Merge pull request #4494 from erik-krogh/callLimit

Approved by asgerf

Author: codeql-ci

change-notes/1.26/analysis-javascript.md

@@ -8,7 +8,9 @@
   - [@angular/*](https://www.npmjs.com/package/@angular/core)
   - [AWS Serverless](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
   - [Alibaba Serverless](https://www.alibabacloud.com/help/doc-detail/156876.htm)
+  - [debounce](https://www.npmjs.com/package/debounce)
   - [bluebird](https://www.npmjs.com/package/bluebird)
+  - [call-limit](https://www.npmjs.com/package/call-limit)
   - [express](https://www.npmjs.com/package/express)
   - [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)
   - [fast-safe-stringify](https://www.npmjs.com/package/fast-safe-stringify)
@@ -18,11 +20,15 @@
   - [json-stable-stringify](https://www.npmjs.com/package/json-stable-stringify)
   - [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
   - [json3](https://www.npmjs.com/package/json3)
+  - [jQuery throttle / debounce](https://github.com/cowboy/jquery-throttle-debounce)
   - [lodash](https://www.npmjs.com/package/lodash)
+  - [lodash.debounce](https://www.npmjs.com/package/lodash.debounce)
+  - [lodash.throttle](https://www.npmjs.com/package/lodash.throttle)
   - [needle](https://www.npmjs.com/package/needle)
   - [object-inspect](https://www.npmjs.com/package/object-inspect)
   - [pretty-format](https://www.npmjs.com/package/pretty-format)
   - [stringify-object](https://www.npmjs.com/package/stringify-object)
+  - [throttle-debounce](https://www.npmjs.com/package/throttle-debounce)
   - [underscore](https://www.npmjs.com/package/underscore)
 
 * Analyzing files with the ".cjs" extension is now supported.

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

@@ -1379,6 +1379,46 @@ module PartialInvokeNode {
     }
   }
 
+  /**
+   * A partial call that behaves like a throttle call, like `require("call-limit")(fs, limit)` or `_.memoize`.
+   * Seen as a partial invocation that binds no arguments.
+   */
+  private class ThrottleLikePartialCall extends PartialInvokeNode::Range, DataFlow::CallNode {
+    int callbackIndex;
+
+    ThrottleLikePartialCall() {
+      callbackIndex = 0 and
+      (
+        this = LodashUnderscore::member(["throttle", "debounce", "once", "memoize"]).getACall()
+        or
+        this = DataFlow::moduleImport(["call-limit", "debounce"]).getACall()
+      )
+      or
+      callbackIndex = 1 and
+      (
+        this = LodashUnderscore::member(["after", "before"]).getACall()
+        or
+        // not jQuery: https://github.com/cowboy/jquery-throttle-debounce
+        this = DataFlow::globalVarRef("$").getAMemberCall(["throttle", "debounce"])
+      )
+      or
+      callbackIndex = -1 and
+      this = DataFlow::moduleMember("throttle-debounce", ["debounce", "throttle"]).getACall()
+    }
+
+    override DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) {
+      (
+        callbackIndex >= 0 and
+        callback = getArgument(callbackIndex)
+        or
+        callbackIndex = -1 and
+        callback = getLastArgument()
+      ) and
+      boundArgs = 0 and
+      result = this
+    }
+  }
+
   /**
    * A partial call through `ramda.partial`.
    */

javascript/ql/test/library-tests/InterProceduralFlow/DataFlow.expected

@@ -32,10 +32,18 @@
 | partial.js:5:15:5:24 | "tainted1" | partial.js:15:15:15:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:21:15:21:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:27:15:27:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:34:15:34:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:41:15:41:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:47:15:47:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:53:15:53:15 | x |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:10:15:10:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:16:15:16:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:22:15:22:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:28:15:28:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:35:15:35:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
 | promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
 | promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
 | promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |

javascript/ql/test/library-tests/InterProceduralFlow/GermanFlow.expected

@@ -33,10 +33,18 @@
 | partial.js:5:15:5:24 | "tainted1" | partial.js:15:15:15:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:21:15:21:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:27:15:27:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:34:15:34:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:41:15:41:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:47:15:47:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:53:15:53:15 | x |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:10:15:10:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:16:15:16:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:22:15:22:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:28:15:28:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:35:15:35:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
 | promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
 | promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
 | promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |

javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected

@@ -38,10 +38,18 @@
 | partial.js:5:15:5:24 | "tainted1" | partial.js:15:15:15:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:21:15:21:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:27:15:27:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:34:15:34:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:41:15:41:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:47:15:47:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:53:15:53:15 | x |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:10:15:10:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:16:15:16:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:22:15:22:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:28:15:28:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:35:15:35:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
 | promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
 | promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
 | promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |

javascript/ql/test/library-tests/InterProceduralFlow/partial.js

@@ -28,3 +28,29 @@ function f4(x, y) {
   let sink2 = y;
 }
 R.partial(f4, [source1])(source2);
+
+const limit = require('call-limit')
+function f5(x, y) {
+  let sink1 = x;
+  let sink2 = y;
+}
+const limited = limit(f5, 5)
+limited(source1, source2);
+
+function f6(x, y) {
+  let sink1 = x;
+  let sink2 = y;
+}
+_.throttle(f6, 100)(source1, source2);
+
+function f7(x, y) {
+  let sink1 = x;
+  let sink2 = y;
+}
+_.after(3, f7)(source1, source2);
+
+function f8(x, y) {
+  let sink1 = x;
+  let sink2 = y;
+}
+require("throttle-debounce").debounce(1000, false, f8)(source1, source2);