Merge pull request #1697 from esben-semmle/js/fix-missing-this-in-method

semmle-qlci · web-flow · commit 5de6da4ee42a · 2019-08-06T11:38:11.000+01:00
Approved by xiemaisi
diff --git a/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll b/javascript/ql/src/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll
@@ -711,50 +711,52 @@ private class AngularMethodCall extends AngularJSCall {
 }
 
 /**
- * A call to a method on a builtin service.
+ * A call to a builtin service or one of its methods.
  */
-private class ServiceMethodCall extends AngularJSCall {
-  MethodCallExpr mce;
+private class BuiltinServiceCall extends AngularJSCall {
+  CallExpr call;
 
-  ServiceMethodCall() {
+  BuiltinServiceCall() {
     exists(BuiltinServiceReference service |
-      service.getAMethodCall(_) = this and
-      mce = this
+      service.getAMethodCall(_) = this or
+      service.getACall() = this
+    |
+      call = this
     )
   }
 
   override predicate interpretsArgumentAsHtml(Expr e) {
     exists(ServiceReference service, string methodName |
       service.getName() = "$sce" and
-      mce = service.getAMethodCall(methodName)
+      call = service.getAMethodCall(methodName)
     |
       // specialized call
       (methodName = "trustAsHtml" or methodName = "trustAsCss") and
-      e = mce.getArgument(0)
+      e = call.getArgument(0)
       or
       // generic call with enum argument
       methodName = "trustAs" and
       exists(DataFlow::PropRead prn |
-        prn.asExpr() = mce.getArgument(0) and
+        prn.asExpr() = call.getArgument(0) and
         (prn = service.getAPropertyAccess("HTML") or prn = service.getAPropertyAccess("CSS")) and
-        e = mce.getArgument(1)
+        e = call.getArgument(1)
       )
     )
   }
 
   override predicate storesArgumentGlobally(Expr e) {
     exists(ServiceReference service, string serviceName, string methodName |
       service.getName() = serviceName and
-      mce = service.getAMethodCall(methodName)
+      call = service.getAMethodCall(methodName)
     |
       // AngularJS caches (only available during runtime, so similar to sessionStorage)
       (serviceName = "$cacheFactory" or serviceName = "$templateCache") and
       methodName = "put" and
-      e = mce.getArgument(1)
+      e = call.getArgument(1)
       or
       serviceName = "$cookies" and
       (methodName = "put" or methodName = "putObject") and
-      e = mce.getArgument(1)
+      e = call.getArgument(1)
     )
   }
 
@@ -768,23 +770,25 @@ private class ServiceMethodCall extends AngularJSCall {
       methodName = "$watchCollection" or
       methodName = "$watchGroup"
     |
-      e = scope.getAMethodCall(methodName).getArgument(0)
+      call = scope.getAMethodCall(methodName) and
+      e = call.getArgument(0)
     )
     or
     exists(ServiceReference service |
       service.getName() = "$compile" or
       service.getName() = "$parse" or
       service.getName() = "$interpolate"
     |
-      e = service.getACall().getArgument(0)
+      call = service.getACall() and
+      e = call.getArgument(0)
     )
     or
-    exists(ServiceReference service, CallExpr filter, CallExpr filterInvocation |
+    exists(ServiceReference service, CallExpr filterInvocation |
       // `$filter('orderBy')(collection, expression)`
       service.getName() = "$filter" and
-      filter = service.getACall() and
-      filter.getArgument(0).mayHaveStringValue("orderBy") and
-      filterInvocation.getCallee() = filter and
+      call = service.getACall() and
+      call.getArgument(0).mayHaveStringValue("orderBy") and
+      filterInvocation.getCallee() = call and
       e = filterInvocation.getArgument(1)
     )
   }
