Merge pull request github#6114 from erik-krogh/promisify

Approved by esbena

Author: codeql-ci

javascript/change-notes/2021-06-21-promisify.md

@@ -0,0 +1,6 @@
+lgtm,codescanning
+* Support for libraries modeling `promisify` and `promisifyAll` functions have been improved. 
+  Affected packages are
+    [pify](https://www.npmjs.com/package/pify),
+    [util.promisify](https://www.npmjs.com/package/util.promisify),
+    [thenify](https://www.npmjs.com/package/thenify)

javascript/ql/src/semmle/javascript/ApiGraphs.qll

@@ -686,9 +686,7 @@ module API {
       promisified = false and
       boundArgs = 0
       or
-      exists(DataFlow::CallNode promisify |
-        promisify = DataFlow::moduleImport(["util", "bluebird"]).getAMemberCall("promisify")
-      |
+      exists(Promisify::PromisifyCall promisify |
         trackUseNode(nd, false, boundArgs, t.continue()).flowsTo(promisify.getArgument(0)) and
         promisified = true and
         result = promisify

javascript/ql/src/semmle/javascript/Promises.qll

@@ -659,3 +659,39 @@ private module DynamicImportSteps {
     }
   }
 }
+
+/**
+ * Provides classes modeling libraries implementing `promisify` functions.
+ * That is, functions that convert callback style functions to functions that return a promise.
+ */
+module Promisify {
+  /**
+   * Gets a call to a `promisifyAll` function.
+   * E.g. `require("bluebird").promisifyAll(...)`.
+   */
+  class PromisifyAllCall extends DataFlow::CallNode {
+    PromisifyAllCall() {
+      this =
+        [
+          DataFlow::moduleMember("bluebird", "promisifyAll"),
+          DataFlow::moduleImport(["util-promisifyall", "pify"])
+        ].getACall()
+    }
+  }
+
+  /**
+   * Gets a call to a `promisify` function.
+   * E.g. `require("util").promisify(...)`.
+   */
+  class PromisifyCall extends DataFlow::CallNode {
+    PromisifyCall() {
+      this = DataFlow::moduleImport(["util", "bluebird"]).getAMemberCall("promisify")
+      or
+      this = DataFlow::moduleImport(["pify", "util.promisify"]).getACall()
+      or
+      this = DataFlow::moduleImport("thenify").getACall()
+      or
+      this = DataFlow::moduleMember("thenify", "withCallback").getACall()
+    }
+  }
+}

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -472,14 +472,9 @@ module NodeJSLib {
         result = pred.track(t2, t)
         or
         t.continue() = t2 and
-        exists(DataFlow::CallNode promisifyAllCall |
+        exists(Promisify::PromisifyAllCall promisifyAllCall |
           result = promisifyAllCall and
-          pred.flowsTo(promisifyAllCall.getArgument(0)) and
-          promisifyAllCall =
-            [
-              DataFlow::moduleMember("bluebird", "promisifyAll"),
-              DataFlow::moduleImport("util-promisifyall")
-            ].getACall()
+          pred.flowsTo(promisifyAllCall.getArgument(0))
         )
         or
         // const fs = require('fs');
@@ -648,9 +643,7 @@ module NodeJSLib {
   private DataFlow::SourceNode maybePromisified(DataFlow::SourceNode callback) {
     result = callback
     or
-    exists(DataFlow::CallNode promisify |
-      promisify = DataFlow::moduleMember(["util", "bluebird"], "promisify").getACall()
-    |
+    exists(Promisify::PromisifyCall promisify |
       result = promisify and promisify.getArgument(0).getALocalSource() = callback
     )
   }