Merge pull request #4106 from erik-krogh/depTracked

Approved by esbena

Author: codeql-ci

…taflow/StoredXss/StoredXssTrackedNode.ql …aflow/StoredXss/StoredXssTypeTracking.qljavascript/ql/examples/queries/dataflow/StoredXss/StoredXssTrackedNode.ql renamed to javascript/ql/examples/queries/dataflow/StoredXss/StoredXssTypeTracking.ql javascript/ql/examples/queries/dataflow/StoredXss/StoredXssTrackedNode.ql renamed to javascript/ql/examples/queries/dataflow/StoredXss/StoredXssTypeTracking.ql

@@ -15,18 +15,18 @@ import DataFlow::PathGraph
 /**
  * An instance of `mysql.createConnection()`, tracked globally.
  */
-class MysqlConnection extends TrackedNode {
-  MysqlConnection() { this = moduleImport("mysql").getAMemberCall("createConnection") }
-
-  /**
-   * Gets a call to the `query` method on this connection object.
-   */
-  MethodCallNode getAQueryCall() {
-    this.flowsTo(result.getReceiver()) and
-    result.getMethodName() = "query"
-  }
+DataFlow::SourceNode mysqlConnection(DataFlow::TypeTracker t) {
+  t.start() and
+  result = moduleImport("mysql").getAMemberCall("createConnection")
+  or
+  exists(DataFlow::TypeTracker t2 | result = mysqlConnection(t2).track(t2, t))
 }
 
+/**
+ * An instance of `mysql.createConnection()`, tracked globally.
+ */
+DataFlow::SourceNode mysqlConnection() { result = mysqlConnection(DataFlow::TypeTracker::end()) }
+
 /**
  * Data returned from a MySQL query.
  *
@@ -42,7 +42,7 @@ class MysqlConnection extends TrackedNode {
  * ```
  */
 class MysqlSource extends StoredXss::Source {
-  MysqlSource() { this = any(MysqlConnection con).getAQueryCall().getCallback(1).getParameter(1) }
+  MysqlSource() { this = mysqlConnection().getAMethodCall("query").getCallback(1).getParameter(1) }
 }
 
 from StoredXss::Configuration cfg, PathNode source, PathNode sink

javascript/ql/src/semmle/javascript/dataflow/Sources.qll

@@ -2,7 +2,7 @@
  * Provides support for intra-procedural tracking of a customizable
  * set of data flow nodes.
  *
- * Note that unlike `TrackedNodes`, this library only performs
+ * Note that unlike `TypeTracking.qll`, this library only performs
  * local tracking within a function.
  */
 

javascript/ql/src/semmle/javascript/dataflow/TrackedNodes.qll

@@ -1,4 +1,52 @@
 /**
+ * DEPRECATED: Use `TypeTracking.qll` instead.
+ *
+ * The following `TrackedNode` usage is usually equivalent to the type tracking usage below.
+ *
+ * ```
+ * class MyTrackedNode extends TrackedNode {
+ *    MyTrackedNode() { isInteresting(this) }
+ * }
+ *
+ * DataFlow::Node getMyTrackedNodeLocation(MyTrackedNode n) {
+ *   n.flowsTo(result)
+ * }
+ * ```
+ *
+ * ```
+ * DataFlow::SourceNode getMyTrackedNodeLocation(DataFlow::SourceNode start, DataFlow::TypeTracker t) {
+ *   t.start() and
+ *   isInteresting(result) and
+ *   result = start
+ *   or
+ *   exists (DataFlow::TypeTracker t2 |
+ *     result = getMyTrackedNodeLocation(start, t2).track(t2, t)
+ *   )
+ * }
+ *
+ * DataFlow::SourceNode getMyTrackedNodeLocation(DataFlow::SourceNode n) {
+ *   result = getMyTrackedNodeLocation(n, DataFlow::TypeTracker::end())
+ * }
+ * ```
+ *
+ * In rare cases, additional tracking is required, for instance when tracking string constants, and the following type tracking formulation is required instead.
+ *
+ * ```
+ * DataFlow::Node getMyTrackedNodeLocation(DataFlow::Node start, DataFlow::TypeTracker t) {
+ *   t.start() and
+ *   isInteresting(result) and
+ *   result = start
+ *   or
+ *   exists(DataFlow::TypeTracker t2 |
+ *     t = t2.smallstep(getMyTrackedNodeLocation(start, t2), result)
+ *   )
+ * }
+ *
+ * DataFlow::Node getMyTrackedNodeLocation(DataFlow::Node n) {
+ *   result = getMyTrackedNodeLocation(n, DataFlow::TypeTracker::end())
+ * }
+ * ```
+ *
  * Provides support for inter-procedural tracking of a customizable
  * set of data flow nodes.
  */
@@ -12,7 +60,7 @@ private import internal.FlowSteps as FlowSteps
  * To track additional values, extends this class with additional
  * subclasses.
  */
-abstract class TrackedNode extends DataFlow::Node {
+abstract deprecated class TrackedNode extends DataFlow::Node {
   /**
    * Holds if this node flows into `sink` in zero or more (possibly
    * inter-procedural) steps.
@@ -26,7 +74,7 @@ abstract class TrackedNode extends DataFlow::Node {
  * To track additional expressions, extends this class with additional
  * subclasses.
  */
-abstract class TrackedExpr extends Expr {
+abstract deprecated class TrackedExpr extends Expr {
   predicate flowsTo(Expr sink) {
     exists(TrackedExprNode ten | ten.asExpr() = this | ten.flowsTo(DataFlow::valueNode(sink)))
   }
@@ -35,7 +83,7 @@ abstract class TrackedExpr extends Expr {
 /**
  * Turn all `TrackedExpr`s into `TrackedNode`s.
  */
-private class TrackedExprNode extends TrackedNode {
+deprecated private class TrackedExprNode extends TrackedNode {
   TrackedExprNode() { asExpr() instanceof TrackedExpr }
 }
 
@@ -64,7 +112,9 @@ private module NodeTracking {
    *
    * Summary steps through function calls are not taken into account.
    */
-  private predicate basicFlowStep(DataFlow::Node pred, DataFlow::Node succ, PathSummary summary) {
+  deprecated private predicate basicFlowStep(
+    DataFlow::Node pred, DataFlow::Node succ, PathSummary summary
+  ) {
     isRelevant(pred) and
     (
       // Local flow
@@ -94,7 +144,7 @@ private module NodeTracking {
    *
    * No call/return matching is done, so this is a relatively coarse over-approximation.
    */
-  private predicate isRelevant(DataFlow::Node nd) {
+  deprecated private predicate isRelevant(DataFlow::Node nd) {
     nd instanceof TrackedNode
     or
     exists(DataFlow::Node mid | isRelevant(mid) |
@@ -115,7 +165,7 @@ private module NodeTracking {
    * either `pred` is an argument of `f` and `succ` the corresponding parameter, or
    * `pred` is a variable definition whose value is captured by `f` at `succ`.
    */
-  private predicate callInputStep(
+  deprecated private predicate callInputStep(
     Function f, DataFlow::Node invk, DataFlow::Node pred, DataFlow::Node succ
   ) {
     isRelevant(pred) and
@@ -136,7 +186,7 @@ private module NodeTracking {
    * that is captured by `f`, may flow to `nd` (possibly through callees, but not containing
    * any unmatched calls or returns) along a path summarized by `summary`.
    */
-  private predicate reachableFromInput(
+  deprecated private predicate reachableFromInput(
     Function f, DataFlow::Node invk, DataFlow::Node input, DataFlow::Node nd, PathSummary summary
   ) {
     callInputStep(f, invk, input, nd) and
@@ -154,7 +204,7 @@ private module NodeTracking {
    * Holds if `nd` may flow into a return statement of `f`
    * (possibly through callees) along a path summarized by `summary`.
    */
-  private predicate reachesReturn(Function f, DataFlow::Node nd, PathSummary summary) {
+  deprecated private predicate reachesReturn(Function f, DataFlow::Node nd, PathSummary summary) {
     returnExpr(f, nd, _) and
     summary = PathSummary::level()
     or
@@ -170,7 +220,7 @@ private module NodeTracking {
    * which is either an argument or a definition captured by the function, flows,
    * possibly through callees.
    */
-  private predicate flowThroughCall(DataFlow::Node input, DataFlow::Node output) {
+  deprecated private predicate flowThroughCall(DataFlow::Node input, DataFlow::Node output) {
     exists(Function f, DataFlow::ValueNode ret |
       ret.asExpr() = f.getAReturnedExpr() and
       reachableFromInput(f, output, input, ret, _)
@@ -187,7 +237,7 @@ private module NodeTracking {
   /**
    * Holds if `pred` may flow into property `prop` of `succ` along a path summarized by `summary`.
    */
-  private predicate storeStep(
+  deprecated private predicate storeStep(
     DataFlow::Node pred, DataFlow::SourceNode succ, string prop, PathSummary summary
   ) {
     basicStoreStep(pred, succ, prop) and
@@ -210,7 +260,7 @@ private module NodeTracking {
    * Holds if property `prop` of `pred` may flow into `succ` along a path summarized by
    * `summary`.
    */
-  private predicate loadStep(
+  deprecated private predicate loadStep(
     DataFlow::Node pred, DataFlow::Node succ, string prop, PathSummary summary
   ) {
     basicLoadStep(pred, succ, prop) and
@@ -226,7 +276,7 @@ private module NodeTracking {
    * Holds if `rhs` is the right-hand side of a write to property `prop`, and `nd` is reachable
    * from the base of that write (possibly through callees) along a path summarized by `summary`.
    */
-  private predicate reachableFromStoreBase(
+  deprecated private predicate reachableFromStoreBase(
     string prop, DataFlow::Node rhs, DataFlow::Node nd, PathSummary summary
   ) {
     storeStep(rhs, nd, prop, summary)
@@ -244,7 +294,7 @@ private module NodeTracking {
    *
    * In other words, `pred` may flow to `succ` through a property.
    */
-  private predicate flowThroughProperty(
+  deprecated private predicate flowThroughProperty(
     DataFlow::Node pred, DataFlow::Node succ, PathSummary summary
   ) {
     exists(string prop, DataFlow::Node base, PathSummary oldSummary, PathSummary newSummary |
@@ -259,7 +309,7 @@ private module NodeTracking {
    * invokes `cb`, passing `arg` as its `i`th argument. `arg` flows along a path summarized
    * by `summary`, while `cb` is only tracked locally.
    */
-  private predicate summarizedHigherOrderCall(
+  deprecated private predicate summarizedHigherOrderCall(
     DataFlow::Node arg, DataFlow::Node cb, int i, PathSummary summary
   ) {
     exists(
@@ -293,7 +343,7 @@ private module NodeTracking {
    * Alternatively, the callback can flow into a call `f(callback)` which itself provides the `arg`.
    * That is, `arg` refers to a value defined in `f` or one of its callees.
    */
-  predicate higherOrderCall(
+  deprecated predicate higherOrderCall(
     DataFlow::Node arg, DataFlow::SourceNode callback, int i, PathSummary summary
   ) {
     // Summarized call
@@ -328,7 +378,7 @@ private module NodeTracking {
    * of `cb`. `arg` flows along a path summarized by `summary`, while `cb` is only tracked
    * locally.
    */
-  private predicate flowIntoHigherOrderCall(
+  deprecated private predicate flowIntoHigherOrderCall(
     DataFlow::Node pred, DataFlow::Node succ, PathSummary summary
   ) {
     exists(DataFlow::FunctionNode cb, int i, PathSummary oldSummary |
@@ -341,7 +391,9 @@ private module NodeTracking {
   /**
    * Holds if there is a flow step from `pred` to `succ` described by `summary`.
    */
-  private predicate flowStep(DataFlow::Node pred, DataFlow::Node succ, PathSummary summary) {
+  deprecated private predicate flowStep(
+    DataFlow::Node pred, DataFlow::Node succ, PathSummary summary
+  ) {
     basicFlowStep(pred, succ, summary)
     or
     // Flow through a function that returns a value that depends on one of its arguments
@@ -360,7 +412,7 @@ private module NodeTracking {
    * Holds if there is a path from `source` to `nd` along a path summarized by
    * `summary`.
    */
-  predicate flowsTo(TrackedNode source, DataFlow::Node nd, PathSummary summary) {
+  deprecated predicate flowsTo(TrackedNode source, DataFlow::Node nd, PathSummary summary) {
     source = nd and
     summary = PathSummary::level()
     or

javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll

@@ -1,7 +1,7 @@
 /**
  * Provides the `TypeTracker` class for tracking types interprocedurally.
  *
- * This provides an alternative to `DataFlow::TrackedNode` and `AbstractValue`
+ * This provides an alternative to `AbstractValue`
  * for tracking certain types interprocedurally without computing which source
  * a given value came from.
  */

javascript/ql/test/library-tests/InterProceduralFlow/TrackedNodes.expected

@@ -1,12 +1,15 @@
 import javascript
 
-class TrackedStringLiteral extends DataFlow::TrackedNode {
-  TrackedStringLiteral() { this.asExpr() instanceof ConstantString }
+DataFlow::Node constantString(DataFlow::TypeTracker t) {
+  t.start() and
+  result.asExpr() instanceof ConstantString
+  or
+  exists(DataFlow::TypeTracker t2 | t = t2.smallstep(constantString(t2), result))
 }
 
 query predicate test_query15(DataFlow::Node sink) {
-  exists(TrackedStringLiteral source, SsaExplicitDefinition def |
-    source.flowsTo(sink) and
+  exists(SsaExplicitDefinition def |
+    sink = constantString(DataFlow::TypeTracker::end()) and
     sink = DataFlow::ssaDefinitionNode(def) and
     def.getSourceVariable().getName().toLowerCase() = "password"
   |