JS: Type track spanner model

asgerf · asgerf · commit 5249e8435920 · 2020-05-15T17:27:30.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -439,25 +439,79 @@ private module Spanner {
     result = DataFlow::moduleMember("@google-cloud/spanner", "Spanner")
   }
 
-  /**
-   * Gets a node that refers to an instance of the `Database` class.
-   */
+  /** Gets a data flow node referring to the result of `Spanner()` or `new Spanner()`. */
+  private DataFlow::SourceNode spannerNew(DataFlow::TypeTracker t) {
+    t.start() and
+    result = spanner().getAnInvocation()
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = spannerNew(t2).track(t2, t)
+    )
+  }
+
+  /** Gets a data flow node referring to the result of `Spanner()` or `new Spanner()`. */
+  DataFlow::SourceNode spannerNew() {
+    result = spannerNew(DataFlow::TypeTracker::end())
+  }
+
+  /** Gets a data flow node referring to the result of `.instance()`. */
+  private DataFlow::SourceNode instance(DataFlow::TypeTracker t) {
+    t.start() and
+    result = spannerNew().getAMethodCall("instance")
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = instance(t2).track(t2, t)
+    )
+  }
+
+  /** Gets a data flow node referring to the result of `.instance()`. */
+  DataFlow::SourceNode instance() {
+    result = instance(DataFlow::TypeTracker::end())
+  }
+
+  /** Gets a node that refers to an instance of the `Database` class. */
+  private DataFlow::SourceNode database(DataFlow::TypeTracker t) {
+    t.start() and
+    result = instance().getAMethodCall("database")
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = database(t2).track(t2, t)
+    )
+  }
+
+  /** Gets a node that refers to an instance of the `Database` class. */
   DataFlow::SourceNode database() {
-    result = spanner().getAnInvocation().getAMethodCall("instance").getAMethodCall("database")
+    result = database(DataFlow::TypeTracker::end())
   }
 
-  /**
-   * Gets a node that refers to an instance of the `v1.SpannerClient` class.
-   */
-  DataFlow::SourceNode v1SpannerClient() {
+  /** Gets a node that refers to an instance of the `v1.SpannerClient` class. */
+  private DataFlow::SourceNode v1SpannerClient(DataFlow::TypeTracker t) {
+    t.start() and
     result = spanner().getAPropertyRead("v1").getAPropertyRead("SpannerClient").getAnInstantiation()
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = v1SpannerClient(t2).track(t2, t)
+    )
   }
 
-  /**
-   * Gets a node that refers to a transaction object.
-   */
+  /** Gets a node that refers to an instance of the `v1.SpannerClient` class. */
+  DataFlow::SourceNode v1SpannerClient() {
+    result = v1SpannerClient(DataFlow::TypeTracker::end())
+  }
+
+  /** Gets a node that refers to a transaction object. */
+  private DataFlow::SourceNode transaction(DataFlow::TypeTracker t) {
+    t.start() and
+    result = database().getAMethodCall("runTransaction").getABoundCallbackParameter(0, 1)
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = transaction(t2).track(t2, t)
+    )
+  }
+
+  /** Gets a node that refers to a transaction object. */
   DataFlow::SourceNode transaction() {
-    result = database().getAMethodCall("runTransaction").getCallback(0).getParameter(1)
+    result = transaction(DataFlow::TypeTracker::end())
   }
 
   /**
@@ -481,9 +535,7 @@ private module Spanner {
    */
   class DatabaseRunCall extends SqlExecution {
     DatabaseRunCall() {
-      exists(string run | run = "run" or run = "runPartitionedUpdate" or run = "runStream" |
-        this = database().getAMethodCall(run)
-      )
+      this = database().getAMethodCall(["run", "runPartitionedUpdate", "runStream"])
     }
   }
 
@@ -492,9 +544,7 @@ private module Spanner {
    */
   class TransactionRunCall extends SqlExecution {
     TransactionRunCall() {
-      exists(string run | run = "run" or run = "runStream" or run = "runUpdate" |
-        this = transaction().getAMethodCall(run)
-      )
+      this = transaction().getAMethodCall(["run", "runStream", "runUpdate"])
     }
   }
 
@@ -503,9 +553,7 @@ private module Spanner {
    */
   class ExecuteSqlCall extends SqlExecution {
     ExecuteSqlCall() {
-      exists(string exec | exec = "executeSql" or exec = "executeStreamingSql" |
-        this = v1SpannerClient().getAMethodCall(exec)
-      )
+      this = v1SpannerClient().getAMethodCall(["executeSql", "executeStreamingSql"])
     }
 
     override DataFlow::Node getAQueryArgument() {
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -39,5 +39,6 @@
 | spanner.js:18:16:18:25 | "SQL code" |
 | spanner.js:19:16:19:34 | { sql: "SQL code" } |
 | spanner.js:19:23:19:32 | "SQL code" |
+| spannerImport.js:4:8:4:17 | "SQL code" |
 | sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |
 | sqliteImport.js:2:8:2:44 | "UPDATE ... id = ?" |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/spanner.js b/javascript/ql/test/library-tests/frameworks/SQL/spanner.js
@@ -17,4 +17,6 @@ db.runTransaction((err, tx) => {
   tx.runStream({ sql: "SQL code" });
   tx.runUpdate("SQL code");
   tx.runUpdate({ sql: "SQL code" });
-});
+});
+
+exports.instance = instance;
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/spannerImport.js b/javascript/ql/test/library-tests/frameworks/SQL/spannerImport.js
@@ -0,0 +1,4 @@
+const { instance } = require('./spanner');
+const db = instance.database('db');
+
+db.run("SQL code", (err, rows) => {});
