add support for Array.prototype.find and polyfills

erik-krogh · erik-krogh · commit e64f29fe8f78 · 2021-07-15T11:16:06.000+02:00
diff --git a/javascript/change-notes/2021-07-15-array-libs.md b/javascript/change-notes/2021-07-15-array-libs.md
@@ -1,4 +1,6 @@
 lgtm,codescanning
 * The dataflow libraries now model dataflow through more array libraries.
   Affected packages are
-    [array-from](https://npmjs.com/package/array-from)
+    [array-from](https://npmjs.com/package/array-from),
+    [array.prototype.find](https://npmjs.com/package/array.prototype.find),
+    [array-find](https://npmjs.com/package/array-find)
diff --git a/javascript/ql/src/semmle/javascript/Arrays.qll b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -79,6 +79,11 @@ module ArrayTaintTracking {
     call.(DataFlow::MethodCallNode).getMethodName() = "concat" and
     succ = call and
     pred = call.getAnArgument()
+    or
+    // find
+    // `e = arr.find(callback)`
+    call = arrayFindCall(pred) and
+    succ = call
   }
 }
 
@@ -297,6 +302,19 @@ private module ArrayDataFlow {
       )
     }
   }
+
+  /**
+   * A step modelling that elements from an array `arr` are received by calling `find`.
+   */
+  private class ArrayFindStep extends DataFlow::SharedFlowStep {
+    override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      exists(DataFlow::CallNode call |
+        call = arrayFindCall(pred) and
+        succ = call and
+        prop = arrayElement()
+      )
+    }
+  }
 }
 
 private import ArrayLibraries
@@ -313,4 +331,15 @@ private module ArrayLibraries {
     or
     result = DataFlow::moduleImport("array-from").getACall()
   }
+
+  /**
+   * Gets a call to `Array.prototype.find` or a polyfill implementing the same functionality.
+   */
+  DataFlow::CallNode arrayFindCall(DataFlow::Node array) {
+    result.(DataFlow::MethodCallNode).getMethodName() = "find" and
+    array = result.getReceiver()
+    or
+    result = DataFlow::moduleImport(["array.prototype.find", "array-find"]).getACall() and
+    array = result.getArgument(0)
+  }
 }
diff --git a/javascript/ql/test/library-tests/Arrays/DataFlow.expected b/javascript/ql/test/library-tests/Arrays/DataFlow.expected
@@ -8,6 +8,8 @@
 | arrays.js:2:16:2:23 | "source" | arrays.js:60:10:60:10 | x |
 | arrays.js:2:16:2:23 | "source" | arrays.js:66:10:66:10 | x |
 | arrays.js:2:16:2:23 | "source" | arrays.js:71:10:71:10 | x |
+| arrays.js:2:16:2:23 | "source" | arrays.js:74:8:74:29 | arr.fin ... llback) |
+| arrays.js:2:16:2:23 | "source" | arrays.js:77:8:77:35 | arrayFi ... llback) |
 | arrays.js:18:22:18:29 | "source" | arrays.js:18:50:18:50 | e |
 | arrays.js:22:15:22:22 | "source" | arrays.js:23:8:23:17 | arr2.pop() |
 | arrays.js:25:15:25:22 | "source" | arrays.js:26:8:26:17 | arr3.pop() |
diff --git a/javascript/ql/test/library-tests/Arrays/arrays.js b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -70,4 +70,9 @@
   for (const x of arrayFrom(arr)) {
     sink(x); // NOT OK
   }
+
+  sink(arr.find(someCallback)); // NOT OK
+
+  const arrayFind = require("array-find");
+  sink(arrayFind(arr, someCallback)); // NOT OK
 });

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,11 @@ module ArrayTaintTracking {`
`79`	`79`	`call.(DataFlow::MethodCallNode).getMethodName() = "concat" and`
`80`	`80`	`succ = call and`
`81`	`81`	`pred = call.getAnArgument()`
	`82`	`+ or`
	`83`	`+ // find`
	`84`	+ // `e = arr.find(callback)`
	`85`	`+ call = arrayFindCall(pred) and`
	`86`	`+ succ = call`
`82`	`87`	`}`
`83`	`88`	`}`
`84`	`89`
`@@ -297,6 +302,19 @@ private module ArrayDataFlow {`
`297`	`302`	`)`
`298`	`303`	`}`
`299`	`304`	`}`
	`305`	`+`
	`306`	`+ /**`
	`307`	+ * A step modelling that elements from an array `arr` are received by calling `find`.
	`308`	`+ */`
	`309`	`+ private class ArrayFindStep extends DataFlow::SharedFlowStep {`
	`310`	`+ override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {`
	`311`	`+ exists(DataFlow::CallNode call \|`
	`312`	`+ call = arrayFindCall(pred) and`
	`313`	`+ succ = call and`
	`314`	`+ prop = arrayElement()`
	`315`	`+ )`
	`316`	`+ }`
	`317`	`+ }`
`300`	`318`	`}`
`301`	`319`
`302`	`320`	`private import ArrayLibraries`
`@@ -313,4 +331,15 @@ private module ArrayLibraries {`
`313`	`331`	`or`
`314`	`332`	`result = DataFlow::moduleImport("array-from").getACall()`
`315`	`333`	`}`
	`334`	`+`
	`335`	`+ /**`
	`336`	+ * Gets a call to `Array.prototype.find` or a polyfill implementing the same functionality.
	`337`	`+ */`
	`338`	`+ DataFlow::CallNode arrayFindCall(DataFlow::Node array) {`
	`339`	`+ result.(DataFlow::MethodCallNode).getMethodName() = "find" and`
	`340`	`+ array = result.getReceiver()`
	`341`	`+ or`
	`342`	`+ result = DataFlow::moduleImport(["array.prototype.find", "array-find"]).getACall() and`
	`343`	`+ array = result.getArgument(0)`
	`344`	`+ }`
`316`	`345`	`}`