() }
+  private DataFlow::SourceNode newSequelize(DataFlow::TypeTracker t) {
+    t.start() and
+    result = sequelize().getAnInstantiation()
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = newSequelize(t2).track(t2, t)
+    )
+  }
+
+  /** Gets an expression that creates an instance of the `Sequelize` class. */
+  DataFlow::SourceNode newSequelize() {
+    result = newSequelize(DataFlow::TypeTracker::end())
+  }
 
   /** A call to `Sequelize.query`. */
   private class QueryCall extends DatabaseAccess, DataFlow::ValueNode {
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -15,6 +15,7 @@
 | postgres5.js:8:21:8:25 | query |
 | sequelize2.js:10:17:10:118 | 'SELECT ... Y name' |
 | sequelize.js:8:17:8:118 | 'SELECT ... Y name' |
+| sequelizeImport.js:3:17:3:118 | 'SELECT ... Y name' |
 | spanner2.js:5:26:5:35 | "SQL code" |
 | spanner2.js:7:35:7:44 | "SQL code" |
 | spanner.js:6:8:6:17 | "SQL code" |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/sequelize.js b/javascript/ql/test/library-tests/frameworks/SQL/sequelize.js
@@ -7,3 +7,5 @@ const sequelize = new Sequelize('database', 'username', 'password', {
 });
 sequelize.query('SELECT * FROM Products WHERE (name LIKE \'%' + criteria + '%\') AND deletedAt IS NULL) ORDER BY name');
 
+
+exports.sequelize = sequelize;
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/sequelizeImport.js b/javascript/ql/test/library-tests/frameworks/SQL/sequelizeImport.js
@@ -0,0 +1,3 @@
+const { sequelize } = require("./sequelize");
+
+sequelize.query('SELECT * FROM Products WHERE (name LIKE \'%' + criteria + '%\') AND deletedAt IS NULL) ORDER BY name');

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+const { sequelize } = require("./sequelize");`
	`2`	`+`
	`3`	`+sequelize.query('SELECT * FROM Products WHERE (name LIKE \'%' + criteria + '%\') AND deletedAt IS NULL) ORDER BY name');`