JS: Port InterProceduralFlow test

asgerf · asgerf · commit 39ebb1fe56ff · 2023-10-09T13:58:30.000+02:00
All the new results are benign
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/DataFlowConfig.qll b/javascript/ql/test/library-tests/InterProceduralFlow/DataFlowConfig.qll
@@ -1,23 +1,21 @@
 import javascript
 
-class TestDataFlowConfiguration extends DataFlow::Configuration {
-  TestDataFlowConfiguration() { this = "TestDataFlowConfiguration" }
-
-  override predicate isSource(DataFlow::Node src) {
+module TestConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) {
     exists(VariableDeclarator vd |
       vd.getBindingPattern().(VarDecl).getName().matches("%source%") and
       src.asExpr() = vd.getInit()
     )
   }
 
-  override predicate isSink(DataFlow::Node snk) {
+  predicate isSink(DataFlow::Node snk) {
     exists(VariableDeclarator vd |
       vd.getBindingPattern().(VarDecl).getName().matches("%sink%") and
       snk.asExpr() = vd.getInit()
     )
   }
 
-  override predicate isBarrier(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     exists(Function f |
       f.getName().matches("%noReturnTracking%") and
       node = f.getAReturnedExpr().flow()
@@ -26,3 +24,5 @@ class TestDataFlowConfiguration extends DataFlow::Configuration {
     node.asExpr().(PropAccess).getPropertyName() = "notTracked"
   }
 }
+
+module TestFlow = DataFlow::Global<TestConfig>;
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/async.js b/javascript/ql/test/library-tests/InterProceduralFlow/async.js
@@ -11,7 +11,7 @@
     return source;
   }
   let sink3 = sync(); // NOT OK
-  let sink4 = await sync(); // OK
+  let sink4 = await sync(); // NOT OK
 
   async function throwsAsync() {
     throw source;
@@ -64,7 +64,7 @@
       return x.x;
     }
 
-    var sink8 = unpack(pack(source)); // OK 
+    var sink8 = unpack(pack(source)); // OK
     let sink9 = unpack(await (pack(source))); // NOT OK - but not found
   }
 })();
@@ -75,19 +75,19 @@ async function props() {
       p: x
     };
   }
-  
+
   let source = "source";
   let sink = (await (foo(source))).p; // NOT OK - this requires the immidiatly awaited storeStep.
   let sink2 = foo("not a source").p;
-  
+
   async function getP(base) {
     return base.p;
   }
-  
+
   async function getQ(base) {
     return base.q;
   }
-  
+
   let o3 = { p: source };
   let sink6 = await (getP(o3)); // NOT OK - this requires the immidiatly awaited loadStep
   let sink7 = await (getQ(o3));
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/properties2.js b/javascript/ql/test/library-tests/InterProceduralFlow/properties2.js
@@ -14,7 +14,7 @@ function setP(base, rhs) {
 
 var o = {};
 setP(o, source);
-var sink3 = o.p;  // flow from `source` not yet detected
+var sink3 = o.p;
 var sink4 = o.q;
 
 var o2 = {};
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/tests.expected b/javascript/ql/test/library-tests/InterProceduralFlow/tests.expected
@@ -4,6 +4,7 @@ dataFlow
 | a.js:2:15:2:28 | "also tainted" | b.js:5:13:5:29 | notTaintedTrustMe |
 | async.js:2:16:2:23 | "source" | async.js:8:15:8:27 | await async() |
 | async.js:2:16:2:23 | "source" | async.js:13:15:13:20 | sync() |
+| async.js:2:16:2:23 | "source" | async.js:14:15:14:26 | await sync() |
 | async.js:2:16:2:23 | "source" | async.js:27:17:27:17 | e |
 | async.js:2:16:2:23 | "source" | async.js:36:17:36:17 | e |
 | async.js:2:16:2:23 | "source" | async.js:41:17:41:17 | e |
@@ -24,6 +25,7 @@ dataFlow
 | esLib.js:3:21:3:29 | "tainted" | nodeJsClient.js:5:13:5:21 | es.source |
 | global.js:1:15:1:24 | "tainted1" | global.js:9:13:9:22 | g(source1) |
 | global.js:1:15:1:24 | "tainted1" | global.js:17:13:17:27 | window.location |
+| global.js:1:15:1:24 | "tainted1" | global.js:18:13:18:24 | win.location |
 | global.js:2:15:2:24 | "tainted2" | global.js:10:13:10:22 | g(source2) |
 | global.js:5:22:5:35 | "also tainted" | global.js:9:13:9:22 | g(source1) |
 | global.js:5:22:5:35 | "also tainted" | global.js:10:13:10:22 | g(source2) |
@@ -55,7 +57,9 @@ dataFlow
 | promises.js:12:22:12:31 | "rejected" | promises.js:24:20:24:20 | v |
 | promises.js:32:24:32:37 | "also tainted" | promises.js:38:32:38:32 | v |
 | properties2.js:7:14:7:21 | "source" | properties2.js:8:12:8:24 | foo(source).p |
+| properties2.js:7:14:7:21 | "source" | properties2.js:17:13:17:15 | o.p |
 | properties2.js:7:14:7:21 | "source" | properties2.js:33:13:33:20 | getP(o3) |
+| properties2.js:7:14:7:21 | "source" | properties2.js:38:13:38:20 | getP(o4) |
 | properties.js:2:16:2:24 | "tainted" | properties.js:5:14:5:23 | a.someProp |
 | properties.js:2:16:2:24 | "tainted" | properties.js:12:15:12:24 | x.someProp |
 | properties.js:2:16:2:24 | "tainted" | properties.js:14:15:14:27 | tmp1.someProp |
@@ -106,6 +110,7 @@ taintTracking
 | esLib.js:3:21:3:29 | "tainted" | nodeJsClient.js:5:13:5:21 | es.source |
 | global.js:1:15:1:24 | "tainted1" | global.js:9:13:9:22 | g(source1) |
 | global.js:1:15:1:24 | "tainted1" | global.js:17:13:17:27 | window.location |
+| global.js:1:15:1:24 | "tainted1" | global.js:18:13:18:24 | win.location |
 | global.js:2:15:2:24 | "tainted2" | global.js:10:13:10:22 | g(source2) |
 | global.js:5:22:5:35 | "also tainted" | global.js:9:13:9:22 | g(source1) |
 | global.js:5:22:5:35 | "also tainted" | global.js:10:13:10:22 | g(source2) |
@@ -140,7 +145,9 @@ taintTracking
 | promises.js:12:22:12:31 | "rejected" | promises.js:24:20:24:20 | v |
 | promises.js:32:24:32:37 | "also tainted" | promises.js:38:32:38:32 | v |
 | properties2.js:7:14:7:21 | "source" | properties2.js:8:12:8:24 | foo(source).p |
+| properties2.js:7:14:7:21 | "source" | properties2.js:17:13:17:15 | o.p |
 | properties2.js:7:14:7:21 | "source" | properties2.js:33:13:33:20 | getP(o3) |
+| properties2.js:7:14:7:21 | "source" | properties2.js:38:13:38:20 | getP(o4) |
 | properties.js:2:16:2:24 | "tainted" | properties.js:5:14:5:23 | a.someProp |
 | properties.js:2:16:2:24 | "tainted" | properties.js:12:15:12:24 | x.someProp |
 | properties.js:2:16:2:24 | "tainted" | properties.js:14:15:14:27 | tmp1.someProp |
@@ -191,6 +198,7 @@ germanFlow
 | a.js:2:15:2:28 | "also tainted" | b.js:5:13:5:29 | notTaintedTrustMe |
 | async.js:2:16:2:23 | "source" | async.js:8:15:8:27 | await async() |
 | async.js:2:16:2:23 | "source" | async.js:13:15:13:20 | sync() |
+| async.js:2:16:2:23 | "source" | async.js:14:15:14:26 | await sync() |
 | async.js:2:16:2:23 | "source" | async.js:27:17:27:17 | e |
 | async.js:2:16:2:23 | "source" | async.js:36:17:36:17 | e |
 | async.js:2:16:2:23 | "source" | async.js:41:17:41:17 | e |
@@ -212,6 +220,7 @@ germanFlow
 | esLib.js:3:21:3:29 | "tainted" | nodeJsClient.js:5:13:5:21 | es.source |
 | global.js:1:15:1:24 | "tainted1" | global.js:9:13:9:22 | g(source1) |
 | global.js:1:15:1:24 | "tainted1" | global.js:17:13:17:27 | window.location |
+| global.js:1:15:1:24 | "tainted1" | global.js:18:13:18:24 | win.location |
 | global.js:2:15:2:24 | "tainted2" | global.js:10:13:10:22 | g(source2) |
 | global.js:5:22:5:35 | "also tainted" | global.js:9:13:9:22 | g(source1) |
 | global.js:5:22:5:35 | "also tainted" | global.js:10:13:10:22 | g(source2) |
@@ -243,7 +252,9 @@ germanFlow
 | promises.js:12:22:12:31 | "rejected" | promises.js:24:20:24:20 | v |
 | promises.js:32:24:32:37 | "also tainted" | promises.js:38:32:38:32 | v |
 | properties2.js:7:14:7:21 | "source" | properties2.js:8:12:8:24 | foo(source).p |
+| properties2.js:7:14:7:21 | "source" | properties2.js:17:13:17:15 | o.p |
 | properties2.js:7:14:7:21 | "source" | properties2.js:33:13:33:20 | getP(o3) |
+| properties2.js:7:14:7:21 | "source" | properties2.js:38:13:38:20 | getP(o4) |
 | properties.js:2:16:2:24 | "tainted" | properties.js:5:14:5:23 | a.someProp |
 | properties.js:2:16:2:24 | "tainted" | properties.js:12:15:12:24 | x.someProp |
 | properties.js:2:16:2:24 | "tainted" | properties.js:14:15:14:27 | tmp1.someProp |
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/tests.ql b/javascript/ql/test/library-tests/InterProceduralFlow/tests.ql
@@ -1,30 +1,29 @@
+import javascript
 import DataFlowConfig
 
-query predicate dataFlow(DataFlow::Node src, DataFlow::Node snk) {
-  exists(TestDataFlowConfiguration tttc | tttc.hasFlow(src, snk))
-}
+query predicate dataFlow(DataFlow::Node src, DataFlow::Node snk) { TestFlow::flow(src, snk) }
 
 class Parity extends DataFlow::FlowLabel {
   Parity() { this = "even" or this = "odd" }
 
   Parity flip() { result != this }
 }
 
-class FLowLabelConfig extends DataFlow::Configuration {
-  FLowLabelConfig() { this = "FLowLabelConfig" }
+module FlowLabelConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowLabel;
 
-  override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
+  predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
     nd.(DataFlow::CallNode).getCalleeName() = "source" and
     lbl = "even"
   }
 
-  override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
+  predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
     nd = any(DataFlow::CallNode c | c.getCalleeName() = "sink").getAnArgument() and
     lbl = "even"
   }
 
-  override predicate isAdditionalFlowStep(
-    DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel predLabel,
+  predicate isAdditionalFlowStep(
+    DataFlow::Node pred, DataFlow::FlowLabel predLabel, DataFlow::Node succ,
     DataFlow::FlowLabel succLabel
   ) {
     exists(DataFlow::CallNode c | c = succ |
@@ -35,28 +34,28 @@ class FLowLabelConfig extends DataFlow::Configuration {
   }
 }
 
-query predicate flowLabels(DataFlow::PathNode source, DataFlow::PathNode sink) {
-  exists(FLowLabelConfig cfg | cfg.hasFlowPath(source, sink))
-}
+module FlowLabelFlow = DataFlow::GlobalWithState<FlowLabelConfig>;
 
-class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
-  TestTaintTrackingConfiguration() { this = "TestTaintTrackingConfiguration" }
+query predicate flowLabels(FlowLabelFlow::PathNode source, FlowLabelFlow::PathNode sink) {
+  FlowLabelFlow::flowPath(source, sink)
+}
 
-  override predicate isSource(DataFlow::Node src) {
+module TaintConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) {
     exists(VariableDeclarator vd |
       vd.getBindingPattern().(VarDecl).getName().matches("%source%") and
       src.asExpr() = vd.getInit()
     )
   }
 
-  override predicate isSink(DataFlow::Node snk) {
+  predicate isSink(DataFlow::Node snk) {
     exists(VariableDeclarator vd |
       vd.getBindingPattern().(VarDecl).getName().matches("%sink%") and
       snk.asExpr() = vd.getInit()
     )
   }
 
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     exists(Function f |
       f.getName().matches("%noReturnTracking%") and
       node = f.getAReturnedExpr().flow()
@@ -66,14 +65,12 @@ class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
   }
 }
 
-query predicate taintTracking(DataFlow::Node src, DataFlow::Node snk) {
-  exists(TestTaintTrackingConfiguration tttc | tttc.hasFlow(src, snk))
-}
+module TaintFlow = TaintTracking::Global<TaintConfig>;
 
-class GermanFlowConfig extends DataFlow::Configuration {
-  GermanFlowConfig() { this = "GermanFlowConfig" }
+query predicate taintTracking(DataFlow::Node src, DataFlow::Node snk) { TaintFlow::flow(src, snk) }
 
-  override predicate isSource(DataFlow::Node src) {
+module GermanConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) {
     exists(VariableDeclarator vd |
       vd.getBindingPattern().(VarDecl).getName().matches("%source%") and
       src.asExpr() = vd.getInit()
@@ -82,7 +79,7 @@ class GermanFlowConfig extends DataFlow::Configuration {
     src.asExpr() = any(Variable v | v.getName() = "quelle").getAnAssignedExpr()
   }
 
-  override predicate isSink(DataFlow::Node snk) {
+  predicate isSink(DataFlow::Node snk) {
     exists(VariableDeclarator vd |
       vd.getBindingPattern().(VarDecl).getName().matches("%sink%") and
       snk.asExpr() = vd.getInit()
@@ -91,7 +88,7 @@ class GermanFlowConfig extends DataFlow::Configuration {
     snk.asExpr() = any(Variable v | v.getName() = "abfluss").getAnAssignedExpr()
   }
 
-  override predicate isBarrier(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     exists(Function f |
       f.getName().matches("%noReturnTracking%") and
       node = f.getAReturnedExpr().flow()
@@ -101,6 +98,6 @@ class GermanFlowConfig extends DataFlow::Configuration {
   }
 }
 
-query predicate germanFlow(DataFlow::Node src, DataFlow::Node snk) {
-  exists(GermanFlowConfig tttc | tttc.hasFlow(src, snk))
-}
+module GermanFlow = DataFlow::Global<GermanConfig>;
+
+query predicate germanFlow(DataFlow::Node src, DataFlow::Node snk) { GermanFlow::flow(src, snk) }

Original file line number	Diff line number	Diff line change
`@@ -1,23 +1,21 @@`
`1`	`1`	`import javascript`
`2`	`2`
`3`		`-class TestDataFlowConfiguration extends DataFlow::Configuration {`
`4`		`- TestDataFlowConfiguration() { this = "TestDataFlowConfiguration" }`
`5`		`-`
`6`		`- override predicate isSource(DataFlow::Node src) {`
	`3`	`+module TestConfig implements DataFlow::ConfigSig {`
	`4`	`+ predicate isSource(DataFlow::Node src) {`
`7`	`5`	`exists(VariableDeclarator vd \|`
`8`	`6`	`vd.getBindingPattern().(VarDecl).getName().matches("%source%") and`
`9`	`7`	`src.asExpr() = vd.getInit()`
`10`	`8`	`)`
`11`	`9`	`}`
`12`	`10`
`13`		`- override predicate isSink(DataFlow::Node snk) {`
	`11`	`+ predicate isSink(DataFlow::Node snk) {`
`14`	`12`	`exists(VariableDeclarator vd \|`
`15`	`13`	`vd.getBindingPattern().(VarDecl).getName().matches("%sink%") and`
`16`	`14`	`snk.asExpr() = vd.getInit()`
`17`	`15`	`)`
`18`	`16`	`}`
`19`	`17`
`20`		`- override predicate isBarrier(DataFlow::Node node) {`
	`18`	`+ predicate isBarrier(DataFlow::Node node) {`
`21`	`19`	`exists(Function f \|`
`22`	`20`	`f.getName().matches("%noReturnTracking%") and`
`23`	`21`	`node = f.getAReturnedExpr().flow()`
`@@ -26,3 +24,5 @@ class TestDataFlowConfiguration extends DataFlow::Configuration {`
`26`	`24`	`node.asExpr().(PropAccess).getPropertyName() = "notTracked"`
`27`	`25`	`}`
`28`	`26`	`}`
	`27`	`+`
	`28`	`+module TestFlow = DataFlow::Global<TestConfig>;`