Merge pull request #975 from asger-semmle/global-closure-dataflow

semmle-qlci · web-flow · commit 86e646beb48a · 2019-02-26T13:57:39.000Z
Approved by esben-semmle
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll
@@ -47,6 +47,14 @@ class AnalyzedNode extends DataFlow::Node {
    */
   AnalyzedNode localFlowPred() { result = getAPredecessor() }
 
+  /**
+   * INTERNAL. Do not use.
+   *
+   * Gets another data flow node whose value flows into this node in a global step
+   * (this is, involving global variables).
+   */
+  AnalyzedNode globalFlowPred() { none() }
+
   /**
    * Gets an abstract value that this node may evaluate to at runtime.
    *
@@ -57,7 +65,9 @@ class AnalyzedNode extends DataFlow::Node {
    * instances is also performed.
    */
   cached
-  AbstractValue getAValue() { result = getALocalValue() }
+  AbstractValue getAValue() {
+    result = getALocalValue()
+  }
 
   /**
    * INTERNAL: Do not use.
@@ -68,7 +78,7 @@ class AnalyzedNode extends DataFlow::Node {
    * and global), IIFEs, ES6-style imports that can be resolved uniquely, and
    * the properties of CommonJS `module` and `exports` objects. No
    * tracking through the properties of object literals and function/class
-   * instances is performed.
+   * instances is performed, other than those accounted for by `globalFlowPred`.
    */
   cached
   AbstractValue getALocalValue() {
@@ -82,6 +92,9 @@ class AnalyzedNode extends DataFlow::Node {
     exists(DataFlow::Incompleteness cause |
       isIncomplete(cause) and result = TIndefiniteAbstractValue(cause)
     )
+    or
+    result = globalFlowPred().getALocalValue() and
+    shouldTrackGlobally(result)
   }
 
   /** Gets a type inferred for this node. */
@@ -282,3 +295,8 @@ private class AnalyzedAsyncFunction extends AnalyzedFunction {
 
   override AbstractValue getAReturnValue() { result = TAbstractOtherObject() }
 }
+
+/**
+ * Holds if the given value should be propagated along `globalFlowPred()` edges.
+ */
+private predicate shouldTrackGlobally(AbstractValue value) { value instanceof AbstractCallable }
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll
@@ -381,13 +381,11 @@ private class AnalyzedClosureGlobalAccessPath extends AnalyzedNode, AnalyzedProp
     accessPath = Closure::getClosureNamespaceFromSourceNode(this)
   }
 
-  override AnalyzedNode localFlowPred() {
+  override AnalyzedNode globalFlowPred() {
     exists(DataFlow::PropWrite write |
       Closure::getWrittenClosureNamespace(write) = accessPath and
       result = write.getRhs()
     )
-    or
-    result = AnalyzedNode.super.localFlowPred()
   }
 
   override predicate reads(AbstractValue base, string propName) {

Original file line number	Diff line number	Diff line change
`@@ -381,13 +381,11 @@ private class AnalyzedClosureGlobalAccessPath extends AnalyzedNode, AnalyzedProp`
`381`	`381`	`accessPath = Closure::getClosureNamespaceFromSourceNode(this)`
`382`	`382`	`}`
`383`	`383`
`384`		`- override AnalyzedNode localFlowPred() {`
	`384`	`+ override AnalyzedNode globalFlowPred() {`
`385`	`385`	`exists(DataFlow::PropWrite write \|`
`386`	`386`	`Closure::getWrittenClosureNamespace(write) = accessPath and`
`387`	`387`	`result = write.getRhs()`
`388`	`388`	`)`
`389`		`- or`
`390`		`- result = AnalyzedNode.super.localFlowPred()`
`391`	`389`	`}`
`392`	`390`
`393`	`391`	`override predicate reads(AbstractValue base, string propName) {`