Merge pull request #1707 from asger-semmle/canonical-name-call-graph

Approved by xiemaisi

Author: semmle-qlci

change-notes/1.23/analysis-javascript.md

@@ -5,6 +5,8 @@
 * Support for the following frameworks and libraries has been improved:
   - [firebase](https://www.npmjs.com/package/firebase)
 
+* The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.
+
 ## New queries
 
 | **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |

javascript/externs/es/es5.js

@@ -236,20 +236,13 @@ Date.prototype.toISOString = function() {};
 Date.prototype.toJSON = function(opt_ignoredKey) {};
 
 
-/**
- * A fake type to model the JSON object.
- * @constructor
- */
-function JSONType() {}
-
-
 /**
  * @param {string} jsonStr The string to parse.
  * @param {(function(string, *) : *)=} opt_reviver
  * @return {*} The JSON object.
  * @throws {Error}
  */
-JSONType.prototype.parse = function(jsonStr, opt_reviver) {};
+JSON.parse = function(jsonStr, opt_reviver) {};
 
 
 /**
@@ -259,11 +252,4 @@ JSONType.prototype.parse = function(jsonStr, opt_reviver) {};
  * @return {string} JSON string which represents jsonObj.
  * @throws {Error}
  */
-JSONType.prototype.stringify = function(jsonObj, opt_replacer, opt_space) {};
-
-
-/**
- * @type {!JSONType}
- * @suppress {duplicate}
- */
-var JSON;
+JSON.stringify = function(jsonObj, opt_replacer, opt_space) {};

javascript/ql/src/semmle/javascript/Closure.qll

@@ -212,45 +212,34 @@ module Closure {
       or
       name = namespace
     )
+    or
+    name = "goog" // The closure libraries themselves use the "goog" namespace
+  }
+
+  /**
+   * Holds if a prefix of `name` is a closure namespace.
+   */
+  bindingset[name]
+  private predicate hasClosureNamespacePrefix(string name) {
+    isClosureNamespace(name.substring(0, name.indexOf(".")))
+    or
+    isClosureNamespace(name)
   }
 
   /**
    * Gets the closure namespace path addressed by the given data flow node, if any.
    */
   string getClosureNamespaceFromSourceNode(DataFlow::SourceNode node) {
-    isClosureNamespace(result) and
-    node = DataFlow::globalVarRef(result)
-    or
-    exists(DataFlow::SourceNode base, string basePath, string prop |
-      basePath = getClosureNamespaceFromSourceNode(base) and
-      node = base.getAPropertyRead(prop) and
-      result = basePath + "." + prop and
-      // ensure finiteness
-      (
-        isClosureNamespace(basePath)
-        or
-        // direct access, no indirection
-        node.(DataFlow::PropRead).getBase() = base
-      )
-    )
-    or
-    // Associate an access path with the immediate RHS of a store on a closure namespace.
-    // This is to support patterns like:
-    // foo.bar = { baz() {} }
-    exists(DataFlow::PropWrite write |
-      node = write.getRhs() and
-      result = getWrittenClosureNamespace(write)
-    )
-    or
-    result = node.(ClosureNamespaceAccess).getClosureNamespace()
+    result = GlobalAccessPath::getAccessPath(node) and
+    hasClosureNamespacePrefix(result)
   }
 
   /**
    * Gets the closure namespace path written to by the given property write, if any.
    */
   string getWrittenClosureNamespace(DataFlow::PropWrite node) {
-    result = getClosureNamespaceFromSourceNode(node.getBase().getALocalSource()) + "." +
-        node.getPropertyName()
+    result = GlobalAccessPath::fromRhs(node.getRhs()) and
+    hasClosureNamespacePrefix(result)
   }
 
   /**

javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll

@@ -41,6 +41,7 @@ module GlobalAccessPath {
    * })(NS = NS || {});
    * ``` 
    */
+  cached
   string fromReference(DataFlow::Node node) {
     result = fromReference(node.getImmediatePredecessor())
     or
@@ -142,6 +143,7 @@ module GlobalAccessPath {
    *  })(foo = foo || {});
    * ```
    */
+  cached
   string fromRhs(DataFlow::Node node) {
     exists(DataFlow::SourceNode base, string baseName, string name |
       node = base.getAPropertyWrite(name).getRhs() and
@@ -152,9 +154,9 @@ module GlobalAccessPath {
       baseName = fromRhs(base)
     )
     or
-    exists(AssignExpr assign |
-      node = assign.getRhs().flow() and
-      result = assign.getLhs().(GlobalVarAccess).getName()
+    exists(GlobalVariable var |
+      node = var.getAnAssignedExpr().flow() and
+      result = var.getName()
     )
     or
     exists(FunctionDeclStmt fun |
@@ -166,6 +168,16 @@ module GlobalAccessPath {
       node = DataFlow::valueNode(cls) and
       result = cls.getIdentifier().(GlobalVarDecl).getName()
     )
+    or
+    exists(EnumDeclaration decl |
+      node = DataFlow::valueNode(decl) and
+      result = decl.getIdentifier().(GlobalVarDecl).getName()
+    )
+    or
+    exists(NamespaceDeclaration decl |
+      node = DataFlow::valueNode(decl) and
+      result = decl.getId().(GlobalVarDecl).getName()
+    )
   }
 
   /**

javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll

@@ -43,7 +43,8 @@ module DataFlow {
     } or
     THtmlAttributeNode(HTML::Attribute attr) or
     TExceptionalFunctionReturnNode(Function f) or
-    TExceptionalInvocationReturnNode(InvokeExpr e)
+    TExceptionalInvocationReturnNode(InvokeExpr e) or
+    TGlobalAccessPathRoot()
 
   /**
    * A node in the data flow graph.
@@ -120,6 +121,12 @@ module DataFlow {
     /** Gets a function value that may reach this node. */
     FunctionNode getAFunctionValue() {
       result.getAstNode() = analyze().getAValue().(AbstractCallable).getFunction()
+      or
+      exists(string name |
+        GlobalAccessPath::isAssignedInUniqueFile(name) and
+        GlobalAccessPath::fromRhs(result) = name and
+        GlobalAccessPath::fromReference(this) = name
+      )
     }
 
     /**
@@ -912,6 +919,20 @@ module DataFlow {
     DataFlow::InvokeNode getInvocation() { result = invoke.flow() }
   }
 
+  /**
+   * A pseudo-node representing the root of a global access path.
+   */
+  private class GlobalAccessPathRoot extends TGlobalAccessPathRoot, DataFlow::Node {
+    override string toString() { result = "global access path" }
+  }
+
+  /**
+   * INTERNAL. DO NOT USE.
+   *
+   * Gets a pseudo-node representing the root of a global access path.
+   */
+  DataFlow::Node globalAccessPathRootPseudoNode() { result instanceof TGlobalAccessPathRoot }
+
   /**
    * Provides classes representing various kinds of calls.
    *

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

@@ -693,6 +693,7 @@ class ClassNode extends DataFlow::SourceNode {
   /**
    * Gets a dataflow node that refers to this class object.
    */
+  cached
   DataFlow::SourceNode getAClassReference() {
     result = getAClassReference(DataFlow::TypeTracker::end())
   }
@@ -709,6 +710,15 @@ class ClassNode extends DataFlow::SourceNode {
     t.start() and
     result = getAReceiverNode()
     or
+    // Use a parameter type as starting point of type tracking.
+    // Use `t.call()` to emulate the value being passed in through an unseen
+    // call site, but not out of the call again.
+    t.call() and
+    exists(Parameter param |
+      this = param.getTypeAnnotation().getClass() and
+      result = DataFlow::parameterNode(param)
+    )
+    or
     result = getAnInstanceReferenceAux(t) and
     // Avoid tracking into the receiver of other classes.
     // Note that this also blocks flows into a property of the receiver,
@@ -724,6 +734,7 @@ class ClassNode extends DataFlow::SourceNode {
   /**
    * Gets a dataflow node that refers to an instance of this class.
    */
+  cached
   DataFlow::SourceNode getAnInstanceReference() {
     result = getAnInstanceReference(DataFlow::TypeTracker::end())
   }
@@ -844,6 +855,12 @@ module ClassNode {
     override DataFlow::Node getASuperClassNode() { result = astNode.getSuperClass().flow() }
   }
 
+  private DataFlow::PropRef getAPrototypeReferenceInFile(string name, File f) {
+    GlobalAccessPath::getAccessPath(result.getBase()) = name and
+    result.getPropertyName() = "prototype" and
+    result.getFile() = f
+  }
+
   /**
    * A function definition with prototype manipulation as a `ClassNode` instance.
    */
@@ -854,9 +871,16 @@ module ClassNode {
 
     FunctionStyleClass() {
       function.getFunction() = astNode and
-      exists(DataFlow::PropRef read |
-        read.getPropertyName() = "prototype" and
-        read.getBase().analyze().getAValue() = function
+      (
+        exists (DataFlow::PropRef read |
+          read.getPropertyName() = "prototype" and
+          read.getBase().analyze().getAValue() = function
+        )
+        or
+        exists(string name |
+          name = GlobalAccessPath::fromRhs(this) and
+          exists(getAPrototypeReferenceInFile(name, getFile()))
+        )
       )
     }
 
@@ -916,11 +940,16 @@ module ClassNode {
         result = base.getAPropertyRead("prototype")
         or
         result = base.getAPropertySource("prototype")
-        or
-        exists(ExtendCall call |
-          call.getDestinationOperand() = base.getAPropertyRead("prototype") and
-          result = call.getASourceOperand()
-        )
+      )
+      or
+      exists(string name |
+        GlobalAccessPath::fromRhs(this) = name and
+        result = getAPrototypeReferenceInFile(name, getFile())
+      )
+      or
+      exists(ExtendCall call |
+        call.getDestinationOperand() = getAPrototypeReference() and
+        result = call.getASourceOperand()
       )
     }
 

javascript/ql/src/semmle/javascript/dataflow/Sources.qll

@@ -250,6 +250,8 @@ module SourceNode {
       DataFlow::thisNode(this, _)
       or
       this = DataFlow::destructuredModuleImportNode(_)
+      or
+      this = DataFlow::globalAccessPathRootPseudoNode()
     }
   }
 }

javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll

@@ -47,14 +47,6 @@ class AnalyzedNode extends DataFlow::Node {
    */
   AnalyzedNode localFlowPred() { result = getAPredecessor() }
 
-  /**
-   * INTERNAL. Do not use.
-   *
-   * Gets another data flow node whose value flows into this node in a global step
-   * (this is, involving global variables).
-   */
-  AnalyzedNode globalFlowPred() { none() }
-
   /**
    * Gets an abstract value that this node may evaluate to at runtime.
    *
@@ -92,9 +84,6 @@ class AnalyzedNode extends DataFlow::Node {
     exists(DataFlow::Incompleteness cause |
       isIncomplete(cause) and result = TIndefiniteAbstractValue(cause)
     )
-    or
-    result = globalFlowPred().getALocalValue() and
-    shouldTrackGlobally(result)
   }
 
   /** Gets a type inferred for this node. */
@@ -295,8 +284,3 @@ private class AnalyzedAsyncFunction extends AnalyzedFunction {
 
   override AbstractValue getAReturnValue() { result = TAbstractOtherObject() }
 }
-
-/**
- * Holds if the given value should be propagated along `globalFlowPred()` edges.
- */
-private predicate shouldTrackGlobally(AbstractValue value) { value instanceof AbstractCallable }

javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll

@@ -10,7 +10,11 @@ private import javascript
 private import internal.FlowSteps
 
 private class PropertyName extends string {
-  PropertyName() { this = any(DataFlow::PropRef pr).getPropertyName() }
+  PropertyName() {
+    this = any(DataFlow::PropRef pr).getPropertyName()
+    or
+    GlobalAccessPath::isAssignedInUniqueFile(this)
+  }
 }
 
 private class OptionalPropertyName extends string {
@@ -89,6 +93,20 @@ module StepSummary {
     or
     any(AdditionalTypeTrackingStep st).step(pred, succ) and
     summary = LevelStep()
+    or
+    exists(string name |
+      name = GlobalAccessPath::fromRhs(pred) and
+      GlobalAccessPath::isAssignedInUniqueFile(name) and
+      succ = DataFlow::globalAccessPathRootPseudoNode() and
+      summary = StoreStep(name)
+    )
+    or
+    exists(string name |
+      name = GlobalAccessPath::fromReference(succ) and
+      GlobalAccessPath::isAssignedInUniqueFile(name) and
+      pred = DataFlow::globalAccessPathRootPseudoNode() and
+      summary = LoadStep(name)
+    )
   }
 }
 
@@ -158,6 +176,12 @@ class TypeTracker extends TTypeTracker {
    */
   predicate start() { hasCall = false and prop = "" }
 
+  /**
+   * Holds if this is the starting point of type tracking
+   * when tracking a parameter into a call, but not out of it.
+   */
+  predicate call() { hasCall = true and prop = "" }
+
   /**
    * Holds if this is the end point of type tracking.
    */