JS: Test and QLDoc for RxJS model

asgerf · asgerf · commit 1d1149f4cd3d · 2021-01-21T12:08:22.000Z
diff --git a/javascript/ql/src/semmle/javascript/frameworks/RxJS.qll b/javascript/ql/src/semmle/javascript/frameworks/RxJS.qll
@@ -17,15 +17,21 @@ private class RxJsSubscribeStep extends TaintTracking::AdditionalTaintStep, Data
 }
 
 /**
- * Holds if a tainted value sent into the given `pipe` should propagate to `arg`.
+ * Gets a data flow node that can take the value of any input sent to `pipe`.
+ *
+ * For example, in `map(x => ...)`, `x` refers to any value sent to the pipe
+ * created by the `map` call.
  */
 private DataFlow::Node pipeInput(DataFlow::CallNode pipe) {
   pipe = DataFlow::moduleMember("rxjs/operators", ["map", "filter"]).getACall() and
   result = pipe.getCallback(0).getParameter(0)
 }
 
 /**
- * Holds if a tainted value in `output` should propagate to the output of the given pipe.
+ * Gets a data flow node whose value becomes the output of the given `pipe`.
+ *
+ * For example, in `map(x => x + 1)`, the `x + 1` node becomes the output of
+ * the pipe.
  */
 private DataFlow::Node pipeOutput(DataFlow::CallNode pipe) {
   pipe = DataFlow::moduleMember("rxjs/operators", "map").getACall() and
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -97,6 +97,7 @@ typeInferenceMismatch
 | promise.js:5:25:5:32 | source() | promise.js:5:8:5:33 | bluebir ... urce()) |
 | promise.js:10:24:10:31 | source() | promise.js:10:8:10:32 | Promise ... urce()) |
 | promise.js:12:20:12:27 | source() | promise.js:13:8:13:23 | resolver.promise |
+| rxjs.js:3:1:3:8 | source() | rxjs.js:10:14:10:17 | data |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:14:10:14:14 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:33:14:33:18 | taint |
 | sanitizer-guards.js:2:11:2:18 | source() | sanitizer-guards.js:4:8:4:8 | x |
diff --git a/javascript/ql/test/library-tests/TaintTracking/rxjs.js b/javascript/ql/test/library-tests/TaintTracking/rxjs.js
@@ -0,0 +1,11 @@
+import { map, catchError } from 'rxjs/operators';
+
+source()
+    .pipe(
+        map(x => x + 'foo'),
+        map(x => x + 'bar'),
+        catchError(err => {})
+    )
+    .subscribe(data => {
+        sink(data)
+    });
