summarize exceptions thrown by immidiatly awaited function calls

Author: erik-krogh

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -1000,6 +1000,17 @@ private predicate flowThroughCall(
     not isLabeledBarrierEdge(cfg, ret, output, summary.getEndLabel()) and
     not cfg.isLabeledBarrier(output, summary.getEndLabel())
   )
+  or
+  // exception thrown inside an immidiatly awaited function call.
+  exists(DataFlow::FunctionNode f, DataFlow::Node invk, DataFlow::Node ret |
+    f.getFunction().isAsync()
+  |
+    (calls(invk, f.getFunction()) or callsBound(invk, f.getFunction(), _)) and
+    reachableFromInput(f.getFunction(), invk, input, ret, cfg, summary) and
+    output = invk.asExpr().getExceptionTarget() and
+    f.getExceptionalReturn() = getThrowTarget(ret) and
+    invk = getAwaitOperand(_)
+  )
 }
 
 /**

javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll

@@ -70,23 +70,34 @@ predicate localExceptionStep(DataFlow::Node pred, DataFlow::Node succ) {
  * The `async` flag is true if the successor
  */
 predicate localExceptionStepWithAsyncFlag(DataFlow::Node pred, DataFlow::Node succ, boolean async) {
-  exists(Expr expr |
-    expr = any(ThrowStmt throw).getExpr() and
-    pred = expr.flow()
-    or
-    DataFlow::exceptionalInvocationReturnNode(pred, expr)
-  |
+  exists(DataFlow::Node target | target = getThrowTarget(pred) |
     async = false and
-    succ = expr.getExceptionTarget() and
+    succ = target and
     not succ = any(DataFlow::FunctionNode f | f.getFunction().isAsync()).getExceptionalReturn()
     or
     async = true and
-    exists(DataFlow::FunctionNode f | f.getExceptionalReturn() = expr.getExceptionTarget() |
+    exists(DataFlow::FunctionNode f | f.getExceptionalReturn() = target |
       succ = f.getReturnNode() // returns a rejected promise - therefore using the ordinary return node.
     )
   )
 }
 
+/**
+ * Gets the dataflow-node that an exception thrown at `thrower` will flow to.
+ *
+ * The predicate that all functions are not async.
+ */
+DataFlow::Node getThrowTarget(DataFlow::Node thrower) {
+  exists(Expr expr |
+    expr = any(ThrowStmt throw).getExpr() and
+    thrower = expr.flow()
+    or
+    DataFlow::exceptionalInvocationReturnNode(thrower, expr)
+  |
+    result = expr.getExceptionTarget()
+  )
+}
+
 /**
  * Implements a set of data flow predicates that are used by multiple predicates and
  * hence should only be computed once.

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -52,6 +52,7 @@ typeInferenceMismatch
 | exceptions.js:21:17:21:24 | source() | exceptions.js:24:10:24:21 | e.toString() |
 | exceptions.js:21:17:21:24 | source() | exceptions.js:25:10:25:18 | e.message |
 | exceptions.js:21:17:21:24 | source() | exceptions.js:26:10:26:19 | e.fileName |
+| exceptions.js:59:24:59:31 | source() | exceptions.js:61:12:61:12 | e |
 | exceptions.js:88:6:88:13 | source() | exceptions.js:11:10:11:10 | e |
 | exceptions.js:88:6:88:13 | source() | exceptions.js:32:10:32:10 | e |
 | exceptions.js:88:6:88:13 | source() | exceptions.js:33:10:33:21 | e.toString() |

javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected

@@ -31,6 +31,7 @@
 | constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:17:8:17:14 | c.param |
 | constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:25:8:25:14 | d.param |
 | exceptions.js:3:15:3:22 | source() | exceptions.js:5:10:5:10 | e |
+| exceptions.js:59:24:59:31 | source() | exceptions.js:61:12:61:12 | e |
 | exceptions.js:88:6:88:13 | source() | exceptions.js:11:10:11:10 | e |
 | exceptions.js:93:11:93:18 | source() | exceptions.js:95:10:95:10 | e |
 | exceptions.js:100:13:100:20 | source() | exceptions.js:102:12:102:12 | e |