JavaScript: Use type tracking instead of tracked nodes in Express.

Max Schaefer · Max Schaefer · commit 74db8b19796f · 2019-03-25T16:57:46.000Z
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Electron.qll b/javascript/ql/src/semmle/javascript/frameworks/Electron.qll
@@ -16,7 +16,7 @@ module Electron {
   /**
    * An instantiation of `BrowserWindow` or `BrowserView`.
    */
-  abstract private class NewBrowserObject extends BrowserObject, DataFlow::SourceNode {
+  abstract private class NewBrowserObject extends BrowserObject {
     DataFlow::NewNode self;
 
     NewBrowserObject() { this = self }
@@ -56,11 +56,20 @@ module Electron {
     }
   }
 
+  private DataFlow::SourceNode browserObject(DataFlow::TypeTracker t) {
+    t.start() and
+    result instanceof NewBrowserObject
+    or
+    exists(DataFlow::TypeTracker prev |
+      result = browserObject(prev).track(prev, t)
+    )
+  }
+
   /**
    * A data flow node whose value may originate from a browser object instantiation.
    */
   private class BrowserObjectByFlow extends BrowserObject {
-    BrowserObjectByFlow() { any(NewBrowserObject nbo).flowsTo(this) }
+    BrowserObjectByFlow() { browserObject(_).flowsTo(this) }
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/frameworks/Electron/BrowserObject.expected b/javascript/ql/test/library-tests/frameworks/Electron/BrowserObject.expected
@@ -4,6 +4,8 @@
 | electron.js:3:10:3:48 | new Bro ... s: {}}) |
 | electron.js:4:5:4:46 | bv |
 | electron.js:4:10:4:46 | new Bro ... s: {}}) |
+| electron.js:35:14:35:14 | x |
+| electron.js:36:12:36:12 | x |
 | electron.js:39:5:39:6 | bw |
 | electron.js:40:5:40:6 | bv |
 | electron.ts:3:12:3:13 | bw |
