Merge pull request #932 from asger-semmle/cookbook-prepare

Approved by xiemaisi

Author: semmle-qlci

javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql

@@ -19,7 +19,7 @@ class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "IncompleteHostnameRegExpTracking" }
 
   override predicate isSource(DataFlow::Node source) {
-    isIncompleteHostNameRegExpPattern(source.asExpr().getStringValue(), _)
+    isIncompleteHostNameRegExpPattern(source.getStringValue(), _)
   }
 
   override predicate isSink(DataFlow::Node sink) { isInterpretedAsRegExp(sink) }

javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql

@@ -76,7 +76,7 @@ predicate isDerivedFromLength(DataFlow::Node length, DataFlow::Node operand) {
   exists(IndexOfCall call | operand = call.getAnOperand() |
     length = getStringSource(operand).getAPropertyRead("length")
     or
-    exists(string val | val = operand.asExpr().getStringValue() |
+    exists(string val | val = operand.getStringValue() |
       // Find a literal length with the same string constant
       exists(LiteralLengthExpr lengthExpr |
         lengthExpr.getContainer() = call.getContainer() and

javascript/ql/src/Security/CWE-116/DoubleEscaping.ql

@@ -83,7 +83,7 @@ class Replacement extends DataFlow::Node {
     exists(DataFlow::MethodCallNode mcn |
       mcn = this and
       input = getStringValue(pattern) and
-      output = mcn.getArgument(1).asExpr().getStringValue()
+      output = mcn.getArgument(1).getStringValue()
     )
   }
 

javascript/ql/src/semmle/javascript/DOM.qll

@@ -111,7 +111,7 @@ module DOM {
     /**
      * Gets the value of this attribute, if it can be determined.
      */
-    string getStringValue() { result = getValueNode().asExpr().getStringValue() }
+    string getStringValue() { result = getValueNode().getStringValue() }
 
     /**
      * Gets the DOM element this attribute belongs to.

javascript/ql/src/semmle/javascript/StringConcatenation.qll

@@ -104,6 +104,6 @@ module StringConcatenation {
    */
   predicate isCoercion(DataFlow::Node node) {
     getNumOperand(node) = 2 and
-    getOperand(node, _).asExpr().getStringValue() = ""
+    getOperand(node, _).getStringValue() = ""
   }
 }

javascript/ql/src/semmle/javascript/StringOps.qll

@@ -141,7 +141,7 @@ module StringOps {
       (
         substring.getALocalSource().getAPropertyRead("length").flowsTo(call.getArgument(1))
         or
-        substring.asExpr().getStringValue().length() = call.getArgument(1).asExpr().getIntValue()
+        substring.getStringValue().length() = call.getArgument(1).asExpr().getIntValue()
       )
     }
 

javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll

@@ -97,14 +97,23 @@ module DataFlow {
      */
     predicate accessesGlobal(string g) { globalVarRef(g).flowsTo(this) }
 
-    /** Holds if this node may evaluate to the string `s`. */
+    /** Holds if this node may evaluate to the string `s`, possibly through local data flow. */
     predicate mayHaveStringValue(string s) { getAPredecessor().mayHaveStringValue(s) }
 
+    /** Gets the string value of this node, if it is a string literal or constant string concatenation. */
+    string getStringValue() { result = asExpr().getStringValue() }
+
     /** Holds if this node may evaluate to the Boolean value `b`. */
     predicate mayHaveBooleanValue(boolean b) {
       b = analyze().getAValue().(AbstractBoolean).getBooleanValue()
     }
 
+    /** Gets the integer value of this node, if it is an integer constant. */
+    int getIntValue() { result = asExpr().getIntValue() }
+
+    /** Gets a function value that may reach this node. */
+    FunctionNode getAFunctionValue() { result.getAstNode() = analyze().getAValue().(AbstractCallable).getFunction() }
+
     /**
      * Holds if this expression may refer to the initial value of parameter `p`.
      */

javascript/ql/src/semmle/javascript/frameworks/CryptoLibraries.qll

@@ -278,7 +278,7 @@ private module BrowserIdCrypto {
         mod = DataFlow::moduleImport("browserid-crypto") and
         keygen = mod.getAMemberCall("generateKeypair") and
         algorithmNameNode = keygen.getOptionArgument(0, "algorithm") and
-        algorithm.matchesName(algorithmNameNode.asExpr().getStringValue()) and
+        algorithm.matchesName(algorithmNameNode.getStringValue()) and
         callback = keygen.getCallback(1) and
         this = mod.getAMemberCall("sign").asExpr()
       )
@@ -321,7 +321,7 @@ private module NodeJSCrypto {
       |
         mod = DataFlow::moduleImport("crypto") and
         this = mod.getAMemberCall("create" + createSuffix) and
-        algorithm.matchesName(getArgument(0).asExpr().getStringValue())
+        algorithm.matchesName(getArgument(0).getStringValue())
       )
     }
 

javascript/ql/src/semmle/javascript/security/dataflow/UrlConcatenation.qll

@@ -13,7 +13,7 @@ import javascript
  * Specifically, this holds if the string contains `?` or `#`.
  */
 private predicate hasSanitizingSubstring(DataFlow::Node nd) {
-  nd.asExpr().getStringValue().regexpMatch(".*[?#].*")
+  nd.getStringValue().regexpMatch(".*[?#].*")
   or
   hasSanitizingSubstring(StringConcatenation::getAnOperand(nd))
   or
@@ -48,7 +48,7 @@ predicate sanitizingPrefixEdge(DataFlow::Node source, DataFlow::Node sink) {
  * the `//` separating the (optional) scheme from the hostname.
  */
 private predicate hasHostnameSanitizingSubstring(DataFlow::Node nd) {
-  nd.asExpr().getStringValue().regexpMatch(".*([?#]|[^?#:/\\\\][/\\\\]).*")
+  nd.getStringValue().regexpMatch(".*([?#]|[^?#:/\\\\][/\\\\]).*")
   or
   hasHostnameSanitizingSubstring(StringConcatenation::getAnOperand(nd))
   or

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -67,7 +67,7 @@ module DomBasedXss {
         // _may_ be interpreted as HTML
         not exists(DataFlow::Node prefix, string strval |
           isPrefixOfJQueryHtmlString(astNode, prefix) and
-          strval = prefix.asExpr().getStringValue() and
+          strval = prefix.getStringValue() and
           not strval.regexpMatch("\\s*<.*")
         ) and
         not isDocumentURL(astNode)