change succ in storeStep to be a SourceNode

erik-krogh · erik-krogh · commit fd511422008e · 2020-04-15T20:40:58.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/Arrays.qll b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -155,10 +155,10 @@ private module ArrayDataFlow {
       this.getMethodName() = "unshift"
     }
 
-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
       prop = arrayElement() and
       element = this.getAnArgument() and
-      obj = this.getReceiver().getALocalSource()
+      obj.getAMethodCall() = this
     }
   }
 
@@ -188,10 +188,10 @@ private module ArrayDataFlow {
       element = this
     }
 
-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
       prop = arrayElement() and
       element = this.(DataFlow::PropWrite).getRhs() and
-      this = obj.(DataFlow::SourceNode).getAPropertyWrite()
+      this = obj.getAPropertyWrite()
     }
   }
 
@@ -234,7 +234,7 @@ private module ArrayDataFlow {
       element = getCallback(0).getParameter(0)
     }
 
-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
       this.getMethodName() = "map" and
       prop = arrayElement() and
       element = this.getCallback(0).getAReturn() and
@@ -254,7 +254,7 @@ private module ArrayDataFlow {
   private class ArrayCreationStep extends DataFlow::AdditionalFlowStep, DataFlow::Node {
     ArrayCreationStep() { this instanceof DataFlow::ArrayCreationNode }
 
-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
       prop = arrayElement() and
       element = this.(DataFlow::ArrayCreationNode).getAnElement() and
       obj = this
@@ -268,10 +268,10 @@ private module ArrayDataFlow {
   private class ArraySpliceStep extends DataFlow::AdditionalFlowStep, DataFlow::MethodCallNode {
     ArraySpliceStep() { this.getMethodName() = "splice" }
 
-    override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {
+    override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
       prop = arrayElement() and
       element = getArgument(2) and
-      obj = this.getReceiver().getALocalSource()
+      this = obj.getAMethodCall()
     }
   }
 
diff --git a/javascript/ql/src/semmle/javascript/Collections.qll b/javascript/ql/src/semmle/javascript/Collections.qll
@@ -52,9 +52,9 @@ abstract private class CollectionFlowStep extends DataFlow::AdditionalFlowStep {
   /**
    * Holds if `pred` should be stored in the object `succ` under the property `prop`.
    */
-  predicate store(DataFlow::Node pred, DataFlow::Node succ, PseudoProperty prop) { none() }
+  predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, PseudoProperty prop) { none() }
 
-  final override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+  final override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
     this.store(pred, succ, prop)
   }
 
@@ -132,8 +132,8 @@ private module CollectionDataFlow {
   private class SetAdd extends CollectionFlowStep, DataFlow::MethodCallNode {
     SetAdd() { this.getMethodName() = "add" }
 
-    override predicate store(DataFlow::Node element, DataFlow::Node obj, PseudoProperty prop) {
-      this = obj.(DataFlow::SourceNode).getAMethodCall() and
+    override predicate store(DataFlow::Node element, DataFlow::SourceNode obj, PseudoProperty prop) {
+      this = obj.getAMethodCall() and
       element = this.getArgument(0) and
       prop = setElement()
     }
@@ -226,8 +226,8 @@ private module CollectionDataFlow {
   class MapSet extends CollectionFlowStep, DataFlow::MethodCallNode {
     MapSet() { this.getMethodName() = "set" }
 
-    override predicate store(DataFlow::Node element, DataFlow::Node obj, PseudoProperty prop) {
-      this = obj.(DataFlow::SourceNode).getAMethodCall() and
+    override predicate store(DataFlow::Node element, DataFlow::SourceNode obj, PseudoProperty prop) {
+      this = obj.getAMethodCall() and
       element = this.getArgument(1) and
       prop = getAPseudoProperty()
     }
diff --git a/javascript/ql/src/semmle/javascript/Promises.qll b/javascript/ql/src/semmle/javascript/Promises.qll
@@ -232,9 +232,9 @@ abstract private class PromiseFlowStep extends DataFlow::AdditionalFlowStep {
   /**
    * Holds if `pred` should be stored in the object `succ` under the property `prop`.
    */
-  predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }
 
-  final override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+  final override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
     this.store(pred, succ, prop)
   }
 
@@ -273,7 +273,7 @@ private module PromiseFlow {
 
     PromiseDefitionStep() { this = promise }
 
-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       prop = valueProp() and
       pred = promise.getResolveParameter().getACall().getArgument(0) and
       succ = this
@@ -302,7 +302,7 @@ private module PromiseFlow {
 
     CreationStep() { this = promise }
 
-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       prop = valueProp() and
       pred = promise.getValue() and
       succ = this
@@ -368,7 +368,7 @@ private module PromiseFlow {
       succ = this
     }
 
-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       prop = valueProp() and
       pred = getCallback([0 .. 1]).getAReturn() and
       succ = this
@@ -402,7 +402,7 @@ private module PromiseFlow {
       succ = this
     }
 
-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       prop = errorProp() and
       pred = getCallback(0).getExceptionalReturn() and
       succ = this
@@ -430,7 +430,7 @@ private module PromiseFlow {
       succ = this
     }
 
-    override predicate store(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate store(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       prop = errorProp() and
       pred = getCallback(0).getExceptionalReturn() and
       succ = this
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -244,8 +244,11 @@ abstract class Configuration extends string {
    * EXPERIMENTAL. This API may change in the future.
    *
    * Holds if `pred` should be stored in the object `succ` under the property `prop`.
+   * The object `succ` must be a `DataFlow::SourceNode` for the object wherein the value is stored.
    */
-  predicate isAdditionalStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate isAdditionalStoreStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
+    none()
+  }
 
   /**
    * EXPERIMENTAL. This API may change in the future.
@@ -540,9 +543,10 @@ abstract class AdditionalFlowStep extends DataFlow::Node {
    * EXPERIMENTAL. This API may change in the future.
    *
    * Holds if `pred` should be stored in the object `succ` under the property `prop`.
+   * The object `succ` must be a `DataFlow::SourceNode` for the object wherein the value is stored.
    */
   cached
-  predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) { none() }
+  predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) { none() }
 
   /**
    * EXPERIMENTAL. This API may change in the future.
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -603,15 +603,10 @@ module TaintTracking {
      * 3) A `URLSearchParams` object (either `url.searchParams` or `new URLSearchParams(input)`) has a tainted value,
      *    which can be accessed using a `get` or `getAll` call. (See getableUrlPseudoProperty())
      */
-    override predicate storeStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+    override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
       succ = this and
       (
-        (
-          prop = "searchParams" or
-          prop = "hash" or
-          prop = "search" or
-          prop = hiddenUrlPseudoProperty()
-        ) and
+        prop = ["searchParams", "hash", "search", hiddenUrlPseudoProperty()] and
         exists(DataFlow::NewNode newUrl | succ = newUrl |
           newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
           pred = newUrl.getArgument(0)

Original file line number	Diff line number	Diff line change
`@@ -155,10 +155,10 @@ private module ArrayDataFlow {`
`155`	`155`	`this.getMethodName() = "unshift"`
`156`	`156`	`}`
`157`	`157`
`158`		`- override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {`
	`158`	`+ override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {`
`159`	`159`	`prop = arrayElement() and`
`160`	`160`	`element = this.getAnArgument() and`
`161`		`- obj = this.getReceiver().getALocalSource()`
	`161`	`+ obj.getAMethodCall() = this`
`162`	`162`	`}`
`163`	`163`	`}`
`164`	`164`
`@@ -188,10 +188,10 @@ private module ArrayDataFlow {`
`188`	`188`	`element = this`
`189`	`189`	`}`
`190`	`190`
`191`		`- override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {`
	`191`	`+ override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {`
`192`	`192`	`prop = arrayElement() and`
`193`	`193`	`element = this.(DataFlow::PropWrite).getRhs() and`
`194`		`- this = obj.(DataFlow::SourceNode).getAPropertyWrite()`
	`194`	`+ this = obj.getAPropertyWrite()`
`195`	`195`	`}`
`196`	`196`	`}`
`197`	`197`
`@@ -234,7 +234,7 @@ private module ArrayDataFlow {`
`234`	`234`	`element = getCallback(0).getParameter(0)`
`235`	`235`	`}`
`236`	`236`
`237`		`- override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {`
	`237`	`+ override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {`
`238`	`238`	`this.getMethodName() = "map" and`
`239`	`239`	`prop = arrayElement() and`
`240`	`240`	`element = this.getCallback(0).getAReturn() and`
`@@ -254,7 +254,7 @@ private module ArrayDataFlow {`
`254`	`254`	`private class ArrayCreationStep extends DataFlow::AdditionalFlowStep, DataFlow::Node {`
`255`	`255`	`ArrayCreationStep() { this instanceof DataFlow::ArrayCreationNode }`
`256`	`256`
`257`		`- override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {`
	`257`	`+ override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {`
`258`	`258`	`prop = arrayElement() and`
`259`	`259`	`element = this.(DataFlow::ArrayCreationNode).getAnElement() and`
`260`	`260`	`obj = this`
`@@ -268,10 +268,10 @@ private module ArrayDataFlow {`
`268`	`268`	`private class ArraySpliceStep extends DataFlow::AdditionalFlowStep, DataFlow::MethodCallNode {`
`269`	`269`	`ArraySpliceStep() { this.getMethodName() = "splice" }`
`270`	`270`
`271`		`- override predicate storeStep(DataFlow::Node element, DataFlow::Node obj, string prop) {`
	`271`	`+ override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {`
`272`	`272`	`prop = arrayElement() and`
`273`	`273`	`element = getArgument(2) and`
`274`		`- obj = this.getReceiver().getALocalSource()`
	`274`	`+ this = obj.getAMethodCall()`
`275`	`275`	`}`
`276`	`276`	`}`
`277`	`277`