JS: handle CloudFunctions

asger-semmle · asger-semmle · commit 0401b26b48e6 · 2019-03-27T13:21:45.000Z
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Firebase.qll b/javascript/ql/src/semmle/javascript/frameworks/Firebase.qll
@@ -1,7 +1,9 @@
+/**
+ * Provides classes and predicates for reasoning about code using the Firebase API.
+ */
 import javascript
 
 module Firebase {
-  
   /** Gets a reference to the firebase API object. */
   private DataFlow::SourceNode firebase(DataFlow::TypeTracker t) {
     t.start() and
@@ -18,7 +20,7 @@ module Firebase {
     )
   }
 
-  /** Gets a reference to the firebase API object. */
+  /** Gets a reference to the `firebase/app` or `firebase-admin` API object. */
   DataFlow::SourceNode firebase() {
     result = firebase(_)
   }
@@ -31,7 +33,7 @@ module Firebase {
       result = initApp(t2).track(t2, t)
     )
   }
-
+  
   /**
    * Gets a reference to a firebase app, either the `firebase` object or an
    * app created explicitly with `initializeApp()`.
@@ -40,96 +42,188 @@ module Firebase {
     result = firebase(_) or result = initApp(_)
   }
 
-  /** Gets a reference to a firebase database object, such as `firebase.database()`. */
-  private DataFlow::SourceNode database(DataFlow::TypeTracker t) {
-    result = app().getAMethodCall("database") and t.start()
-    or
-    exists (DataFlow::TypeTracker t2 |
-      result = database(t2).track(t2, t)
-    )
-  }
-
-  /** Gets a reference to a firebase database object, such as `firebase.database()`. */
-  DataFlow::SourceNode database() {
-    result = database(_)
-  }
-
-  /** Gets a node that refers to a `Reference` object, such as `firebase.database().ref()`. */
-  DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
-    t.start() and
-    (
-      exists (string name | result = database().getAMethodCall(name) |
-        name = "ref" or
-        name = "refFromURL"
+  module Database {
+  
+    /** Gets a reference to a firebase database object, such as `firebase.database()`. */
+    private DataFlow::SourceNode database(DataFlow::TypeTracker t) {
+      result = app().getAMethodCall("database") and t.start()
+      or
+      exists (DataFlow::TypeTracker t2 |
+        result = database(t2).track(t2, t)
+      )
+    }
+  
+    /** Gets a reference to a firebase database object, such as `firebase.database()`. */
+    DataFlow::SourceNode database() {
+      result = database(_)
+    }
+  
+    /** Gets a node that refers to a `Reference` object, such as `firebase.database().ref()`. */
+    DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
+      t.start() and
+      (
+        exists (string name | result = database().getAMethodCall(name) |
+          name = "ref" or
+          name = "refFromURL"
+        )
+        or
+        exists (string name | result = ref(_).getAMethodCall(name) |
+          name = "push" or
+          name = "child"
+        )
+        or
+        exists (string name | result = ref(_).getAPropertyRead(name) |
+          name = "parent" or
+          name = "root"
+        )
+        or
+        result = snapshot().getAPropertyRead("ref")
       )
       or
-      exists (string name | result = ref(_).getAMethodCall(name) |
-        name = "push" or
-        name = "child"
+      exists (DataFlow::TypeTracker t2 |
+        result = ref(t2).track(t2, t)
+      )
+    }
+  
+    /** Gets a node that refers to a `Reference` object, such as `firebase.database().ref()`. */
+    DataFlow::SourceNode ref() {
+      result = ref(_)
+    }
+  
+    /** Gets a node that refers to a `Query` or `Reference` object. */
+    DataFlow::SourceNode query(DataFlow::TypeTracker t) {
+      t.start() and
+      (
+        result = ref(t) // a Reference can be used as a Query
+        or
+        exists (string name | result = query(_).getAMethodCall(name) |
+          name = "endAt" or
+          name = "limitTo" + any(string s) or
+          name = "orderBy" + any(string s) or
+          name = "startAt"
+        )
       )
       or
-      exists (string name | result = ref(_).getAPropertyRead(name) |
-        name = "parent" or
-        name = "root"
+      exists (DataFlow::TypeTracker t2 |
+        result = query(t2).track(t2, t)
       )
+    }
+  
+    /** Gets a node that refers to a `Query` or `Reference` object. */
+    DataFlow::SourceNode query() {
+      result = query(_)
+    }
+    
+    /**
+     * A call of form `query.on(...)` or `query.once(...)`.
+     */
+    class QueryListenCall extends DataFlow::MethodCallNode {
+      QueryListenCall() {
+        this = query().getAMethodCall() and
+        (getMethodName() = "on" or getMethodName() = "once")
+      }
+  
+      DataFlow::Node getCallbackNode() {
+        result = getArgument(1)
+      }
+    }
+    
+    /**
+     * Gets a node that is passed as the callback to a `Reference.transaction` call.
+     */
+    DataFlow::SourceNode transactionCallback(DataFlow::TypeTracker t) {
+      t.start() and
+      result = ref().getAMethodCall("transaction").getArgument(0).getALocalSource()
       or
-      result = snapshot().getAPropertyRead("ref")
-    )
-    or
-    exists (DataFlow::TypeTracker t2 |
-      result = ref(t2).track(t2, t)
-    )
+      exists (DataFlow::TypeTracker t2 |
+        result = transactionCallback(t2).backtrack(t2, t)
+      )
+    }
+  
+    /**
+     * Gets a node that is passed as the callback to a `Reference.transaction` call.
+     */
+    DataFlow::SourceNode transactionCallback() {
+      result = transactionCallback(_)
+    }
   }
 
-  /** Gets a node that refers to a `Reference` object, such as `firebase.database().ref()`. */
-  DataFlow::SourceNode ref() {
-    result = ref(_)
-  }
+  /**
+   * Provides predicates for reasoning about the the Firebase Cloud Functions API,
+   * sometimes referred to just as just "Firebase Functions".
+   */
+  module CloudFunctions {
+    /** Gets a reference to the Cloud Functions namespace. */
+    DataFlow::SourceNode namespace(DataFlow::TypeTracker t) {
+      t.start() and
+      result = DataFlow::moduleImport("firebase-functions")
+      or
+      exists (DataFlow::TypeTracker t2 |
+        result = namespace(t2).track(t2, t)
+      )
+    }
+    
+    /** Gets a reference to the Cloud Functions namespace. */
+    DataFlow::SourceNode namespace() {
+      result = namespace(_)
+    }
 
-  /** Gets a node that refers to a `Query` or `Reference` object. */
-  DataFlow::SourceNode query(DataFlow::TypeTracker t) {
-    t.start() and
-    (
-      result = ref(t) // a Reference can be used as a Query
+    /** Gets a reference to a Cloud Functions database object. */
+    DataFlow::SourceNode database(DataFlow::TypeTracker t) {
+      t.start() and
+      result = namespace().getAPropertyRead("database")
       or
-      exists (string name | result = query(_).getAMethodCall(name) |
-        name = "endAt" or
-        name = "limitTo" + any(string s) or
-        name = "orderBy" + any(string s) or
-        name = "startAt"
+      exists (DataFlow::TypeTracker t2 |
+        result = database(t2).track(t2, t)
       )
-    )
-    or
-    exists (DataFlow::TypeTracker t2 |
-      result = query(t2).track(t2, t)
-    )
-  }
+    }
 
-  /** Gets a node that refers to a `Query` or `Reference` object. */
-  DataFlow::SourceNode query() {
-    result = query(_)
-  }
-  
-  /**
-   * A call of form `query.on(...)` or `query.once(...)`.
-   */
-  class QueryListenCall extends DataFlow::MethodCallNode {
-    QueryListenCall() {
-      this = query().getAMethodCall() and
-      (getMethodName() = "on" or getMethodName() = "once")
+    /** Gets a reference to a Cloud Functions database object. */
+    DataFlow::SourceNode database() {
+      result = database(_)
+    }
+    
+    /** Gets a dataflow node holding a `RefBuilder` object. */
+    DataFlow::SourceNode refBuilder(DataFlow::TypeTracker t) {
+      t.start() and
+      result = database().getAMethodCall("ref")
+      or
+      exists (DataFlow::TypeTracker t2 |
+        result = refBuilder(t2).track(t2, t)
+      )
     }
 
-    DataFlow::Node getCallbackNode() {
-      result = getArgument(1)
+    /** Gets a dataflow node holding a `RefBuilder` object. */
+    DataFlow::SourceNode ref() {
+      result = refBuilder(_)
     }
-  }
 
+    /** Gets a call that registers a listener on a `RefBuilder`, such as `ref.onCreate(...)`. */
+    class RefBuilderListenCall extends DataFlow::MethodCallNode {
+      RefBuilderListenCall() {
+        this = ref().getAMethodCall() and
+        getMethodName() = "on" + any(string s)
+      }
+  
+      /**
+       * Gets the dataflow node holding the listener callback.
+       */
+      DataFlow::Node getCallbackNode() {
+        result = getArgument(0)
+      }
+    }
+  }
+  
   /**
    * Gets a value that will be invoked with a `DataSnapshot` value as its first parameter.
    */
   DataFlow::SourceNode snapshotCallback(DataFlow::TypeTracker t) {
     t.start() and
-    result = any(QueryListenCall call).getCallbackNode().getALocalSource()
+    (
+      result = any(Database::QueryListenCall call).getCallbackNode().getALocalSource()
+      or
+      result = any(CloudFunctions::RefBuilderListenCall call).getCallbackNode().getALocalSource()
+    )
     or
     exists (DataFlow::TypeTracker t2 |
       result = snapshotCallback(t2).backtrack(t2, t)
@@ -151,7 +245,7 @@ module Firebase {
     (
       result = snapshotCallback().(DataFlow::FunctionNode).getParameter(0)
       or
-      result instanceof QueryListenCall // returns promise
+      result instanceof Database::QueryListenCall // returns promise
       or
       result = snapshot(_).getAMethodCall("child")
       or
@@ -161,7 +255,7 @@ module Firebase {
     promiseTaintStep(snapshot(t), result)
     or
     exists (DataFlow::TypeTracker t2 |
-      result = ref(t2).track(t2, t)
+      result = snapshot(t2).track(t2, t)
     )
   }
 
@@ -174,32 +268,16 @@ module Firebase {
   }
 
   /**
-   * Gets a node that is passed as the callback to a `Reference.transaction` call.
+   * A reference to a value obtained from a Firebase database.
    */
-  DataFlow::SourceNode transactionCallback(DataFlow::TypeTracker t) {
-    t.start() and
-    result = ref().getAMethodCall("transaction").getArgument(0).getALocalSource()
-    or
-    exists (DataFlow::TypeTracker t2 |
-      result = transactionCallback(t2).backtrack(t2, t)
-    )
-  }
-
-  /**
-   * Gets a node that is passed as the callback to a `Reference.transaction` call.
-   */
-  DataFlow::SourceNode transactionCallback() {
-    result = transactionCallback(_)
-  }
-  
   class FirebaseVal extends RemoteFlowSource {
     FirebaseVal() {
       exists (string name | this = snapshot().getAMethodCall(name) |
         name = "val" or
         name = "exportVal"
       )
       or
-      this = transactionCallback().(DataFlow::FunctionNode).getParameter(0)
+      this = Database::transactionCallback().(DataFlow::FunctionNode).getParameter(0)
     }
 
     override string getSourceType() {
