JS: Fix some join orders

Author: asgerf

javascript/ql/src/semmle/javascript/DOM.qll

@@ -315,6 +315,11 @@ module DOM {
       )
     }
 
+    private InferredType getArgumentTypeFromJQueryMethodGet(JQuery::MethodCall call) {
+      call.getMethodName() = "get" and
+      result = call.getArgument(0).analyze().getAType()
+    }
+
     private class DefaultRange extends Range {
       DefaultRange() {
         this.asExpr().(VarAccess).getVariable() instanceof DOMGlobalVariable
@@ -344,7 +349,7 @@ module DOM {
         or
         exists(JQuery::MethodCall call | this = call and call.getMethodName() = "get" |
           call.getNumArgument() = 1 and
-          unique(InferredType t | t = call.getArgument(0).analyze().getAType()) = TTNumber()
+          unique(InferredType t | t = getArgumentTypeFromJQueryMethodGet(call)) = TTNumber()
         )
         or
         // A `this` node from a callback given to a `$().each(callback)` call.

javascript/ql/src/semmle/javascript/HtmlSanitizers.qll

@@ -16,51 +16,54 @@ abstract class HtmlSanitizerCall extends DataFlow::CallNode {
   abstract DataFlow::Node getInput();
 }
 
+pragma[noinline]
+private DataFlow::SourceNode htmlSanitizerFunction() {
+  result = DataFlow::moduleMember("ent", "encode")
+  or
+  result = DataFlow::moduleMember("entities", "encodeHTML")
+  or
+  result = DataFlow::moduleMember("entities", "encodeXML")
+  or
+  result = DataFlow::moduleMember("escape-goat", "escape")
+  or
+  result = DataFlow::moduleMember("he", "encode")
+  or
+  result = DataFlow::moduleMember("he", "escape")
+  or
+  result = DataFlow::moduleImport("sanitize-html")
+  or
+  result = DataFlow::moduleMember("sanitizer", "escape")
+  or
+  result = DataFlow::moduleMember("sanitizer", "sanitize")
+  or
+  result = DataFlow::moduleMember("validator", "escape")
+  or
+  result = DataFlow::moduleImport("xss")
+  or
+  result = DataFlow::moduleMember("xss-filters", _)
+  or
+  result = LodashUnderscore::member("escape")
+  or
+  exists(DataFlow::PropRead read | read = result |
+    read.getPropertyName() = "sanitize" and
+    read.getBase().asExpr().(VarAccess).getName() = "DOMPurify"
+  )
+  or
+  exists(string name | name = "encode" or name = "encodeNonUTF" |
+    result =
+      DataFlow::moduleMember("html-entities", _).getAnInstantiation().getAPropertyRead(name) or
+    result = DataFlow::moduleMember("html-entities", _).getAPropertyRead(name)
+  )
+  or
+  result = Closure::moduleImport("goog.string.htmlEscape")
+}
+
 /**
  * Matches HTML sanitizers from known NPM packages as well as home-made sanitizers (matched by name).
  */
 private class DefaultHtmlSanitizerCall extends HtmlSanitizerCall {
   DefaultHtmlSanitizerCall() {
-    exists(DataFlow::SourceNode callee | this = callee.getACall() |
-      callee = DataFlow::moduleMember("ent", "encode")
-      or
-      callee = DataFlow::moduleMember("entities", "encodeHTML")
-      or
-      callee = DataFlow::moduleMember("entities", "encodeXML")
-      or
-      callee = DataFlow::moduleMember("escape-goat", "escape")
-      or
-      callee = DataFlow::moduleMember("he", "encode")
-      or
-      callee = DataFlow::moduleMember("he", "escape")
-      or
-      callee = DataFlow::moduleImport("sanitize-html")
-      or
-      callee = DataFlow::moduleMember("sanitizer", "escape")
-      or
-      callee = DataFlow::moduleMember("sanitizer", "sanitize")
-      or
-      callee = DataFlow::moduleMember("validator", "escape")
-      or
-      callee = DataFlow::moduleImport("xss")
-      or
-      callee = DataFlow::moduleMember("xss-filters", _)
-      or
-      callee = LodashUnderscore::member("escape")
-      or
-      exists(DataFlow::PropRead read | read = callee |
-        read.getPropertyName() = "sanitize" and
-        read.getBase().asExpr().(VarAccess).getName() = "DOMPurify"
-      )
-      or
-      exists(string name | name = "encode" or name = "encodeNonUTF" |
-        callee =
-          DataFlow::moduleMember("html-entities", _).getAnInstantiation().getAPropertyRead(name) or
-        callee = DataFlow::moduleMember("html-entities", _).getAPropertyRead(name)
-      )
-      or
-      callee = Closure::moduleImport("goog.string.htmlEscape")
-    )
+    this = htmlSanitizerFunction().getACall()
     or
     // Match home-made sanitizers by name.
     exists(string calleeName | calleeName = getCalleeName() |

javascript/ql/src/semmle/javascript/Promises.qll

@@ -596,6 +596,7 @@ private module ClosurePromise {
    * A promise created by a call `goog.Promise.resolve(value)`.
    */
   private class ResolvedClosurePromiseDefinition extends ResolvedPromiseDefinition {
+    pragma[noinline]
     ResolvedClosurePromiseDefinition() {
       this = Closure::moduleImport("goog.Promise.resolve").getACall()
     }

javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll

@@ -268,9 +268,11 @@ module SocketIO {
 
     /** Gets the `i`th parameter through which data is received from a client. */
     override DataFlow::SourceNode getReceivedItem(int i) {
-      exists(DataFlow::FunctionNode cb | cb = getListener() and result = cb.getParameter(i) |
+      exists(DataFlow::FunctionNode cb |
+        cb = getListener() and
+        result = cb.getParameter(i) and
         // exclude last parameter if it looks like a callback
-        result != cb.getLastParameter() or not exists(result.getAnInvocation())
+        not (result = cb.getLastParameter() and exists(result.getAnInvocation()))
       )
     }
 

javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll

@@ -156,6 +156,12 @@ private module PersistentWebStorage {
     result = DataFlow::globalVarRef(kind)
   }
 
+  pragma[noinline]
+  WriteAccess getAWriteByName(string name, string kind) {
+    result.getKey() = name and
+    result.getKind() = kind
+  }
+
   /**
    * A read access.
    */
@@ -165,8 +171,10 @@ private module PersistentWebStorage {
     ReadAccess() { this = webStorage(kind).getAMethodCall("getItem") }
 
     override PersistentWriteAccess getAWrite() {
-      getArgument(0).mayHaveStringValue(result.(WriteAccess).getKey()) and
-      result.(WriteAccess).getKind() = kind
+      exists(string name |
+        getArgument(0).mayHaveStringValue(name) and 
+        result = getAWriteByName(name, kind)
+      )
     }
   }