JS: use type inference to back up function-style classes

asger-semmle · asger-semmle · commit 74a9c4b50094 · 2019-02-08T16:42:24.000Z
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -719,8 +719,15 @@ module ClassNode {
    */
   class FunctionStyleClass extends Range, DataFlow::ValueNode {
     override Function astNode;
+    AbstractFunction function;
 
-    FunctionStyleClass() { exists(getAPropertyReference("prototype")) }
+    FunctionStyleClass() {
+      function.getFunction() = astNode and
+      exists (DataFlow::PropRef read |
+        read.getPropertyName() = "prototype" and
+        read.getBase().analyze().getAValue() = function
+      )
+    }
 
     override string getName() { result = astNode.getName() }
 
@@ -771,14 +778,16 @@ module ClassNode {
     /**
      * Gets a reference to the prototype of this class.
      */
-    private DataFlow::SourceNode getAPrototypeReference() {
-      result = getAPropertyRead("prototype")
-      or
-      result = getAPropertySource("prototype")
-      or
-      exists(ExtendCall call |
-        call.getDestinationOperand() = getAPropertyRead("prototype") and
-        result = call.getASourceOperand()
+    DataFlow::SourceNode getAPrototypeReference() {
+      exists (DataFlow::SourceNode base | base.analyze().getAValue() = function |
+        result = base.getAPropertyRead("prototype")
+        or
+        result = base.getAPropertySource("prototype")
+        or
+        exists(ExtendCall call |
+          call.getDestinationOperand() = base.getAPropertyRead("prototype") and
+          result = call.getASourceOperand()
+        )
       )
     }
 
diff --git a/javascript/ql/test/library-tests/ClassNode/InstanceMember.expected b/javascript/ql/test/library-tests/ClassNode/InstanceMember.expected
@@ -1,3 +1,4 @@
+| namespace.js:5:32:5:44 | function() {} | Baz.method | method |
 | tst.js:4:17:4:21 | () {} | A.instanceMethod | method |
 | tst.js:7:6:7:10 | () {} | A.bar | method |
 | tst.js:9:10:9:14 | () {} | A.baz | getter |
diff --git a/javascript/ql/test/library-tests/ClassNode/InstanceMethod.expected b/javascript/ql/test/library-tests/ClassNode/InstanceMethod.expected
@@ -1,3 +1,4 @@
+| namespace.js:5:32:5:44 | function() {} | Baz.method |
 | tst.js:4:17:4:21 | () {} | A.instanceMethod |
 | tst.js:7:6:7:10 | () {} | A.bar |
 | tst.js:17:19:17:31 | function() {} | B.foo |
diff --git a/javascript/ql/test/library-tests/ClassNode/namespace.js b/javascript/ql/test/library-tests/ClassNode/namespace.js
@@ -0,0 +1,5 @@
+goog.provide('foo.bar.baz');
+
+foo.bar.baz = function Baz() {};
+
+foo.bar.baz.prototype.method = function() {};

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+\| namespace.js:5:32:5:44 \| function() {} \| Baz.method \| method \|`
`1`	`2`	`\| tst.js:4:17:4:21 \| () {} \| A.instanceMethod \| method \|`
`2`	`3`	`\| tst.js:7:6:7:10 \| () {} \| A.bar \| method \|`
`3`	`4`	`\| tst.js:9:10:9:14 \| () {} \| A.baz \| getter \|`