Merge pull request #5087 from erik-krogh/immutable

Approved by asgerf

Author: codeql-ci

…cript/change-notes/202020-12-22-execa.md …ascript/change-notes/2020-12-22-execa.mdjavascript/change-notes/202020-12-22-execa.md renamed to javascript/change-notes/2020-12-22-execa.md javascript/change-notes/202020-12-22-execa.md renamed to javascript/change-notes/2020-12-22-execa.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow in the Immutable.js library.
+  Affected packages are
+    [Immutable.js](https://npmjs.com/package/immutable)

javascript/change-notes/2021-02-08-immutable.md

@@ -85,6 +85,7 @@ import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.EventEmitter
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
+import semmle.javascript.frameworks.Immutable
 import semmle.javascript.frameworks.jQuery
 import semmle.javascript.frameworks.JWT
 import semmle.javascript.frameworks.Handlebars

javascript/ql/src/javascript.qll

@@ -659,9 +659,15 @@ module PseudoProperties {
    */
   pragma[inline]
   string mapValueKnownKey(DataFlow::Node key) {
-    result = pseudoProperty("mapValue", any(string s | key.mayHaveStringValue(s)))
+    result = mapValueKey(any(string s | key.mayHaveStringValue(s)))
   }
 
+  /**
+   * Gets a pseudo-property for the location of a map value where the key is `key`.
+   */
+  bindingset[key]
+  string mapValueKey(string key) { result = pseudoProperty("mapValue", key) }
+
   /**
    * Gets a pseudo-property for the location of a map value where the key is `key`.
    */

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -0,0 +1,185 @@
+/**
+ * Provides classes and predicates for reasoning about [immutable](https://www.npmjs.com/package/immutable).
+ */
+
+import javascript
+
+/**
+ * Provides classes implementing data-flow for Immutable.
+ *
+ * The implemention rely on the flowsteps implemented in `Collections.qll`.
+ */
+private module Immutable {
+  /**
+   * An API entrypoint for the global `Immutable` variable.
+   */
+  private class ImmutableGlobalEntry extends API::EntryPoint {
+    ImmutableGlobalEntry() { this = "ImmutableGlobalEntry" }
+
+    override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef("Immutable") }
+
+    override DataFlow::Node getARhs() { none() }
+  }
+
+  /**
+   * An import of the `Immutable` library.
+   */
+  API::Node immutableImport() {
+    result = API::moduleImport("immutable")
+    or
+    result = API::root().getASuccessor(any(ImmutableGlobalEntry i))
+  }
+
+  /**
+   * An instance of any immutable collection.
+   *
+   * This predicate keeps track of which values in the program are Immutable collections.
+   */
+  API::Node immutableCollection() {
+    // keep this predicate in sync with the constructors defined in `storeStep`/`step`.
+    result =
+      immutableImport()
+          .getMember(["Map", "OrderedMap", "List", "Stack", "Set", "OrderedSet", "fromJS", "merge"])
+          .getReturn()
+    or
+    result = immutableImport().getMember("Record").getReturn().getReturn()
+    or
+    result =
+      immutableImport()
+          .getMember(["List", "Set", "OrderedSet", "Stack"])
+          .getMember("of")
+          .getReturn()
+    or
+    result = immutableCollection().getMember(["set", "map", "filter", "push", "merge"]).getReturn()
+  }
+
+  /**
+   * Gets the immutable collection where `pred` has been stored using the name `prop`.
+   */
+  DataFlow::SourceNode storeStep(DataFlow::Node pred, string prop) {
+    // Immutable.Map() and Immutable.fromJS().
+    exists(DataFlow::CallNode call |
+      call = immutableImport().getMember(["Map", "OrderedMap", "fromJS"]).getACall()
+    |
+      pred = call.getOptionArgument(0, prop) and
+      result = call
+    )
+    or
+    // Immutable.List()
+    exists(DataFlow::CallNode call, DataFlow::ArrayCreationNode arr |
+      call = immutableImport().getMember(["List", "Stack", "Set", "OrderedSet"]).getACall()
+    |
+      arr = call.getArgument(0).getALocalSource() and
+      exists(int i |
+        prop = DataFlow::PseudoProperties::arrayElement(i) and
+        pred = arr.getElement(i) and
+        result = call
+      )
+    )
+    or
+    // collection.set(key, value)
+    exists(DataFlow::CallNode call | call = immutableCollection().getMember("set").getACall() |
+      call.getArgument(0).mayHaveStringValue(prop) and
+      pred = call.getArgument(1) and
+      result = call
+    )
+    or
+    // list.push(x)
+    exists(DataFlow::CallNode call | call = immutableCollection().getMember("push").getACall() |
+      pred = call.getArgument(0) and
+      result = call and
+      prop = DataFlow::PseudoProperties::arrayElement()
+    )
+    or
+    // Immutable.Record({defaults})({values}).
+    exists(API::CallNode factoryCall, API::CallNode recordCall |
+      factoryCall = immutableImport().getMember("Record").getACall() and
+      recordCall = factoryCall.getReturn().getACall()
+    |
+      pred = [factoryCall, recordCall].getOptionArgument(0, prop) and
+      result = recordCall
+    )
+    or
+    // List/Set/Stack.of(values)
+    exists(API::CallNode call |
+      call =
+        immutableImport()
+            .getMember(["List", "Set", "OrderedSet", "Stack"])
+            .getMember("of")
+            .getACall()
+    |
+      pred = call.getAnArgument() and
+      result = call and
+      prop = DataFlow::PseudoProperties::arrayElement()
+    )
+  }
+
+  /**
+   * Gets the value that was stored in the immutable collection `pred` under the name `prop`.
+   */
+  DataFlow::Node loadStep(DataFlow::Node pred, string prop) {
+    // map.get()
+    exists(DataFlow::MethodCallNode call |
+      call = immutableCollection().getMember("get").getACall()
+    |
+      call.getArgument(0).mayHaveStringValue(prop) and
+      pred = call.getReceiver() and
+      result = call
+    )
+  }
+
+  /**
+   * Gets an immutable collection that contains all the elements from `pred`.
+   */
+  DataFlow::SourceNode step(DataFlow::Node pred) {
+    // map.set() / list.push() copies all existing values
+    exists(DataFlow::CallNode call |
+      call = immutableCollection().getMember(["set", "push"]).getACall()
+    |
+      pred = call.getReceiver() and
+      result = call
+    )
+    or
+    // toJS()/toList() on any immutable collection converts it to a plain JavaScript object/array (and vice versa for `fromJS`).
+    exists(DataFlow::CallNode call |
+      call = immutableCollection().getMember(["toJS", "toList"]).getACall()
+    |
+      pred = call.getReceiver() and
+      result = call
+    )
+    or
+    // Immutable.merge(x, y)
+    exists(DataFlow::CallNode call | call = immutableImport().getMember("merge").getACall() |
+      pred = call.getAnArgument() and
+      result = call
+    )
+    or
+    // collection.merge(other)
+    exists(DataFlow::CallNode call | call = immutableCollection().getMember("merge").getACall() |
+      pred = [call.getAnArgument(), call.getReceiver()] and
+      result = call
+    )
+  }
+
+  /**
+   * A dataflow step for an immutable collection.
+   */
+  class ImmutableConstructionStep extends DataFlow::AdditionalFlowStep {
+    ImmutableConstructionStep() { this = [loadStep(_, _), storeStep(_, _), step(_)] }
+
+    override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      this = loadStep(pred, prop) and
+      succ = this
+    }
+
+    override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
+      this = storeStep(pred, prop) and
+      succ = this
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      this = step(pred) and
+      succ = this
+    }
+  }
+}

javascript/ql/src/semmle/javascript/frameworks/Immutable.qll

@@ -0,0 +1,58 @@
+var obj = { a: source("a"), b: source("b1") };
+sink(obj["a"]); // NOT OK
+
+const { Map, fromJS, List, OrderedMap, Record, merge, Stack, Set, OrderedSet } = require('immutable');
+
+const map1 = Map(obj);
+
+sink(map1.get("b")); // NOT OK
+
+const map2 = map1.set('c', "safe");
+sink(map1.get("a")); // NOT OK
+sink(map2.get("a")); // NOT OK
+sink(map2.get("b")); // OK - but still flagged [INCONSISTENCY]
+
+const map3 = map2.set("d", source("d"));
+sink(map1.get("d")); // OK
+sink(map3.get("d")); // NOT OK
+
+
+sink(map3.toJS()["a"]); // NOT OK
+
+sink(fromJS({"e": source("e")}).get("e")); // NOT OK
+
+const l1 = List([source(), "foobar"]);
+l1.forEach(x => sink(x)); // NOT OK
+
+l1.map(x => "safe").forEach(x => sink(x)); // OK
+
+List(["safe"]).map(x => source()).forEach(x => sink(x)); // NOT OK
+
+List([source()]).map(x => x).filter(x => true).toList().forEach(x => sink(x)); // NOT OK
+
+List(["safe"]).push(source()).forEach(x => sink(x)); // NOT OK
+
+
+const map4 = OrderedMap({}).set("f", source());
+sink(map4.get("f")); // NOT OK
+
+const map5 = Record({a: source(), b: null, c: null})({b: source()});
+sink(map5.get("a")); // NOT OK
+sink(map5.get("b")); // NOT OK
+sink(map5.get("c")); // OK
+
+const map6 = merge(Map({}), Record({a: source()})());
+sink(map6.get("a")); // NOT OK
+
+const map7 = map6.merge(Map({b: source()}));
+sink(map7.get("b")); // NOT OK
+
+Stack.of(source(), "foobar").forEach(x => sink(x)); // NOT OK
+
+List.of(source()).filter(x => true).toList().forEach(x => sink(x)); // NOT OK
+
+Set.of(source()).filter(x => true).toList().forEach(x => sink(x)); // NOT OK
+
+Set([source()]).filter(x => true).toList().forEach(x => sink(x)); // NOT OK
+
+OrderedSet([source()]).filter(x => true).toList().forEach(x => sink(x)); // NOT OK

javascript/ql/test/library-tests/frameworks/Immutable/immutable.js

@@ -0,0 +1,22 @@
+| immutable.js:1:16:1:26 | source("a") | immutable.js:2:6:2:13 | obj["a"] |
+| immutable.js:1:16:1:26 | source("a") | immutable.js:11:6:11:18 | map1.get("a") |
+| immutable.js:1:16:1:26 | source("a") | immutable.js:12:6:12:18 | map2.get("a") |
+| immutable.js:1:16:1:26 | source("a") | immutable.js:20:6:20:21 | map3.toJS()["a"] |
+| immutable.js:1:32:1:43 | source("b1") | immutable.js:8:6:8:18 | map1.get("b") |
+| immutable.js:1:32:1:43 | source("b1") | immutable.js:13:6:13:18 | map2.get("b") |
+| immutable.js:15:28:15:38 | source("d") | immutable.js:17:6:17:18 | map3.get("d") |
+| immutable.js:22:19:22:29 | source("e") | immutable.js:22:6:22:40 | fromJS( ... et("e") |
+| immutable.js:24:18:24:25 | source() | immutable.js:25:22:25:22 | x |
+| immutable.js:29:25:29:32 | source() | immutable.js:29:53:29:53 | x |
+| immutable.js:31:7:31:14 | source() | immutable.js:31:75:31:75 | x |
+| immutable.js:33:21:33:28 | source() | immutable.js:33:49:33:49 | x |
+| immutable.js:36:38:36:45 | source() | immutable.js:37:6:37:18 | map4.get("f") |
+| immutable.js:39:25:39:32 | source() | immutable.js:40:6:40:18 | map5.get("a") |
+| immutable.js:39:58:39:65 | source() | immutable.js:41:6:41:18 | map5.get("b") |
+| immutable.js:44:40:44:47 | source() | immutable.js:45:6:45:18 | map6.get("a") |
+| immutable.js:47:33:47:40 | source() | immutable.js:48:6:48:18 | map7.get("b") |
+| immutable.js:50:10:50:17 | source() | immutable.js:50:48:50:48 | x |
+| immutable.js:52:9:52:16 | source() | immutable.js:52:64:52:64 | x |
+| immutable.js:54:8:54:15 | source() | immutable.js:54:63:54:63 | x |
+| immutable.js:56:6:56:13 | source() | immutable.js:56:62:56:62 | x |
+| immutable.js:58:13:58:20 | source() | immutable.js:58:69:58:69 | x |

javascript/ql/test/library-tests/frameworks/Immutable/tests.expected

@@ -0,0 +1,18 @@
+import javascript
+private import semmle.javascript.dataflow.internal.StepSummary
+
+class Config extends DataFlow::Configuration {
+  Config() { this = "Config" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.(DataFlow::CallNode).getCalleeName() = "source"
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(DataFlow::CallNode call | call.getCalleeName() = "sink" | call.getAnArgument() = sink)
+  }
+}
+
+query predicate dataFlow(DataFlow::Node pred, DataFlow::Node succ) {
+  any(Config c).hasFlow(pred, succ)
+}