Merge pull request github#5237 from erik-krogh/moreInf

Approved by asgerf

Author: codeql-ci

javascript/ql/src/semmle/javascript/Arrays.qll

@@ -25,7 +25,7 @@ module ArrayTaintTracking {
     // `array.map(function (elt, i, ary) { ... })`: if `array` is tainted, then so are
     // `elt` and `ary`; similar for `forEach`
     exists(Function f |
-      call.getArgument(0).analyze().getAValue().(AbstractFunction).getFunction() = f and
+      call.getArgument(0).getAFunctionValue(0).getFunction() = f and
       call.(DataFlow::MethodCallNode).getMethodName() = ["map", "forEach"] and
       pred = call.getReceiver() and
       succ = DataFlow::parameterNode(f.getParameter([0, 2]))

javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll

@@ -106,7 +106,11 @@ module DataFlow {
 
     /** Holds if this node may evaluate to the Boolean value `b`. */
     predicate mayHaveBooleanValue(boolean b) {
-      b = analyze().getAValue().(AbstractBoolean).getBooleanValue()
+      getAPredecessor().mayHaveBooleanValue(b)
+      or
+      b = true and asExpr().(BooleanLiteral).getValue() = "true"
+      or
+      b = false and asExpr().(BooleanLiteral).getValue() = "false"
     }
 
     /** Gets the integer value of this node, if it is an integer constant. */

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

@@ -168,7 +168,13 @@ class InvokeNode extends DataFlow::SourceNode {
   private ObjectLiteralNode getOptionsArgument(int i) { result.flowsTo(getArgument(i)) }
 
   /** Gets an abstract value representing possible callees of this call site. */
-  final AbstractValue getACalleeValue() { result = getCalleeNode().analyze().getAValue() }
+  final AbstractValue getACalleeValue() {
+    exists(DataFlow::Node callee, DataFlow::AnalyzedNode analyzed |
+      pragma[only_bind_into](callee) = getCalleeNode() and
+      pragma[only_bind_into](analyzed) = callee.analyze() and
+      pragma[only_bind_into](result) = analyzed.getAValue()
+    )
+  }
 
   /**
    * Gets a potential callee of this call site.
@@ -1166,6 +1172,16 @@ module ClassNode {
     result.getFile() = f
   }
 
+  /**
+   * Gets a reference to the function `func`, where there exists a read/write of the "prototype" property on that reference.
+   */
+  pragma[noinline]
+  private DataFlow::SourceNode getAFunctionValueWithPrototype(AbstractValue func) {
+    exists(result.getAPropertyReference("prototype")) and
+    result.analyze().getAValue() = pragma[only_bind_into](func) and
+    func instanceof AbstractFunction // the join-order goes bad if `func` has type `AbstractFunction`.
+  }
+
   /**
    * A function definition with prototype manipulation as a `ClassNode` instance.
    */
@@ -1176,10 +1192,7 @@ module ClassNode {
     FunctionStyleClass() {
       function.getFunction() = astNode and
       (
-        exists(DataFlow::PropRef read |
-          read.getPropertyName() = "prototype" and
-          read.getBase().analyze().getAValue() = function
-        )
+        exists(getAFunctionValueWithPrototype(function))
         or
         exists(string name |
           this = AccessPath::getAnAssignmentTo(name) and
@@ -1240,7 +1253,7 @@ module ClassNode {
      * Gets a reference to the prototype of this class.
      */
     DataFlow::SourceNode getAPrototypeReference() {
-      exists(DataFlow::SourceNode base | base.analyze().getAValue() = function |
+      exists(DataFlow::SourceNode base | base = getAFunctionValueWithPrototype(function) |
         result = base.getAPropertyRead("prototype")
         or
         result = base.getAPropertySource("prototype")

javascript/ql/src/semmle/javascript/frameworks/Testing.qll

@@ -33,7 +33,7 @@ class BDDTest extends Test, @call_expr {
     exists(CallExpr call | call = this |
       call.getCallee().(VarAccess).getName() = "it" and
       exists(call.getArgument(0).getStringValue()) and
-      call.getArgument(1).analyze().getAValue() instanceof AbstractFunction
+      exists(call.getArgument(1).flow().getAFunctionValue(0))
     )
   }
 }
@@ -60,7 +60,7 @@ class JestTest extends Test, @call_expr {
     exists(CallExpr call | call = this |
       call.getCallee().(GlobalVarAccess).getName() = "test" and
       exists(call.getArgument(0).getStringValue()) and
-      call.getArgument(1).analyze().getAValue() instanceof AbstractFunction
+      exists(call.getArgument(1).flow().getAFunctionValue(0))
     ) and
     getFile() = getTestFile(any(File f), "test")
   }
@@ -94,7 +94,7 @@ class CucumberTest extends Test, @call_expr {
     exists(DataFlow::ModuleImportNode m, CallExpr call |
       m.getPath() = "cucumber" and
       call = m.getAnInvocation().asExpr() and
-      call.getArgument(0).analyze().getAValue() instanceof AbstractFunction and
+      exists(call.getArgument(0).flow().getAFunctionValue()) and
       this = call
     )
   }