JavaScript: Add support for global variables to portals.

Max Schaefer · Max Schaefer · commit 1c47260bdef1 · 2020-07-09T09:12:56.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Portals.qll b/javascript/ql/src/semmle/javascript/dataflow/Portals.qll
@@ -15,6 +15,7 @@
 import javascript
 
 private newtype TPortal =
+  MkGlobalObjectPortal() or
   MkNpmPackagePortal(string pkgName) {
     NpmPackagePortal::imports(_, pkgName) or
     NpmPackagePortal::imports(_, pkgName, _) or
@@ -129,6 +130,22 @@ class Portal extends TPortal {
   abstract int depth();
 }
 
+/**
+ * A portal representing the global object.
+ */
+private class GlobalObjectPortal extends Portal, MkGlobalObjectPortal {
+  override DataFlow::SourceNode getAnExitNode(boolean isRemote) {
+    result = DataFlow::globalObjectRef() and
+    isRemote = true
+  }
+
+  override DataFlow::Node getAnEntryNode(boolean escapes) { none() }
+
+  override string toString() { result = "(global)" }
+
+  override int depth() { result = 1 }
+}
+
 /**
  * A portal representing the exports value of the main module of an npm
  * package (that is, a value of `module.exports` for CommonJS modules, or
@@ -289,6 +306,11 @@ private module MemberPortal {
       base = MkNpmPackagePortal(pkg) and
       isRemote = false
     )
+    or
+    // global variable reads are a kind of property read
+    base instanceof GlobalObjectPortal and
+    read = DataFlow::globalVarRef(prop) and
+    isRemote = true
   }
 
   /** Holds if the main module of `pkgName` exports `rhs` under the name `prop`. */
@@ -314,6 +336,14 @@ private module MemberPortal {
       base = MkNpmPackagePortal(pkgName) and
       escapes = true
     )
+    or
+    // global variable writes are a kind of property write
+    base instanceof GlobalObjectPortal and
+    exists(AssignExpr assgn |
+      assgn.getLhs() = DataFlow::globalVarRef(prop).asExpr() and
+      rhs = assgn.getRhs().flow()
+    ) and
+    escapes = true
   }
 }
 
