JS: Add test for captured flow into callback

asgerf · asgerf · commit 0496642b0b2a · 2020-12-07T10:34:27.000Z
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1291,7 +1291,9 @@ private predicate summarizedHigherOrderCall(
     DataFlow::Node innerArg, DataFlow::SourceNode cbParm, PathSummary oldSummary
   |
     reachableFromInput(f, outer, arg, innerArg, cfg, oldSummary) and
-    not arg = DataFlow::capturedVariableNode(_) and // Only track actual parameter flow
+    // Only track actual parameter flow.
+    // Captured flow does not need to be summarized - it is handled by the local case in `higherOrderCall`.
+    not arg = DataFlow::capturedVariableNode(_) and
     argumentPassing(outer, cb, f, cbParm) and
     innerArg = inner.getArgument(j)
   |
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -31,6 +31,7 @@ typeInferenceMismatch
 | callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
 | callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
+| callbacks.js:53:23:53:30 | source() | callbacks.js:58:10:58:10 | x |
 | capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | closure.js:6:15:6:22 | source() | closure.js:8:8:8:31 | string. ... (taint) |
diff --git a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
@@ -22,6 +22,7 @@
 | callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
 | callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
+| callbacks.js:53:23:53:30 | source() | callbacks.js:58:10:58:10 | x |
 | capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
diff --git a/javascript/ql/test/library-tests/TaintTracking/callbacks.js b/javascript/ql/test/library-tests/TaintTracking/callbacks.js
@@ -49,4 +49,12 @@ function test() {
 
   middleCallback(source());
   middleCallback(source());
+
+  let capturedTaint = source();
+  function helper2(cb) {
+    cb(capturedTaint);
+  }
+  helper2(x => {
+    sink(x); // NOT OK
+  });
 }

Original file line number	Diff line number	Diff line change
`@@ -1291,7 +1291,9 @@ private predicate summarizedHigherOrderCall(`
`1291`	`1291`	`DataFlow::Node innerArg, DataFlow::SourceNode cbParm, PathSummary oldSummary`
`1292`	`1292`	`\|`
`1293`	`1293`	`reachableFromInput(f, outer, arg, innerArg, cfg, oldSummary) and`
`1294`		`- not arg = DataFlow::capturedVariableNode(_) and // Only track actual parameter flow`
	`1294`	`+ // Only track actual parameter flow.`
	`1295`	+ // Captured flow does not need to be summarized - it is handled by the local case in `higherOrderCall`.
	`1296`	`+ not arg = DataFlow::capturedVariableNode(_) and`
`1295`	`1297`	`argumentPassing(outer, cb, f, cbParm) and`
`1296`	`1298`	`innerArg = inner.getArgument(j)`
`1297`	`1299`	`\|`