JS: Add documentation for Fuzzy component

asgerf · asgerf · commit 2c3117a9816b · 2023-07-14T11:33:06.000+02:00
diff --git a/docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst b/docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst
@@ -220,6 +220,59 @@ For example, the **mysql** model that is included with the CodeQL JS analysis in
 
   - ["mysql.Connection", "mysql", "Member[createConnection].ReturnValue"]
 
+Example: Using fuzzy models to simplify modeling
+------------------------------------------------
+
+In this example, we'll show how to add the following SQL injection sink using a "fuzzy" model:
+
+.. code-block:: ts
+
+  import * as mysql from 'mysql';
+  const pool = mysql.createPool({...});
+  pool.getConnection((err, conn) => {
+    conn.query(q, (err, rows) => {...}); // <-- add 'q' as a SQL injection sink
+  });
+
+We can recognize this using a fuzzy model, as showin in the following extension:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: sinkModel
+      data:
+        - ["mysql", "Fuzzy.Member[query].Argument[0]", "sql-injection"]
+
+- The first column, **"mysql"**, begins the search at at places where the `mysql` package is imported.
+- **Fuzzy** selects all objects that appear to originate from the `mysql` package, such as the `pool`, `conn`, `err`, and `rows` objects.
+- **Member[query]** selects the **query** member from any of those objects. In this case, the only such member is `conn.query`.
+  In principle, this would also find expressions such as `pool.query` and `err.query`, but in practice such expressions
+  are not likely to occur, because the `pool` and `err` objects do not have a member named `query`.
+- **Argument[0]** selects the first argument of a call to the selected member, that is, the `q` argument to `conn.query`.
+- **sql-injection** indicates that this is considered a sink for the SQL injection query.
+
+For reference, a more detailed model might look like this, as described in the preceding examples:
+
+.. code-block:: yaml
+
+  extensions:
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: sinkModel
+      data:
+        - ["mysql.Connection", "Member[query].Argument[0]", "sql-injection"]
+
+    - addsTo:
+        pack: codeql/javascript-all
+        extensible: typeModel
+      data:
+        - ["mysql.Pool", "mysql", "Member[createPool].ReturnValue"]
+        - ["mysql.Connection", "mysql.Pool", "Member[getConnection].Argument[0].Parameter[1]"]
+
+The model using the **Fuzzy** component is simpler, at the cost of being approximate.
+This technique is useful when modeling a large or complex library, where it is difficult to write a detailed model.
+
 Example: Adding flow through 'decodeURIComponent'
 -------------------------------------------------
 
@@ -431,6 +484,9 @@ The following components are supported:
 - **MapValue** selects a value of a map object.
 - **Awaited** selects the value of a promise.
 - **Instance** selects instances of a class.
+- **Fuzzy** selects all values that are derived from the current value through a combination of the other operations described in this list.
+  For example, this can be used to find all values the appear to originate from a particular package. This can be useful for finding method calls
+  from a known package, but where the receiver type is not known or is difficult to model.
 
 The following components are called "call site filters". They select a subset of the previously-selected calls, if the call fits certain criteria:
 
