Merge pull request #1452 from markshannon/merge-121

Merge rc/1.21 into master.

Author: Max Schaefer

javascript/ql/src/semmle/javascript/dataflow/internal/AccessPaths.qll

@@ -28,14 +28,17 @@ private newtype PropertyName =
   }
 
 /**
- * Gets the representation of the property name of `pacc`, if any.
+ * Gets an access to property `name` of access path `base` in basic block `bb`.
  */
-private PropertyName getPropertyName(PropAccess pacc) {
-  result = StaticPropertyName(pacc.getPropertyName())
-  or
-  exists(SsaVariable var |
-    pacc.getPropertyNameExpr() = var.getAUse() and
-    result = DynamicPropertyName(var)
+private PropAccess namedPropAccess(AccessPath base, PropertyName name, BasicBlock bb) {
+  result.getBase() = base.getAnInstanceIn(bb) and
+  (
+    name = StaticPropertyName(result.getPropertyName())
+    or
+    exists(SsaVariable var |
+      result.getPropertyNameExpr() = var.getAUse() and
+      name = DynamicPropertyName(var)
+    )
   )
 }
 
@@ -76,10 +79,7 @@ private newtype TAccessPath =
    * A property access on an access path.
    */
   MkAccessStep(AccessPath base, PropertyName name) {
-    exists(PropAccess pacc |
-      pacc.getBase() = base.getAnInstance() and
-      getPropertyName(pacc) = name
-    )
+    exists(namedPropAccess(base, name, _))
   }
 
 /**
@@ -108,24 +108,9 @@ class AccessPath extends TAccessPath {
       this_.getBasicBlock() = bb
     )
     or
-    exists(PropertyName name |
-      result = getABaseInstanceIn(bb, name) and
-      getPropertyName(result) = name
-    )
-  }
-
-  /**
-   * Gets a property access in `bb` whose base is represented by the
-   * base of this access path, and where `name` is bound to the last
-   * component of this access path.
-   *
-   * This is an auxiliary predicate that's needed to enforce a better
-   * join order in `getAnInstanceIn` above.
-   */
-  pragma[noinline]
-  private PropAccess getABaseInstanceIn(BasicBlock bb, PropertyName name) {
-    exists(AccessPath base | this = MkAccessStep(base, name) |
-      result.getBase() = base.getAnInstanceIn(bb)
+    exists(AccessPath base, PropertyName name |
+      this = MkAccessStep(base, name) and
+      result = namedPropAccess(base, name, bb)
     )
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -271,16 +271,19 @@ module ReflectedXss {
    * a content type that does not (case-insensitively) contain the string "html". This
    * is to prevent us from flagging plain-text or JSON responses as vulnerable.
    */
-  private class HttpResponseSink extends Sink {
-    HttpResponseSink() {
-      exists(HTTP::ResponseSendArgument sendarg | sendarg = asExpr() |
-        forall(HTTP::HeaderDefinition hd |
-          hd = sendarg.getRouteHandler().getAResponseHeader("content-type")
-        |
-          exists(string tp | hd.defines("content-type", tp) | tp.toLowerCase().matches("%html%"))
-        )
-      )
-    }
+  private class HttpResponseSink extends Sink, DataFlow::ValueNode {
+    override HTTP::ResponseSendArgument astNode;
+
+    HttpResponseSink() { not nonHtmlContentType(astNode.getRouteHandler()) }
+  }
+
+  /**
+   * Holds if `h` may send a response with a content type other than HTML.
+   */
+  private predicate nonHtmlContentType(HTTP::RouteHandler h) {
+    exists(HTTP::HeaderDefinition hd | hd = h.getAResponseHeader("content-type") |
+      not exists(string tp | hd.defines("content-type", tp) | tp.regexpMatch("(?i).*html.*"))
+    )
   }
 
   /**

python/ql/src/semmle/python/objects/Callables.qll

@@ -270,7 +270,10 @@ class BuiltinFunctionObjectInternal extends CallableObjectInternal, TBuiltinFunc
     }
 
     override predicate neverReturns() {
-        this = Module::named("sys").attr("exit")
+        exists(ModuleObjectInternal sys |
+            sys.getName() = "sys" and
+            sys.attribute("exit", this, _)
+        )
     }
 
     override predicate functionAndOffset(CallableObjectInternal function, int offset) {

python/ql/src/semmle/python/objects/Classes.qll

@@ -11,7 +11,7 @@ private import semmle.python.types.Builtins
 /** Class representing classes */
 abstract class ClassObjectInternal extends ObjectInternal {
 
-    string getName() {
+    override string getName() {
         result = this.getClassDeclaration().getName()
     }
 

python/ql/src/semmle/python/objects/Constants.qll

@@ -67,6 +67,8 @@ abstract class ConstantObjectInternal extends ObjectInternal {
         this = instance
     }
 
+    override string getName() { none() }
+
 }
 
 private abstract class BooleanObjectInternal extends ConstantObjectInternal {

python/ql/src/semmle/python/objects/Descriptors.qll

@@ -11,7 +11,7 @@ private import semmle.python.types.Builtins
 class PropertyInternal extends ObjectInternal, TProperty {
 
     /** Gets the name of this property */
-    string getName() {
+    override string getName() {
         result = this.getGetter().getName()
     }
 
@@ -172,6 +172,10 @@ class ClassMethodObjectInternal extends ObjectInternal, TClassMethod {
 
     override int length() { none() }
 
+    override string getName() {
+        result = this.getFunction().getName()
+    }
+
 }
 
 class StaticMethodObjectInternal extends ObjectInternal, TStaticMethod {
@@ -239,4 +243,8 @@ class StaticMethodObjectInternal extends ObjectInternal, TStaticMethod {
 
     override int length() { none() }
 
+    override string getName() {
+        result = this.getFunction().getName()
+    }
+
 }

python/ql/src/semmle/python/objects/Instances.qll

@@ -49,6 +49,8 @@ abstract class InstanceObject extends ObjectInternal {
     /** Holds if `init` in the context `callee` is the initializer of this instance */
     abstract predicate initializer(PythonFunctionObjectInternal init, Context callee);
 
+    override string getName() { none() }
+
 }
 
 private predicate self_variable_reaching_init_exit(EssaVariable self) {
@@ -362,6 +364,8 @@ class UnknownInstanceInternal extends TUnknownInstance, ObjectInternal {
         result = lengthFromClass(this.getClass())
     }
 
+    override string getName() { none() }
+
 }
 
 private int lengthFromClass(ClassObjectInternal cls) {
@@ -461,5 +465,7 @@ class SuperInstance extends TSuperInstance, ObjectInternal {
         none()
     }
 
+    override string getName() { none() }
+
 }
 

python/ql/src/semmle/python/objects/Modules.qll

@@ -10,9 +10,6 @@ private import semmle.python.types.Builtins
 /** A class representing modules */
 abstract class ModuleObjectInternal extends ObjectInternal {
 
-    /** Gets the name of this module */
-    abstract string getName();
-
     /** Gets the source scope of this module, if it has one. */
     abstract Module getSourceModule();
 
@@ -408,5 +405,8 @@ class AbsentModuleAttributeObjectInternal extends ObjectInternal, TAbsentModuleA
         any()
     }
 
+    /* We know what this is called, but not its innate name */
+    override string getName() { none() }
+
 }