Merge pull request github#3932 from max-schaefer/portals-additions

semmle-qlci · web-flow · commit e167b8715029 · 2020-07-09T11:43:45.000+01:00
Approved by esbena
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Portals.qll b/javascript/ql/src/semmle/javascript/dataflow/Portals.qll
@@ -15,6 +15,7 @@
 import javascript
 
 private newtype TPortal =
+  MkGlobalObjectPortal() or
   MkNpmPackagePortal(string pkgName) {
     NpmPackagePortal::imports(_, pkgName) or
     NpmPackagePortal::imports(_, pkgName, _) or
@@ -96,6 +97,20 @@ class Portal extends TPortal {
   cached
   ReturnPortal getReturn() { result.getBasePortal() = this }
 
+  /**
+   * Gets the `i`th base portal of this portal.
+   *
+   * The `0`th base portal is the portal itself, the `n+1`st base portal is the `n`th base portal
+   * of the portal `p` of which this is a member, instance, parameter, or return portal.
+   */
+  cached
+  Portal getBasePortal(int i) {
+    i = 0 and
+    result = this
+    or
+    result = this.(CompoundPortal).getBasePortal().getBasePortal(i - 1)
+  }
+
   /**
    * Gets a textual representation of this portal.
    *
@@ -115,6 +130,22 @@ class Portal extends TPortal {
   abstract int depth();
 }
 
+/**
+ * A portal representing the global object.
+ */
+private class GlobalObjectPortal extends Portal, MkGlobalObjectPortal {
+  override DataFlow::SourceNode getAnExitNode(boolean isRemote) {
+    result = DataFlow::globalObjectRef() and
+    isRemote = true
+  }
+
+  override DataFlow::Node getAnEntryNode(boolean escapes) { none() }
+
+  override string toString() { result = "(global)" }
+
+  override int depth() { result = 1 }
+}
+
 /**
  * A portal representing the exports value of the main module of an npm
  * package (that is, a value of `module.exports` for CommonJS modules, or
@@ -167,15 +198,15 @@ private module NpmPackagePortal {
   predicate imports(DataFlow::SourceNode imp, string pkgName) {
     exists(NPMPackage pkg |
       imp = getAModuleImport(pkg, pkgName) and
-      pkg.declaresDependency(pkgName, _)
+      pkgName.regexpMatch("[^./].*")
     )
   }
 
   /** Holds if `imp` imports `member` from package `pkgName`. */
   predicate imports(DataFlow::SourceNode imp, string pkgName, string member) {
     exists(NPMPackage pkg |
       imp = getAModuleMemberImport(pkg, pkgName, member) and
-      pkg.declaresDependency(pkgName, _)
+      pkgName.regexpMatch("[^./].*")
     )
   }
 
@@ -275,6 +306,11 @@ private module MemberPortal {
       base = MkNpmPackagePortal(pkg) and
       isRemote = false
     )
+    or
+    // global variable reads are a kind of property read
+    base instanceof GlobalObjectPortal and
+    read = DataFlow::globalVarRef(prop) and
+    isRemote = true
   }
 
   /** Holds if the main module of `pkgName` exports `rhs` under the name `prop`. */
@@ -300,6 +336,14 @@ private module MemberPortal {
       base = MkNpmPackagePortal(pkgName) and
       escapes = true
     )
+    or
+    // global variable writes are a kind of property write
+    base instanceof GlobalObjectPortal and
+    exists(AssignExpr assgn |
+      assgn.getLhs() = DataFlow::globalVarRef(prop).asExpr() and
+      rhs = assgn.getRhs().flow()
+    ) and
+    escapes = true
   }
 }
 
diff --git a/javascript/ql/test/library-tests/Portals/PortalEntry.expected b/javascript/ql/test/library-tests/Portals/PortalEntry.expected
@@ -707,16 +707,22 @@
 | (member x (parameter 0 (member foo (root https://www.npmjs.com/package/m2)))) | src/m3/tst2.js:5:10:5:10 | o | false |
 | (member y (member x (parameter 0 (member foo (root https://www.npmjs.com/package/m2))))) | src/m3/tst2.js:3:6:3:8 | "?" | false |
 | (member z (parameter 0 (member foo (root https://www.npmjs.com/package/m2)))) | src/m2/main.js:3:9:3:12 | "hi" | true |
+| (parameter 0 (member String (global))) | src/m5/index.js:5:33:5:50 | fs.readFileSync(f) | true |
 | (parameter 0 (member default (root https://www.npmjs.com/package/m2))) | src/m3/tst3.js:4:7:4:10 | "me" | false |
 | (parameter 0 (member default (root https://www.npmjs.com/package/m2))) | src/m3/tst3.js:5:7:5:10 | "me" | false |
+| (parameter 0 (member encode (root https://www.npmjs.com/package/base-64/base64.js))) | src/m5/index.js:5:26:5:51 | String( ... ync(f)) | false |
 | (parameter 0 (member foo (root https://www.npmjs.com/package/m2))) | src/m3/tst2.js:5:5:5:12 | { x: o } | false |
+| (parameter 0 (member log (member console (global)))) | src/m2/main.js:2:15:2:19 | p.x.y | true |
+| (parameter 0 (member log (member console (global)))) | src/m2/main.js:12:17:12:35 | x + " " + this.name | true |
+| (parameter 0 (member log (member console (global)))) | src/m3/index.js:3:43:3:61 | m1("Hello, world!") | true |
 | (parameter 0 (member m (instance (member default (root https://www.npmjs.com/package/m2))))) | src/m3/tst3.js:4:15:4:18 | "hi" | false |
 | (parameter 0 (member m (instance (member default (root https://www.npmjs.com/package/m2))))) | src/m3/tst3.js:4:15:4:18 | "hi" | true |
 | (parameter 0 (member m (instance (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:4:15:4:18 | "hi" | false |
 | (parameter 0 (member m (member default (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:2:5:2:8 | "hi" | false |
 | (parameter 0 (member m (return (member default (root https://www.npmjs.com/package/m2))))) | src/m3/tst3.js:4:15:4:18 | "hi" | false |
 | (parameter 0 (member m (return (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:4:15:4:18 | "hi" | false |
 | (parameter 0 (member m (root https://www.npmjs.com/package/m2))) | src/m3/tst3.js:2:5:2:8 | "hi" | false |
+| (parameter 0 (member readFileSync (root https://www.npmjs.com/package/fs))) | src/m5/index.js:5:49:5:49 | f | false |
 | (parameter 0 (member s (instance (member default (root https://www.npmjs.com/package/m2))))) | src/m3/tst3.js:5:15:5:21 | "there" | false |
 | (parameter 0 (member s (instance (member default (root https://www.npmjs.com/package/m2))))) | src/m3/tst3.js:5:15:5:21 | "there" | true |
 | (parameter 0 (member s (instance (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:5:15:5:21 | "there" | false |
diff --git a/javascript/ql/test/library-tests/Portals/PortalExit.expected b/javascript/ql/test/library-tests/Portals/PortalExit.expected
@@ -1,3 +1,14 @@
+| (global) | src/bluebird/index.js:1:1:1:0 | this | true |
+| (global) | src/bluebird/tst.js:1:1:1:0 | this | true |
+| (global) | src/cyclic/index.js:1:1:1:0 | this | true |
+| (global) | src/m1/index.js:1:1:1:0 | this | true |
+| (global) | src/m2/main.js:1:1:1:0 | this | true |
+| (global) | src/m3/index.js:1:1:1:0 | this | true |
+| (global) | src/m3/tst2.js:1:1:1:0 | this | true |
+| (global) | src/m3/tst3.js:1:1:1:0 | this | true |
+| (global) | src/m3/tst.js:1:1:1:0 | this | true |
+| (global) | src/m4/index.js:1:1:1:0 | this | true |
+| (global) | src/m5/index.js:1:1:1:0 | this | true |
 | (instance (member Promise (root https://www.npmjs.com/package/bluebird))) | src/bluebird/index.js:1:1:1:0 | this | true |
 | (instance (member Promise (root https://www.npmjs.com/package/bluebird))) | src/bluebird/index.js:5:1:5:17 | Promise.prototype | true |
 | (instance (member Promise (root https://www.npmjs.com/package/bluebird))) | src/bluebird/index.js:5:26:5:25 | this | true |
@@ -11,8 +22,16 @@
 | (instance (member default (root https://www.npmjs.com/package/m2))) | src/m3/tst3.js:5:1:5:11 | new A("me") | true |
 | (instance (root https://www.npmjs.com/package/m2)) | src/m3/tst3.js:4:1:4:11 | new A("me") | false |
 | (instance (root https://www.npmjs.com/package/m2)) | src/m3/tst3.js:5:1:5:11 | new A("me") | false |
+| (member String (global)) | src/m5/index.js:5:26:5:31 | String | true |
+| (member console (global)) | src/m2/main.js:2:3:2:9 | console | true |
+| (member console (global)) | src/m2/main.js:12:5:12:11 | console | true |
+| (member console (global)) | src/m3/index.js:3:31:3:37 | console | true |
 | (member default (root https://www.npmjs.com/package/m2)) | src/m3/tst3.js:1:8:1:8 | A | false |
+| (member encode (root https://www.npmjs.com/package/base-64/base64.js)) | src/m5/index.js:5:12:5:24 | base64.encode | false |
 | (member foo (root https://www.npmjs.com/package/m2)) | src/m3/tst2.js:1:10:1:12 | foo | false |
+| (member log (member console (global))) | src/m2/main.js:2:3:2:13 | console.log | true |
+| (member log (member console (global))) | src/m2/main.js:12:5:12:15 | console.log | true |
+| (member log (member console (global))) | src/m3/index.js:3:31:3:41 | console.log | true |
 | (member m (instance (member default (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:4:1:4:13 | new A("me").m | false |
 | (member m (instance (member default (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:4:1:4:13 | new A("me").m | true |
 | (member m (instance (root https://www.npmjs.com/package/m2))) | src/m3/tst3.js:4:1:4:13 | new A("me").m | false |
@@ -21,6 +40,7 @@
 | (member m (return (root https://www.npmjs.com/package/m2))) | src/m3/tst3.js:4:1:4:13 | new A("me").m | false |
 | (member m (root https://www.npmjs.com/package/m2)) | src/m3/tst3.js:2:1:2:3 | A.m | false |
 | (member name (instance (member default (root https://www.npmjs.com/package/m2)))) | src/m2/main.js:12:27:12:35 | this.name | true |
+| (member readFileSync (root https://www.npmjs.com/package/fs)) | src/m5/index.js:5:33:5:47 | fs.readFileSync | false |
 | (member s (instance (member default (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:5:1:5:13 | new A("me").s | false |
 | (member s (instance (member default (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:5:1:5:13 | new A("me").s | true |
 | (member s (instance (root https://www.npmjs.com/package/m2))) | src/m3/tst3.js:5:1:5:13 | new A("me").s | false |
@@ -734,16 +754,22 @@
 | (parameter 0 (return (return (return (return (return (return (return (member foo (root https://www.npmjs.com/package/cyclic)))))))))) | src/cyclic/index.js:1:14:1:15 | cb | true |
 | (parameter 0 (root https://www.npmjs.com/package/m1)) | src/m1/index.js:1:19:1:19 | x | true |
 | (parameter 1 (member then (instance (member Promise (root https://www.npmjs.com/package/bluebird))))) | src/bluebird/index.js:5:46:5:53 | rejected | true |
+| (return (member String (global))) | src/m5/index.js:5:26:5:51 | String( ... ync(f)) | true |
 | (return (member default (root https://www.npmjs.com/package/m2))) | src/m3/tst3.js:4:1:4:11 | new A("me") | false |
 | (return (member default (root https://www.npmjs.com/package/m2))) | src/m3/tst3.js:5:1:5:11 | new A("me") | false |
+| (return (member encode (root https://www.npmjs.com/package/base-64/base64.js))) | src/m5/index.js:5:12:5:52 | base64. ... nc(f))) | false |
 | (return (member foo (root https://www.npmjs.com/package/m2))) | src/m3/tst2.js:5:1:5:13 | foo({ x: o }) | false |
+| (return (member log (member console (global)))) | src/m2/main.js:2:3:2:20 | console.log(p.x.y) | true |
+| (return (member log (member console (global)))) | src/m2/main.js:12:5:12:36 | console ... s.name) | true |
+| (return (member log (member console (global)))) | src/m3/index.js:3:31:3:62 | console ... rld!")) | true |
 | (return (member m (instance (member default (root https://www.npmjs.com/package/m2))))) | src/m3/tst3.js:4:1:4:19 | new A("me").m("hi") | false |
 | (return (member m (instance (member default (root https://www.npmjs.com/package/m2))))) | src/m3/tst3.js:4:1:4:19 | new A("me").m("hi") | true |
 | (return (member m (instance (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:4:1:4:19 | new A("me").m("hi") | false |
 | (return (member m (member default (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:2:1:2:9 | A.m("hi") | false |
 | (return (member m (return (member default (root https://www.npmjs.com/package/m2))))) | src/m3/tst3.js:4:1:4:19 | new A("me").m("hi") | false |
 | (return (member m (return (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:4:1:4:19 | new A("me").m("hi") | false |
 | (return (member m (root https://www.npmjs.com/package/m2))) | src/m3/tst3.js:2:1:2:9 | A.m("hi") | false |
+| (return (member readFileSync (root https://www.npmjs.com/package/fs))) | src/m5/index.js:5:33:5:50 | fs.readFileSync(f) | false |
 | (return (member s (instance (member default (root https://www.npmjs.com/package/m2))))) | src/m3/tst3.js:5:1:5:22 | new A(" ... there") | false |
 | (return (member s (instance (member default (root https://www.npmjs.com/package/m2))))) | src/m3/tst3.js:5:1:5:22 | new A(" ... there") | true |
 | (return (member s (instance (root https://www.npmjs.com/package/m2)))) | src/m3/tst3.js:5:1:5:22 | new A(" ... there") | false |
@@ -1043,6 +1069,8 @@
 | (return (root https://www.npmjs.com/package/m1)) | src/m3/index.js:3:43:3:61 | m1("Hello, world!") | false |
 | (return (root https://www.npmjs.com/package/m2)) | src/m3/tst3.js:4:1:4:11 | new A("me") | false |
 | (return (root https://www.npmjs.com/package/m2)) | src/m3/tst3.js:5:1:5:11 | new A("me") | false |
+| (root https://www.npmjs.com/package/base-64/base64.js) | src/m5/index.js:2:14:2:41 | require ... 64.js") | false |
+| (root https://www.npmjs.com/package/fs) | src/m5/index.js:1:12:1:24 | require("fs") | false |
 | (root https://www.npmjs.com/package/m1) | src/m3/index.js:1:10:1:22 | require("m1") | false |
 | (root https://www.npmjs.com/package/m2) | src/m3/tst2.js:1:1:1:25 | import  ... m "m2"; | false |
 | (root https://www.npmjs.com/package/m2) | src/m3/tst3.js:1:1:1:19 | import A from "m2"; | false |
diff --git a/javascript/ql/test/library-tests/Portals/src/m5/index.js b/javascript/ql/test/library-tests/Portals/src/m5/index.js
@@ -0,0 +1,6 @@
+const fs = require("fs"),
+    base64 = require("base-64/base64.js");
+
+module.exports.readBase64 = function (f) {
+    return base64.encode(String(fs.readFileSync(f)));
+};
diff --git a/javascript/ql/test/library-tests/Portals/src/m5/package.json b/javascript/ql/test/library-tests/Portals/src/m5/package.json
@@ -0,0 +1,6 @@
+{
+    "name": "m5",
+    "dependencies": {
+        "base-64": "*"
+    }
+}
