JS: Include summary steps in type tracking

asgerf · asgerf · commit 2f0c80a98bb6 · 2024-11-29T14:23:55.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll
@@ -1,6 +1,7 @@
 import javascript
 private import semmle.javascript.dataflow.TypeTracking
 private import semmle.javascript.internal.CachedStages
+private import sharedlib.SummaryTypeTracker as SummaryTypeTracker
 private import FlowSteps
 
 cached
@@ -46,6 +47,12 @@ private module Cached {
       LoadStoreStep(PropertyName fromProp, PropertyName toProp) {
         SharedTypeTrackingStep::loadStoreStep(_, _, fromProp, toProp)
         or
+        exists(DataFlow::ContentSet loadContent, DataFlow::ContentSet storeContent |
+          SummaryTypeTracker::basicLoadStoreStep(_, _, loadContent, storeContent) and
+          fromProp = loadContent.asPropertyName() and
+          toProp = storeContent.asPropertyName()
+        )
+        or
         summarizedLoadStoreStep(_, _, fromProp, toProp)
       } or
       WithoutPropStep(PropertySet props) { SharedTypeTrackingStep::withoutPropStep(_, _, props) }
@@ -205,6 +212,21 @@ private module Cached {
       succ = getACallbackSource(parameter).getParameter(i) and
       summary = ReturnStep()
     )
+    or
+    SummaryTypeTracker::levelStepNoCall(pred, succ) and summary = LevelStep()
+    or
+    exists(DataFlow::ContentSet content |
+      SummaryTypeTracker::basicLoadStep(pred, succ, content) and
+      summary = LoadStep(content.asPropertyName())
+      or
+      SummaryTypeTracker::basicStoreStep(pred, succ, content) and
+      summary = StoreStep(content.asPropertyName())
+    )
+    or
+    exists(DataFlow::ContentSet loadContent, DataFlow::ContentSet storeContent |
+      SummaryTypeTracker::basicLoadStoreStep(pred, succ, loadContent, storeContent) and
+      summary = LoadStoreStep(loadContent.asPropertyName(), storeContent.asPropertyName())
+    )
   }
 }
 
diff --git a/javascript/ql/test/library-tests/TypeTracking2/summaries.js b/javascript/ql/test/library-tests/TypeTracking2/summaries.js
@@ -6,7 +6,7 @@ function m0() {
 function m1() {
   const fn = mkSummary("Argument[0]", "ReturnValue");
   const obj = source("m1.1");
-  sink(fn(obj)); // $ MISSING: track=m1.1
+  sink(fn(obj)); // $ track=m1.1
   sink(fn(obj.p));
   sink(fn(obj).p);
   sink(fn({ p: obj }));
@@ -19,7 +19,7 @@ function m2() {
   sink(fn(obj));
   sink(fn(obj.p));
   sink(fn(obj).p);
-  sink(fn({ p: obj })); // $ MISSING: track=m2.1
+  sink(fn({ p: obj })); // $ track=m2.1
   sink(fn({ p: obj }).q);
 }
 
@@ -28,7 +28,7 @@ function m3() {
   const obj = source("m3.1");
   sink(fn(obj));
   sink(fn(obj.p));
-  sink(fn(obj).p); // $ MISSING: track=m3.1
+  sink(fn(obj).p); // $ track=m3.1
   sink(fn({ p: obj }));
   sink(fn({ p: obj }).q);
 }
@@ -41,5 +41,5 @@ function m4() {
   sink(fn(obj.p));
   sink(fn(obj).p);
   sink(fn({ p: obj }));
-  sink(fn({ p: obj }).q); // $ MISSING: track=m4.1
+  sink(fn({ p: obj }).q); // $ track=m4.1
 }
