Merge branch 'master' into ts-typescript2.9

Author: Max Schaefer

change-notes/1.18/analysis-javascript.md

@@ -98,7 +98,8 @@
 
 ## Changes to QL libraries
 
+* HTTP and HTTPS requests made using the Node.js `http.request` and `https.request` APIs and the Electron `Electron.net.request` and `Electron.ClientRequest` APIs are modeled as `RemoteFlowSources`.
 * HTTP header names are now always normalized to lower case to reflect the fact that they are case insensitive. In particular, the result of `HeaderDefinition.getAHeaderName`, and the first parameter of `HeaderDefinition.defines`, `ExplicitHeaderDefinition.definesExplicitly` and `RouteHandler.getAResponseHeader` is now always a lower-case string.
+* New AST nodes for TypeScript 2.9 features have been added.
 * The class `JsonParseCall` has been deprecated. Use `JsonParserCall` instead.
 * The handling of spread arguments in the data flow library has been changed: `DataFlow::InvokeNode.getArgument(i)` is now only defined when there is no spread argument at or before argument position `i`, and similarly `InvokeNode.getNumArgument` is only defined for invocations without spread arguments.
-* New AST nodes for TypeScript 2.9 features have been added.

csharp/ql/test/library-tests/controlflow/graph/ElementGraph.ql

@@ -1,8 +1,3 @@
-/**
- * @kind graph
- * @id elementgraph
- */
-
 import csharp
 import semmle.code.csharp.controlflow.ControlFlowGraph
 

csharp/ql/test/library-tests/controlflow/graph/NodeGraph.ql

@@ -1,8 +1,3 @@
-/**
- * @kind graph
- * @id nodegraph
- */
-
 import csharp
 import semmle.code.csharp.controlflow.ControlFlowGraph
 

csharp/ql/test/library-tests/csharp7/IsFlow.ql

@@ -1,8 +1,3 @@
-/**
- * @kind graph
- * @id nodegraph
- */
-
 import csharp
 import semmle.code.csharp.controlflow.ControlFlowGraph
 

csharp/ql/test/library-tests/goto/Goto1.ql

@@ -1,8 +1,3 @@
-/**
- * @kind graph
- * @id nodegraph
- */
-
 import csharp
 import semmle.code.csharp.controlflow.ControlFlowGraph
 

javascript/ql/src/semmle/javascript/frameworks/Electron.qll

@@ -33,4 +33,54 @@ module Electron {
       this = DataFlow::moduleMember("electron", "BrowserView").getAnInstantiation()
     }
   }
+  
+  /**
+   * A Node.js-style HTTP or HTTPS request made using an Electron module.
+   */
+  abstract class ClientRequest extends NodeJSLib::ClientRequest {}
+  
+  /**
+   * A Node.js-style HTTP or HTTPS request made using `electron.net`, for example `net.request(url)`.
+   */
+  private class NetRequest extends ClientRequest {
+    NetRequest() {
+      this = DataFlow::moduleMember("electron", "net").getAMemberCall("request")
+    }
+    
+    override DataFlow::Node getOptions() {
+      result = this.(DataFlow::MethodCallNode).getArgument(0)
+    }
+  }
+  
+  
+  /**
+   * A Node.js-style HTTP or HTTPS request made using `electron.client`, for example `new client(url)`.
+   */
+  private class NewClientRequest extends ClientRequest {
+    NewClientRequest() {
+      this = DataFlow::moduleMember("electron", "ClientRequest").getAnInstantiation()
+    }
+    
+    override DataFlow::Node getOptions() {
+      result = this.(DataFlow::NewNode).getArgument(0)
+    }
+  }
+  
+    
+  /**
+   * A data flow node that is the parameter of a redirect callback for an HTTP or HTTPS request made by a Node.js process, for example `res` in `net.request(url).on('redirect', (res) => {})`.
+   */
+  private class ClientRequestRedirectEvent extends RemoteFlowSource {
+    ClientRequestRedirectEvent() {
+      exists(NodeJSLib::ClientRequestHandler handler |
+        this = handler.getParameter(0) and
+        handler.getAHandledEvent() = "redirect" and
+        handler.getClientRequest() instanceof ClientRequest
+      )
+    }
+    
+    override string getSourceType() {
+      result = "Electron ClientRequest redirect event"
+    }
+  }
 }

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -501,4 +501,231 @@ module NodeJSLib {
     }
   }
 
+  /**
+   * A data flow node that is an HTTP or HTTPS client request made by a Node.js server, for example `http.request(url)`.
+   */
+  abstract class ClientRequest extends DataFlow::DefaultSourceNode {
+    /**
+     * Gets the options object or string URL used to make the request.
+     */
+    abstract DataFlow::Node getOptions();
+  }
+  
+  /**
+   * A data flow node that is an HTTP or HTTPS client request made by a Node.js server, for example `http.request(url)`.
+   */
+  private class HttpRequest extends ClientRequest {
+    HttpRequest() {
+      exists(string protocol |
+        (
+          protocol = "http" or
+          protocol = "https"
+        )
+        and
+        this = DataFlow::moduleImport(protocol).getAMemberCall("request")
+      )
+    }
+    
+    override DataFlow::Node getOptions() {
+      result = this.(DataFlow::MethodCallNode).getArgument(0)
+    }
+  }
+  
+  /**
+   * A data flow node that is an HTTP or HTTPS client request made by a Node.js process, for example `https.get(url)`.
+   */
+  private class HttpGet extends ClientRequest {
+    HttpGet() {
+      exists(string protocol |
+        (
+          protocol = "http" or
+          protocol = "https"
+        )
+        and
+        this = DataFlow::moduleImport(protocol).getAMemberCall("get")
+      )
+    }
+    
+    override DataFlow::Node getOptions() {
+      result = this.(DataFlow::MethodCallNode).getArgument(0)
+    }
+  }
+  
+  /**
+   * A data flow node that is the parameter of a result callback for an HTTP or HTTPS request made by a Node.js process, for example `res` in `https.request(url, (res) => {})`.
+   */
+  private class ClientRequestCallbackParam extends DataFlow::ParameterNode, RemoteFlowSource {
+    ClientRequestCallbackParam() {
+      exists(ClientRequest req |
+        this = req.(DataFlow::MethodCallNode).getCallback(1).getParameter(0)
+      )
+    }
+    
+    override string getSourceType() {
+      result = "ClientRequest callback parameter"
+    }
+  }
+  
+  /**
+   * A data flow node that is the parameter of a data callback for an HTTP or HTTPS request made by a Node.js process, for example `body` in `http.request(url, (res) => {res.on('data', (body) => {})})`.
+   */
+  private class ClientRequestCallbackData extends RemoteFlowSource {
+    ClientRequestCallbackData() {
+      exists(ClientRequestCallbackParam rcp, DataFlow::MethodCallNode mcn |
+        rcp.getAMethodCall("on") = mcn and
+        mcn.getArgument(0).mayHaveStringValue("data") and
+        this = mcn.getCallback(1).getParameter(0)
+      )
+    }
+    
+    override string getSourceType() {
+      result = "http.request data parameter"
+    }
+  }
+  
+  
+  /**
+   * A data flow node that is registered as a callback for an HTTP or HTTPS request made by a Node.js process, for example the function `handler` in `http.request(url).on(message, handler)`.
+   */
+  class ClientRequestHandler extends DataFlow::FunctionNode {
+    string handledEvent;
+    ClientRequest clientRequest;
+    
+    ClientRequestHandler() {
+      exists(DataFlow::MethodCallNode mcn |
+        clientRequest.getAMethodCall("on") = mcn and
+        mcn.getArgument(0).mayHaveStringValue(handledEvent) and
+        flowsTo(mcn.getArgument(1))
+      )
+    }
+    
+    /**
+     * Gets the name of an event this callback is registered for.
+     */
+    string getAHandledEvent() {
+      result = handledEvent
+    }
+    
+    /**
+     * Gets a request this callback is registered for.
+     */
+    ClientRequest getClientRequest() {
+      result = clientRequest
+    }
+  }
+  
+  /**
+   * A data flow node that is the parameter of a response callback for an HTTP or HTTPS request made by a Node.js process, for example `res` in `http.request(url).on('response', (res) => {})`.
+   */
+  private class ClientRequestResponseEvent extends RemoteFlowSource, DataFlow::ParameterNode {
+    ClientRequestResponseEvent() {
+      exists(ClientRequestHandler handler |
+        this = handler.getParameter(0) and
+        handler.getAHandledEvent() = "response"
+      )
+    }
+    
+    override string getSourceType() {
+      result = "ClientRequest response event"
+    }
+  }
+  
+  /**
+   * A data flow node that is the parameter of a data callback for an HTTP or HTTPS request made by a Node.js process, for example `chunk` in `http.request(url).on('response', (res) => {res.on('data', (chunk) => {})})`.
+   */
+  private class ClientRequestDataEvent extends RemoteFlowSource {
+    ClientRequestDataEvent() {
+      exists(DataFlow::MethodCallNode mcn, ClientRequestResponseEvent cr |
+        cr.getAMethodCall("on") = mcn and
+        mcn.getArgument(0).mayHaveStringValue("data") and
+        this = mcn.getCallback(1).getParameter(0)
+      )
+    }
+    
+    override string getSourceType() {
+      result = "ClientRequest data event"
+    }
+  }
+  
+  /**
+   * A data flow node that is a login callback for an HTTP or HTTPS request made by a Node.js process.
+   */
+  private class ClientRequestLoginHandler extends ClientRequestHandler {
+    ClientRequestLoginHandler() {
+      getAHandledEvent() = "login"
+    }
+  }
+  
+  /**
+   * A data flow node that is a parameter of a login callback for an HTTP or HTTPS request made by a Node.js process, for example `res` in `http.request(url).on('login', (res, callback) => {})`.
+   */
+  private class ClientRequestLoginEvent extends RemoteFlowSource {
+    ClientRequestLoginEvent() {
+      exists(ClientRequestLoginHandler handler |
+        this = handler.getParameter(0)
+      )
+    }
+    
+    override string getSourceType() {
+      result = "ClientRequest login event"
+    }
+  }
+  
+  /**
+   * A data flow node that is the login callback provided by an HTTP or HTTPS request made by a Node.js process, for example `callback` in `http.request(url).on('login', (res, callback) => {})`.
+   */
+  class ClientRequestLoginCallback extends DataFlow::ParameterNode {
+    ClientRequestLoginCallback() {
+      exists(ClientRequestLoginHandler handler |
+        this = handler.getParameter(1)
+      )
+    }
+  }
+  
+  /**
+   * A data flow node that is the username passed to the login callback provided by an HTTP or HTTPS request made by a Node.js process, for example `username` in `http.request(url).on('login', (res, cb) => {cb(username, password)})`.
+   */
+  private class ClientRequestLoginUsername extends CredentialsExpr {
+    ClientRequestLoginUsername() {
+      exists(ClientRequestLoginCallback callback |
+        this = callback.getACall().getArgument(0).asExpr()
+      )
+    }
+    
+    override string getCredentialsKind() {
+      result = "Node.js http(s) client login username"
+    }
+  }
+  
+  /**
+   * A data flow node that is the password passed to the login callback provided by an HTTP or HTTPS request made by a Node.js process, for example `password` in `http.request(url).on('login', (res, cb) => {cb(username, password)})`. 
+   */
+  private class ClientRequestLoginPassword extends CredentialsExpr {
+    ClientRequestLoginPassword() {
+      exists(ClientRequestLoginCallback callback |
+        this = callback.getACall().getArgument(1).asExpr()
+      )
+    }
+    
+    override string getCredentialsKind() {
+      result = "Node.js http(s) client login password"
+    }
+  }
+
+  
+  /**
+   * A data flow node that is the parameter of an error callback for an HTTP or HTTPS request made by a Node.js process, for example `err` in `http.request(url).on('error', (err) => {})`.
+   */
+  private class ClientRequestErrorEvent extends RemoteFlowSource {
+    ClientRequestErrorEvent() {
+      exists(ClientRequestHandler handler |
+        this = handler.getParameter(0) and
+        handler.getAHandledEvent() = "error"
+      )
+    }
+    
+    override string getSourceType() {
+      result = "ClientRequest error event"
+    }
+  }
 }

javascript/ql/test/library-tests/frameworks/Electron/ClientRequest.expected

@@ -0,0 +1,2 @@
+| electron.js:7:5:7:38 | net.req ... e.com') |
+| electron.js:8:16:8:78 | new Cli ... POST'}) |

javascript/ql/test/library-tests/frameworks/Electron/ClientRequest.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from NodeJSLib::ClientRequest cr
+select cr

javascript/ql/test/library-tests/frameworks/Electron/RemoteFlowSources.expected

@@ -0,0 +1,5 @@
+| electron.js:10:26:10:33 | response |
+| electron.js:11:28:11:32 | chunk |
+| electron.js:16:26:16:33 | redirect |
+| electron.js:21:23:21:30 | authInfo |
+| electron.js:26:23:26:27 | error |