JS: Improve mysql2 model

Author: asgerf

javascript/ql/src/semmle/javascript/frameworks/SQL.qll

@@ -28,30 +28,52 @@ module SQL {
  * Provides classes modelling the (API compatible) `mysql` and `mysql2` packages.
  */
 private module MySql {
+  private string moduleName() { result = ["mysql", "mysql2", "mysql2/promise"] }
+
   /** Gets the package name `mysql` or `mysql2`. */
-  API::Node mysql() { result = API::moduleImport(["mysql", "mysql2"]) }
+  API::Node mysql() { result = API::moduleImport(moduleName()) }
 
   /** Gets a reference to `mysql.createConnection`. */
-  API::Node createConnection() { result = mysql().getMember("createConnection") }
+  API::Node createConnection() {
+    result = mysql().getMember(["createConnection", "createConnectionPromise"])
+  }
 
   /** Gets a reference to `mysql.createPool`. */
-  API::Node createPool() { result = mysql().getMember("createPool") }
+  API::Node createPool() { result = mysql().getMember(["createPool", "createPoolCluster"]) }
 
   /** Gets a node that contains a MySQL pool created using `mysql.createPool()`. */
-  API::Node pool() { result = createPool().getReturn() }
+  API::Node pool() {
+    result = createPool().getReturn()
+    or
+    result = pool().getMember("on").getReturn()
+    or
+    result = API::Node::ofType(moduleName(), ["Pool", "PoolCluster"])
+  }
 
   /** Gets a data flow node that contains a freshly created MySQL connection instance. */
   API::Node connection() {
     result = createConnection().getReturn()
     or
+    result = createConnection().getReturn().getPromised()
+    or
     result = pool().getMember("getConnection").getParameter(0).getParameter(1)
+    or
+    result = pool().getMember("getConnection").getPromised()
+    or
+    exists(API::CallNode call |
+      call = pool().getMember("on").getACall() and
+      call.getArgument(0).getStringValue() = ["connection", "acquire", "release"] and
+      result = call.getParameter(1).getParameter(0)
+    )
+    or
+    result = API::Node::ofType(moduleName(), ["Connection", "PoolConnection"])
   }
 
   /** A call to the MySql `query` method. */
   private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
     QueryCall() {
       exists(API::Node recv | recv = pool() or recv = connection() |
-        this = recv.getMember("query").getACall()
+        this = recv.getMember(["query", "execute"]).getACall()
       )
     }
 

javascript/ql/test/library-tests/frameworks/SQL/Credentials.expected

@@ -6,6 +6,7 @@
 | mysql1.js:7:14:7:21 | 'secret' | password |
 | mysql1a.js:10:9:10:12 | 'me' | user name |
 | mysql1a.js:11:13:11:20 | 'secret' | password |
+| mysql2-promise.js:8:9:8:14 | 'root' | user name |
 | mysql2.js:7:21:7:25 | 'bob' | user name |
 | mysql2.js:8:21:8:28 | 'secret' | password |
 | mysql2tst.js:8:9:8:14 | 'root' | user name |

javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected

@@ -7,10 +7,18 @@
 | mysql1.js:13:18:13:43 | 'SELECT ... lution' |
 | mysql1.js:18:18:22:1 | {\\n    s ... vid']\\n} |
 | mysql1a.js:17:18:17:43 | 'SELECT ... lution' |
+| mysql2-promise.js:14:3:14:62 | 'SELECT ... ` > 45' |
+| mysql2-promise.js:23:3:23:56 | 'SELECT ... e` > ?' |
+| mysql2-promise.js:31:19:31:39 | 'SELECT ...  users' |
+| mysql2-promise.js:32:21:32:41 | 'SELECT ...  users' |
+| mysql2-types.ts:4:16:4:36 | 'SELECT ...  users' |
 | mysql2.js:12:12:12:37 | 'SELECT ... lution' |
 | mysql2tst.js:14:3:14:62 | 'SELECT ... ` > 45' |
 | mysql2tst.js:23:3:23:56 | 'SELECT ... e` > ?' |
+| mysql2tst.js:31:19:31:39 | 'SELECT ...  users' |
+| mysql2tst.js:32:21:32:41 | 'SELECT ...  users' |
 | mysql3.js:14:20:14:52 | 'SELECT ... etable' |
+| mysql3.js:26:14:26:31 | 'SELECT something' |
 | mysql4.js:14:18:14:20 | sql |
 | mysqlImport.js:3:18:5:1 | {\\n    s ... = ?',\\n} |
 | postgres1.js:37:21:37:24 | text |

javascript/ql/test/library-tests/frameworks/SQL/mysql2-promise.js

@@ -0,0 +1,32 @@
+// Adapted from the documentation of https://github.com/sidorares/node-mysql2,
+// which is licensed under the MIT license; see file node-mysql2-License.
+const mysql = require('mysql2/promise');
+ 
+// create the connection to database
+const connection = await mysql.createConnection({
+  host: 'localhost',
+  user: 'root',
+  database: 'test'
+});
+ 
+// simple query
+connection.query(
+  'SELECT * FROM `table` WHERE `name` = "Page" AND `age` > 45',
+  function(err, results, fields) {
+    console.log(results); // results contains rows returned by server
+    console.log(fields); // fields contains extra meta data about results, if available
+  }
+);
+ 
+// with placeholder
+connection.query(
+  'SELECT * FROM `table` WHERE `name` = ? AND `age` > ?',
+  ['Page', 45],
+  function(err, results) {
+    console.log(results);
+  }
+);
+
+const conn2 = await mysql.createConnectionPromise();
+await conn2.query('SELECT * FROM users');
+await conn2.execute('SELECT * FROM users');

javascript/ql/test/library-tests/frameworks/SQL/mysql2-types.ts

@@ -0,0 +1,5 @@
+import { Connection } from "mysql2";
+
+export function doSomething(conn: Connection) {
+    conn.query('SELECT * FROM users');
+}

javascript/ql/test/library-tests/frameworks/SQL/mysql2tst.js

@@ -26,3 +26,7 @@ connection.query(
     console.log(results);
   }
 );
+
+const conn2 = await mysql.createConnectionPromise();
+await conn2.query('SELECT * FROM users');
+await conn2.execute('SELECT * FROM users');

javascript/ql/test/library-tests/frameworks/SQL/mysql3.js

@@ -21,3 +21,7 @@ pool.getConnection(function(err, connection) {
     // Don't use the connection here, it has been returned to the pool. 
   });
 });
+
+pool.on('connection', conn => {
+  conn.query('SELECT something');
+});