Merge pull request #2505 from erik-krogh/EventEmitter

Approved by esbena, max-schaefer

Author: semmle-qlci

javascript/ql/src/javascript.qll

@@ -73,6 +73,7 @@ import semmle.javascript.frameworks.Credentials
 import semmle.javascript.frameworks.CryptoLibraries
 import semmle.javascript.frameworks.DigitalOcean
 import semmle.javascript.frameworks.Electron
+import semmle.javascript.frameworks.EventEmitter
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
 import semmle.javascript.frameworks.jQuery

javascript/ql/src/semmle/javascript/frameworks/Electron.qll

@@ -73,187 +73,109 @@ module Electron {
   /**
    * A reference to the `webContents` property of a browser object.
    */
-  class WebContents extends DataFlow::SourceNode {
+  class WebContents extends DataFlow::SourceNode, NodeJSLib::NodeJSEventEmitter {
     WebContents() { this.(DataFlow::PropRead).accesses(any(BrowserObject bo), "webContents") }
   }
 
   /**
    * Provides classes and predicates for modelling Electron inter-process communication (IPC).
+   * The Electron IPC are EventEmitters, but they also expose a number of methods on top of the standard EventEmitter.
    */
   private module IPC {
-    class Process extends string {
-      Process() { this = "main" or this = "renderer" }
+    DataFlow::SourceNode main() { result = DataFlow::moduleMember("electron", "ipcMain") }
 
-      DataFlow::SourceNode getAnImport() {
-        this = Process::main() and result = DataFlow::moduleMember("electron", "ipcMain")
-        or
-        this = Process::renderer() and result = DataFlow::moduleMember("electron", "ipcRenderer")
-      }
-    }
-
-    module Process {
-      Process main() { result = "main" }
-
-      Process renderer() { result = "renderer" }
-    }
-
-    /**
-     * An IPC callback.
-     */
-    class Callback extends DataFlow::FunctionNode {
-      DataFlow::Node channel;
-      Process process;
-
-      Callback() {
-        exists(DataFlow::MethodCallNode mc |
-          mc = process.getAnImport().getAMemberCall("on") and
-          this = mc.getCallback(1) and
-          channel = mc.getArgument(0)
-        )
-      }
-
-      /** Gets the process on which this callback is executed. */
-      Process getProcess() { result = process }
-
-      /** Gets the name of the channel the callback is listening on. */
-      string getChannelName() { result = channel.getStringValue() }
-
-      /** Gets the data flow node containing the message received by the callback. */
-      DataFlow::Node getMessage() { result = getParameter(1) }
-    }
+    DataFlow::SourceNode renderer() { result = DataFlow::moduleMember("electron", "ipcRenderer") }
 
     /**
-     * An IPC message.
+     * A model for the Main and Renderer process in an Electron app.
      */
-    abstract class Message extends DataFlow::Node {
-      /** Gets the process that sends this message. */
-      abstract Process getProcess();
-
-      /** Gets the name of the channel this message is sent on. */
-      abstract string getChannelName();
+    abstract class Process extends EventEmitter::Range {
+      /**
+       * Gets a node that refers to a Process object.
+       */
+      DataFlow::SourceNode ref() { result = EventEmitter::trackEventEmitter(this) }
     }
 
     /**
-     * An IPC message sent directly from a process.
+     * An instance of the Main process of an Electron app.
+     * Communication in an Electron app generally happens from the renderer process to the main process.
      */
-    class DirectMessage extends Message {
-      DataFlow::MethodCallNode mc;
-      Process process;
-      DataFlow::Node channel;
-      boolean isSync;
-
-      DirectMessage() {
-        exists(string send |
-          send = "send" and isSync = false
-          or
-          send = "sendSync" and isSync = true
-        |
-          mc = process.getAnImport().getAMemberCall(send) and
-          this = mc.getArgument(1) and
-          channel = mc.getArgument(0)
-        )
-      }
-
-      override Process getProcess() { result = process }
-
-      override string getChannelName() { result = channel.getStringValue() }
+    class MainProcess extends Process {
+      MainProcess() { this = main() }
     }
 
     /**
-     * A synchronous IPC message sent directly from a process.
+     * An instance of the renderer process of an Electron app.
      */
-    class SyncDirectMessage extends DirectMessage {
-      SyncDirectMessage() { isSync = true }
-
-      /** Gets the data flow node holding the reply to the message. */
-      DataFlow::Node getReply() { result = mc }
+    class RendererProcess extends Process {
+      RendererProcess() { this = renderer() }
     }
 
     /**
-     * An asynchronous IPC reply sent from within an IPC callback.
+     * The `sender` property of the event in an IPC event handler.
+     * This sender is used to send a response back from the main process to the renderer.
      */
-    class AsyncReplyMessage extends Message {
-      Callback callback;
-      DataFlow::Node channel;
-
-      AsyncReplyMessage() {
-        exists(DataFlow::MethodCallNode mc |
-          mc = callback.getParameter(0).getAPropertyRead("sender").getAMemberCall("send") and
-          this = mc.getArgument(1) and
-          channel = mc.getArgument(0)
+    class ProcessSender extends Process {
+      ProcessSender() {
+        exists(IPCSendRegistration reg | reg.getEmitter() instanceof MainProcess |
+          this = reg.getABoundCallbackParameter(1, 0).getAPropertyRead("sender")
         )
       }
-
-      override Process getProcess() { result = callback.getProcess() }
-
-      override string getChannelName() { result = channel.getStringValue() }
     }
 
     /**
-     * A synchronous IPC reply sent from within an IPC callback.
+     * A registration of an Electron IPC event handler.
+     * Does mostly the same as an EventEmitter event handler,
+     * except that values can be returned through the `event.returnValue` property.
      */
-    class SyncReplyMessage extends Message {
-      Callback callback;
+    class IPCSendRegistration extends EventRegistration::DefaultEventRegistration,
+      DataFlow::MethodCallNode {
+      override Process emitter;
 
-      SyncReplyMessage() {
-        this = callback.getParameter(0).getAPropertyWrite("returnValue").getRhs()
-      }
+      IPCSendRegistration() { this = emitter.ref().getAMethodCall(EventEmitter::on()) }
 
-      override Process getProcess() { result = callback.getProcess() }
+      override DataFlow::Node getAReturnedValue() {
+        result = this.getABoundCallbackParameter(1, 0).getAPropertyWrite("returnValue").getRhs()
+      }
 
-      override string getChannelName() { result = callback.getChannelName() }
+      override IPCDispatch getAReturnDispatch() {
+        result.getCalleeName() = "sendSync"
+      }
     }
 
     /**
-     * An asynchronous Electron IPC message sent from the main process via a `webContents` object.
+     * A dispatch of an IPC event.
+     * An IPC event is sent from the renderer to the main process.
+     * And a value can be returned through the `returnValue` property of the event (first parameter in the callback).
      */
-    class WebContentsMessage extends Message {
-      DataFlow::Node channel;
-
-      WebContentsMessage() {
-        exists(WebContents wc, DataFlow::MethodCallNode mc |
-          wc.flowsTo(mc.getReceiver()) and
-          this = mc.getArgument(1) and
-          channel = mc.getArgument(0) and
-          mc.getCalleeName() = "send"
+    class IPCDispatch extends EventDispatch::DefaultEventDispatch, DataFlow::InvokeNode {
+      override Process emitter;
+
+      IPCDispatch() {
+        exists(string methodName | methodName = "sendSync" or methodName = "send" |
+          this = emitter.ref().getAMemberCall(methodName)
         )
       }
 
-      override Process getProcess() { result = Process::main() }
-
-      override string getChannelName() { result = channel.getStringValue() }
-    }
-
-    /**
-     * Holds if `pred` flows to `succ` via Electron IPC.
-     */
-    private predicate ipcFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-      // match a message sent from one process with a callback parameter in the other process
-      exists(Callback callback, Message msg |
-        callback.getChannelName() = msg.getChannelName() and
-        callback.getProcess() != msg.getProcess() and
-        pred = msg and
-        succ = callback.getMessage()
-      )
-      or
-      // match a synchronous reply sent from one process with a `sendSync` call in the other process
-      exists(SyncDirectMessage sendSync, SyncReplyMessage msg |
-        sendSync.getChannelName() = msg.getChannelName() and
-        sendSync.getProcess() != msg.getProcess() and
-        pred = msg and
-        succ = sendSync.getReply()
-      )
-    }
-
-    /**
-     * An additional flow step  via an Electron IPC message.
-     */
-    private class IPCAdditionalFlowStep extends DataFlow::AdditionalFlowStep {
-      IPCAdditionalFlowStep() { ipcFlowStep(this, _) }
+      /**
+       * Gets the `i`th dispatched argument to the event handler.
+       * The 0th parameter in the callback is a event generated by the IPC system,
+       * therefore these arguments start at 1.
+       */
+      override DataFlow::Node getSentItem(int i) {
+        i >= 1 and
+        result = getArgument(i)
+      }
 
-      override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-        pred = this and
-        ipcFlowStep(pred, succ)
+      /**
+       * Gets a registration that this dispatch can send an event to. 
+       */
+      override IPCSendRegistration getAReceiver() {
+        this.getEmitter() instanceof RendererProcess and
+        result.getEmitter() instanceof MainProcess
+        or
+        this.getEmitter() instanceof ProcessSender and
+        result.getEmitter() instanceof RendererProcess
       }
     }
   }