Merge pull request #915 from asger-semmle/closure-uri-methods

Approved by xiemaisi

Author: semmle-qlci

javascript/ql/src/semmle/javascript/Closure.qll

@@ -170,9 +170,11 @@ module Closure {
     isLibraryNamespacePath(result) and
     node = DataFlow::globalVarRef(result)
     or
-    isLibraryNamespacePath(result) and
-    exists(DataFlow::PropRead read | node = read |
-      result = getLibraryAccessPath(read.getBase().getALocalSource()) + "." + read.getPropertyName()
+    exists(DataFlow::SourceNode base, string basePath, string prop |
+      basePath = getLibraryAccessPath(base) and
+      isLibraryNamespacePath(basePath) and
+      node = base.getAPropertyRead(prop) and
+      result = basePath + "." + prop
     )
     or
     // Associate an access path with the immediate RHS of a store on a closure namespace.
@@ -194,16 +196,7 @@ module Closure {
   }
 
   /**
-   * Gets a dataflow node that refers to the given Closure module.
-   */
-  DataFlow::SourceNode moduleImport(string moduleName) {
-    getLibraryAccessPath(result) = moduleName
-  }
-
-  /**
-   * Gets a dataflow node that refers to the given member of a Closure module.
+   * Gets a dataflow node that refers to the given value exported from a Closure module.
    */
-  DataFlow::SourceNode moduleMember(string moduleName, string memberName) {
-    result = moduleImport(moduleName).getAPropertyRead(memberName)
-  }
+  DataFlow::SourceNode moduleImport(string moduleName) { getLibraryAccessPath(result) = moduleName }
 }

javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll

@@ -240,11 +240,38 @@ private class SuperAgentUrlRequest extends CustomClientRequest {
  * A model of a URL request made using the `XMLHttpRequest` browser class.
  */
 private class XMLHttpRequest extends CustomClientRequest {
-  XMLHttpRequest() { this = DataFlow::globalVarRef("XMLHttpRequest").getAnInstantiation() }
+  XMLHttpRequest() {
+    this = DataFlow::globalVarRef("XMLHttpRequest").getAnInstantiation()
+    or
+    // closure shim for XMLHttpRequest
+    this = Closure::moduleImport("goog.net.XmlHttp").getAnInstantiation()
+  }
 
   override DataFlow::Node getUrl() { result = getAMethodCall("open").getArgument(1) }
 
   override DataFlow::Node getHost() { none() }
 
   override DataFlow::Node getADataNode() { result = getAMethodCall("send").getArgument(0) }
 }
+
+/**
+ * A model of a URL request made using the `XhrIo` class from the closure library.
+ */
+private class ClosureXhrIoRequest extends CustomClientRequest {
+  ClosureXhrIoRequest() {
+    exists(DataFlow::SourceNode xhrIo | xhrIo = Closure::moduleImport("goog.net.XhrIo") |
+      this = xhrIo.getAMethodCall("send")
+      or
+      this = xhrIo.getAnInstantiation().getAMethodCall("send")
+    )
+  }
+
+  override DataFlow::Node getUrl() { result = getArgument(0) }
+
+  override DataFlow::Node getHost() { none() }
+
+  override DataFlow::Node getADataNode() {
+    result = getArgument(2) or
+    result = getArgument(3)
+  }
+}

javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll

@@ -309,3 +309,88 @@ module querystring {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) { pred = src and succ = this }
   }
 }
+
+/**
+ * Provides steps for the `goog.Uri` class in the closure library.
+ */
+private module ClosureLibraryUri {
+  /**
+   * Taint step from an argument of a `goog.Uri` call to the return value.
+   */
+  private class ArgumentStep extends UriLibraryStep, DataFlow::InvokeNode {
+    int arg;
+
+    ArgumentStep() {
+      // goog.Uri constructor
+      this = Closure::moduleImport("goog.Uri").getAnInstantiation() and arg = 0
+      or
+      // static methods on goog.Uri
+      exists(string name | this = Closure::moduleImport("goog.Uri." + name).getACall() |
+        name = "parse" and arg = 0
+        or
+        name = "create" and
+        (arg = 0 or arg = 2 or arg = 4)
+        or
+        name = "resolve" and
+        (arg = 0 or arg = 1)
+      )
+      or
+      // static methods in goog.uri.utils
+      arg = 0 and
+      exists(string name | this = Closure::moduleImport("goog.uri.utils." + name).getACall() |
+        name = "appendParam" or // preserve taint from the original URI, but not from the appended param
+        name = "appendParams" or
+        name = "appendParamsFromMap" or
+        name = "appendPath" or
+        name = "getParamValue" or
+        name = "getParamValues" or
+        name = "getPath" or
+        name = "getPathAndAfter" or
+        name = "getQueryData" or
+        name = "parseQueryData" or
+        name = "removeFragment" or
+        name = "removeParam" or
+        name = "setParam" or
+        name = "setParamsFromMap" or
+        name = "setPath" or
+        name = "split"
+      )
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getArgument(arg) and
+      succ = this
+    }
+  }
+
+  /**
+   * Taint steps through chainable setter calls.
+   *
+   * Setters mutate the URI object and return the same instance.
+   */
+  private class SetterCall extends DataFlow::MethodCallNode, UriLibraryStep {
+    DataFlow::NewNode uri;
+    string name;
+
+    SetterCall() {
+      exists(DataFlow::SourceNode base |
+        base = Closure::moduleImport("goog.Uri").getAnInstantiation() and
+        uri = base
+        or
+        base.(SetterCall).getUri() = uri
+      |
+        this = base.getAMethodCall(name) and
+        name.matches("set%")
+      )
+    }
+
+    DataFlow::NewNode getUri() { result = uri }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getReceiver() and succ = this
+      or
+      (name = "setDomain" or name = "setPath" or name = "setScheme") and
+      pred = getArgument(0) and succ = uri
+    }
+  }
+}

javascript/ql/test/library-tests/Closure/Uri.expected

@@ -0,0 +1 @@
+| tests/uri.js:5:5:5:11 | net.Uri |

javascript/ql/test/library-tests/Closure/Uri.ql

@@ -0,0 +1,3 @@
+import javascript
+
+select Closure::moduleImport("goog.net.Uri")

javascript/ql/test/library-tests/Closure/moduleImport.expected

@@ -1,3 +1,59 @@
+| goog | tests/es6Module.js:1:1:1:4 | goog |
+| goog | tests/es6ModuleDefault.js:1:1:1:4 | goog |
+| goog | tests/globalModule.js:1:1:1:4 | goog |
+| goog | tests/globalModuleDefault.js:1:1:1:4 | goog |
+| goog | tests/googModule.js:1:1:1:4 | goog |
+| goog | tests/googModuleDefault.js:1:1:1:4 | goog |
+| goog | tests/requireFromEs6.js:3:20:3:23 | goog |
+| goog | tests/requireFromEs6.js:4:27:4:30 | goog |
+| goog | tests/requireFromEs6.js:6:17:6:20 | goog |
+| goog | tests/requireFromEs6.js:7:24:7:27 | goog |
+| goog | tests/requireFromEs6.js:9:18:9:21 | goog |
+| goog | tests/requireFromEs6.js:10:25:10:28 | goog |
+| goog | tests/requireFromGlobalModule.js:1:1:1:4 | goog |
+| goog | tests/requireFromGlobalModule.js:2:1:2:4 | goog |
+| goog | tests/requireFromGlobalModule.js:4:1:4:4 | goog |
+| goog | tests/requireFromGlobalModule.js:5:1:5:4 | goog |
+| goog | tests/requireFromGlobalModule.js:7:1:7:4 | goog |
+| goog | tests/requireFromGlobalModule.js:8:1:8:4 | goog |
+| goog | tests/requireFromGoogModule.js:1:1:1:4 | goog |
+| goog | tests/requireFromGoogModule.js:3:20:3:23 | goog |
+| goog | tests/requireFromGoogModule.js:4:27:4:30 | goog |
+| goog | tests/requireFromGoogModule.js:6:17:6:20 | goog |
+| goog | tests/requireFromGoogModule.js:7:24:7:27 | goog |
+| goog | tests/requireFromGoogModule.js:9:18:9:21 | goog |
+| goog | tests/requireFromGoogModule.js:10:25:10:28 | goog |
+| goog | tests/uri.js:1:1:1:4 | goog |
+| goog | tests/uri.js:3:11:3:14 | goog |
+| goog.declareModuleId | tests/es6Module.js:1:1:1:20 | goog.declareModuleId |
+| goog.declareModuleId | tests/es6ModuleDefault.js:1:1:1:20 | goog.declareModuleId |
+| goog.module | tests/googModule.js:1:1:1:11 | goog.module |
+| goog.module | tests/googModuleDefault.js:1:1:1:11 | goog.module |
+| goog.module | tests/requireFromGoogModule.js:1:1:1:11 | goog.module |
+| goog.module | tests/uri.js:1:1:1:11 | goog.module |
+| goog.net | tests/uri.js:3:11:3:34 | goog.re ... g.net') |
+| goog.net.Uri | tests/uri.js:5:5:5:11 | net.Uri |
+| goog.provide | tests/globalModule.js:1:1:1:12 | goog.provide |
+| goog.provide | tests/globalModuleDefault.js:1:1:1:12 | goog.provide |
+| goog.require | tests/requireFromEs6.js:3:20:3:31 | goog.require |
+| goog.require | tests/requireFromEs6.js:4:27:4:38 | goog.require |
+| goog.require | tests/requireFromEs6.js:6:17:6:28 | goog.require |
+| goog.require | tests/requireFromEs6.js:7:24:7:35 | goog.require |
+| goog.require | tests/requireFromEs6.js:9:18:9:29 | goog.require |
+| goog.require | tests/requireFromEs6.js:10:25:10:36 | goog.require |
+| goog.require | tests/requireFromGlobalModule.js:1:1:1:12 | goog.require |
+| goog.require | tests/requireFromGlobalModule.js:2:1:2:12 | goog.require |
+| goog.require | tests/requireFromGlobalModule.js:4:1:4:12 | goog.require |
+| goog.require | tests/requireFromGlobalModule.js:5:1:5:12 | goog.require |
+| goog.require | tests/requireFromGlobalModule.js:7:1:7:12 | goog.require |
+| goog.require | tests/requireFromGlobalModule.js:8:1:8:12 | goog.require |
+| goog.require | tests/requireFromGoogModule.js:3:20:3:31 | goog.require |
+| goog.require | tests/requireFromGoogModule.js:4:27:4:38 | goog.require |
+| goog.require | tests/requireFromGoogModule.js:6:17:6:28 | goog.require |
+| goog.require | tests/requireFromGoogModule.js:7:24:7:35 | goog.require |
+| goog.require | tests/requireFromGoogModule.js:9:18:9:29 | goog.require |
+| goog.require | tests/requireFromGoogModule.js:10:25:10:36 | goog.require |
+| goog.require | tests/uri.js:3:11:3:22 | goog.require |
 | x | tests/globalModule.js:3:1:3:1 | x |
 | x | tests/globalModuleDefault.js:3:1:3:1 | x |
 | x | tests/requireFromGlobalModule.js:10:1:10:1 | x |
@@ -26,6 +82,9 @@
 | x.y.z.es6 | tests/requireFromGlobalModule.js:7:1:7:25 | goog.re ... z.es6') |
 | x.y.z.es6 | tests/requireFromGlobalModule.js:16:1:16:9 | x.y.z.es6 |
 | x.y.z.es6 | tests/requireFromGoogModule.js:6:17:6:41 | goog.re ... z.es6') |
+| x.y.z.es6.fun | tests/requireFromEs6.js:15:1:15:13 | es6Module.fun |
+| x.y.z.es6.fun | tests/requireFromGlobalModule.js:16:1:16:13 | x.y.z.es6.fun |
+| x.y.z.es6.fun | tests/requireFromGoogModule.js:15:1:15:13 | es6Module.fun |
 | x.y.z.es6default | tests/requireFromEs6.js:7:24:7:55 | goog.re ... fault') |
 | x.y.z.es6default | tests/requireFromGlobalModule.js:8:1:8:32 | goog.re ... fault') |
 | x.y.z.es6default | tests/requireFromGlobalModule.js:17:1:17:16 | x.y.z.es6default |
@@ -36,6 +95,9 @@
 | x.y.z.global | tests/requireFromGlobalModule.js:10:1:10:12 | x.y.z.global |
 | x.y.z.global | tests/requireFromGoogModule.js:3:20:3:47 | goog.re ... lobal') |
 | x.y.z.global.fun | tests/globalModule.js:4:6:4:10 | () {} |
+| x.y.z.global.fun | tests/requireFromEs6.js:12:1:12:16 | globalModule.fun |
+| x.y.z.global.fun | tests/requireFromGlobalModule.js:10:1:10:16 | x.y.z.global.fun |
+| x.y.z.global.fun | tests/requireFromGoogModule.js:12:1:12:16 | globalModule.fun |
 | x.y.z.globaldefault | tests/globalModuleDefault.js:3:23:3:39 | function fun() {} |
 | x.y.z.globaldefault | tests/requireFromEs6.js:4:27:4:61 | goog.re ... fault') |
 | x.y.z.globaldefault | tests/requireFromGlobalModule.js:2:1:2:35 | goog.re ... fault') |
@@ -45,6 +107,9 @@
 | x.y.z.goog | tests/requireFromGlobalModule.js:4:1:4:26 | goog.re ... .goog') |
 | x.y.z.goog | tests/requireFromGlobalModule.js:13:1:13:10 | x.y.z.goog |
 | x.y.z.goog | tests/requireFromGoogModule.js:9:18:9:43 | goog.re ... .goog') |
+| x.y.z.goog.fun | tests/requireFromEs6.js:18:1:18:14 | googModule.fun |
+| x.y.z.goog.fun | tests/requireFromGlobalModule.js:13:1:13:14 | x.y.z.goog.fun |
+| x.y.z.goog.fun | tests/requireFromGoogModule.js:18:1:18:14 | googModule.fun |
 | x.y.z.googdefault | tests/requireFromEs6.js:10:25:10:57 | goog.re ... fault') |
 | x.y.z.googdefault | tests/requireFromGlobalModule.js:5:1:5:33 | goog.re ... fault') |
 | x.y.z.googdefault | tests/requireFromGlobalModule.js:14:1:14:17 | x.y.z.googdefault |

javascript/ql/test/library-tests/Closure/moduleMember.expected

@@ -0,0 +1,5 @@
+goog.module('uritest');
+
+let net = goog.require('goog.net');
+
+new net.Uri();

javascript/ql/test/library-tests/Closure/moduleMember.ql

@@ -1,3 +1,27 @@
+| closureUri.js:5:11:5:20 | new Uri(x) | closureUri.js:5:19:5:19 | x | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:6:1:6:12 | Uri.parse(x) | closureUri.js:6:11:6:11 | x | closureUri.js:6:1:6:12 | Uri.parse(x) |
+| closureUri.js:7:1:7:17 | Uri.resolve(x, y) | closureUri.js:7:13:7:13 | x | closureUri.js:7:1:7:17 | Uri.resolve(x, y) |
+| closureUri.js:7:1:7:17 | Uri.resolve(x, y) | closureUri.js:7:16:7:16 | y | closureUri.js:7:1:7:17 | Uri.resolve(x, y) |
+| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:12:8:17 | scheme | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
+| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:26:8:31 | domain | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
+| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:40:8:43 | path | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
+| closureUri.js:10:1:10:16 | uri.setScheme(x) | closureUri.js:10:1:10:3 | uri | closureUri.js:10:1:10:16 | uri.setScheme(x) |
+| closureUri.js:10:1:10:16 | uri.setScheme(x) | closureUri.js:10:15:10:15 | x | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:11:1:11:18 | uri.setUserInfo(x) | closureUri.js:11:1:11:3 | uri | closureUri.js:11:1:11:18 | uri.setUserInfo(x) |
+| closureUri.js:12:1:12:16 | uri.setDomain(x) | closureUri.js:12:1:12:3 | uri | closureUri.js:12:1:12:16 | uri.setDomain(x) |
+| closureUri.js:12:1:12:16 | uri.setDomain(x) | closureUri.js:12:15:12:15 | x | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:13:1:13:14 | uri.setPort(x) | closureUri.js:13:1:13:3 | uri | closureUri.js:13:1:13:14 | uri.setPort(x) |
+| closureUri.js:14:1:14:14 | uri.setPath(x) | closureUri.js:14:1:14:3 | uri | closureUri.js:14:1:14:14 | uri.setPath(x) |
+| closureUri.js:14:1:14:14 | uri.setPath(x) | closureUri.js:14:13:14:13 | x | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:15:1:15:15 | uri.setQuery(x) | closureUri.js:15:1:15:3 | uri | closureUri.js:15:1:15:15 | uri.setQuery(x) |
+| closureUri.js:16:1:16:18 | uri.setFragment(x) | closureUri.js:16:1:16:3 | uri | closureUri.js:16:1:16:18 | uri.setFragment(x) |
+| closureUri.js:18:1:18:15 | uri.setQuery(x) | closureUri.js:18:1:18:3 | uri | closureUri.js:18:1:18:15 | uri.setQuery(x) |
+| closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:1:18:15 | uri.setQuery(x) | closureUri.js:18:1:18:26 | uri.set ... Path(y) |
+| closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:25:18:25 | y | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:18:1:18:39 | uri.set ... heme(z) | closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:1:18:39 | uri.set ... heme(z) |
+| closureUri.js:18:1:18:39 | uri.set ... heme(z) | closureUri.js:18:38:18:38 | z | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:22:1:22:25 | utils.a ... uri, z) | closureUri.js:22:19:22:21 | uri | closureUri.js:22:1:22:25 | utils.a ... uri, z) |
+| closureUri.js:23:1:23:18 | utils.getPath(uri) | closureUri.js:23:15:23:17 | uri | closureUri.js:23:1:23:18 | utils.getPath(uri) |
 | punycode.js:3:9:3:26 | punycode.decode(x) | punycode.js:3:25:3:25 | x | punycode.js:3:9:3:26 | punycode.decode(x) |
 | punycode.js:5:5:5:22 | punycode.encode(x) | punycode.js:5:21:5:21 | x | punycode.js:5:5:5:22 | punycode.encode(x) |
 | punycode.js:7:5:7:25 | punycod ... code(x) | punycode.js:7:24:7:24 | x | punycode.js:7:5:7:25 | punycod ... code(x) |