Merge pull request #828 from esben-semmle/js/vue-support-1

JS: basic Vue support

Author: Max Schaefer

change-notes/1.20/analysis-javascript.md

@@ -3,7 +3,7 @@
 ## General improvements
 
 * Support for popular libraries has been improved. Consequently, queries may produce better results on code bases that use the following features:
-  - client-side code, for example [React](https://reactjs.org/)
+  - client-side code, for example [React](https://reactjs.org/) and [Vue](https://vuejs.org/)
   - cookies and webstorage, for example [js-cookie](https://github.com/js-cookie/js-cookie)
   - server-side code, for example [hapi](https://hapijs.com/)
   - asynchronous code, for example [a-sync-waterfall](https://www.npmjs.com/package/a-sync-waterfall)
@@ -17,6 +17,7 @@
 
 | **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
 |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Arrow method on Vue instance (`js/vue/arrow-method-on-vue-instance`) | reliability, frameworks/vue | Highlights arrow functions that are used as methods on Vue instances. Results are shown on LGTM by default.|
 | Cross-window communication with unrestricted target origin (`js/cross-window-information-leak`) | security, external/cwe/201, external/cwe/359 | Highlights code that sends potentially sensitive information to another window without restricting the receiver window's origin, indicating a possible violation of [CWE-201](https://cwe.mitre.org/data/definitions/201.html). Results are shown on LGTM by default. |
 | Double escaping or unescaping (`js/double-escaping`) | correctness, security, external/cwe/cwe-116 | Highlights potential double escaping or unescaping of special characters, indicating a possible violation of [CWE-116](https://cwe.mitre.org/data/definitions/116.html). Results are shown on LGTM by default. |
 | Incomplete regular expression for hostnames (`js/incomplete-hostname-regexp`) | correctness, security, external/cwe/cwe-020 |  Highlights hostname sanitizers that are likely to be incomplete, indicating a violation of [CWE-020](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default.|

javascript/config/suites/javascript/frameworks-more

@@ -23,3 +23,4 @@
 + semmlecode-javascript-queries/React/UnusedOrUndefinedStateProperty.ql: /Frameworks/React
 + semmlecode-javascript-queries/Electron/DisablingWebSecurity.ql: /Frameworks/Electron
 + semmlecode-javascript-queries/Electron/AllowRunningInsecureContent.ql: /Frameworks/Electron
++ semmlecode-javascript-queries/Vue/ArrowMethodOnVueInstance.ql: /Frameworks/Vue

javascript/ql/src/Vue/ArrowMethodOnVueInstance.qhelp

@@ -0,0 +1,49 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+	<p>
+
+		The Vue framework invokes the methods of a Vue instance with
+		the instance as the receiver.  It is however impossible to perform
+		this binding of instance and receiver for arrow functions, so the
+		<code>this</code> variable in an arrow function on a Vue instance may
+		not have the value that the programmer expects.
+
+	</p>
+</overview>
+
+<recommendation>
+	<p>
+		Ensure that the methods on a Vue instance can have their receiver bound to the instance.
+	</p>
+</recommendation>
+
+<example>
+
+	<p>
+
+		The following example shows two similar Vue instances, the only
+		difference is how the <code>created</code> life cycle hook
+		callback is defined.
+
+		The first Vue instance uses an arrow function as the callback.
+		This means that the <code>this</code> variable will have the global
+		object as its value, causing <code>this.myProperty</code> to evaluate
+		to <code>undefined</code>, which may not be intended.
+
+		Instead, the second Vue instance uses an ordinary function as the callback,
+		causing <code>this.myProperty</code> to evaluate to <code>42</code>.
+
+	</p>
+
+	<sample src="examples/ArrowMethodOnVueInstance.js"/>
+
+</example>
+
+<references>
+	<li>Vue documentation: <a href="https://vuejs.org/v2/guide/instance.html">The Vue Instance</a></li>
+</references>
+</qhelp>

javascript/ql/src/Vue/ArrowMethodOnVueInstance.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Arrow method on Vue instance
+ * @description An arrow method on a Vue instance doesn't have its `this` variable bound to the Vue instance.
+ * @kind problem
+ * @problem.severity warning
+ * @id js/vue/arrow-method-on-vue-instance
+ * @tags reliability
+ *       frameworks/vue
+ * @precision high
+ */
+
+import javascript
+
+from Vue::Instance instance, DataFlow::Node def, DataFlow::FunctionNode arrow, ThisExpr dis
+where instance.getABoundFunction() = def and
+      arrow.flowsTo(def) and
+      arrow.asExpr() instanceof ArrowFunctionExpr and
+      arrow.asExpr() = dis.getEnclosingFunction()
+select def, "The $@ of this $@ it will not be bound to the Vue instance.", dis, "`this` variable", arrow, "arrow function"

javascript/ql/src/Vue/examples/ArrowMethodOnVueInstance.js

@@ -0,0 +1,19 @@
+new Vue({
+  data: {
+    myProperty: 42
+  },
+  created: () => {
+    // BAD: prints: "myProperty is: undefined"
+    console.log('myProperty is: ' + this.myProperty);
+  }
+});
+
+new Vue({
+  data: {
+    myProperty: 42
+  },
+  created: function () {
+    // GOOD: prints: "myProperty is: 1"
+    console.log('myProperty is: ' + this.myProperty);
+  }
+});

javascript/ql/src/javascript.qll

@@ -78,6 +78,7 @@ import semmle.javascript.frameworks.Request
 import semmle.javascript.frameworks.SQL
 import semmle.javascript.frameworks.StringFormatters
 import semmle.javascript.frameworks.UriLibraries
+import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.XmlParsers
 import semmle.javascript.frameworks.xUnit
 import semmle.javascript.linters.ESLint

javascript/ql/src/semmle/javascript/HTML.qll

@@ -159,6 +159,40 @@ module HTML {
      * if it can be determined.
      */
     Script resolveSource() { result.getFile().getAbsolutePath() = resolveSourcePath() }
+
+    /**
+     * Gets the inline script of this script element, if any.
+     */
+    private InlineScript getInlineScript() {
+      exists(string f, Location l1, int sl1, int sc1, int el1, int ec1, Location l2, int sl2, int sc2, int el2, int ec2 |
+        l1 = getLocation() and
+        l2 = result.getLocation() and
+        l1.hasLocationInfo(f, sl1, sc1, el1, ec1) and
+        l2.hasLocationInfo(f, sl2, sc2, el2, ec2)
+        |
+        (
+          sl1 = sl2 and sc1 < sc2
+          or
+          sl1 < sl2
+        ) and
+        (
+          el1 = el2 and ec1 > ec2
+          or
+          el1 > el2
+        )
+      ) and
+      // the src attribute has precedence
+      not exists(getSourcePath())
+    }
+
+    /**
+     * Gets the script of this element, if it can be determined.
+     */
+    Script getScript() {
+      result = getInlineScript() or
+      result = resolveSource()
+    }
+
   }
 
   /**