JavaScript: Fix uses of TypeTracker with custom flow steps.

Max Schaefer · Max Schaefer · commit c097031c7e8b · 2019-03-28T10:33:04.000Z
These steps need to check that the type hasn't been tracked into a property.
diff --git a/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll b/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll
@@ -51,6 +51,7 @@ module SocketIO {
         // exclude getter versions
         exists(mcn.getAnArgument()) and
         result = mcn and
+        t2.getProp() = "" and
         t = t2
       )
     )
@@ -110,6 +111,7 @@ module SocketIO {
       or
       // invocation of a chainable method
       result = pred.getAMethodCall(namespaceChainableMethod()) and
+      t2.getProp() = "" and
       t = t2
       or
       // invocation of chainable getter method
@@ -119,6 +121,7 @@ module SocketIO {
         m = "volatile"
       |
         result = pred.getAPropertyRead(m) and
+        t2.getProp() = "" and
         t = t2
       )
     )
@@ -171,6 +174,7 @@ module SocketIO {
         m = EventEmitter::chainableMethod()
       |
         result = pred.getAMethodCall(m) and
+        t2.getProp() = "" and
         t = t2
       )
       or
@@ -182,6 +186,7 @@ module SocketIO {
         m = "volatile"
       |
         result = pred.getAPropertyRead(m) and
+        t2.getProp() = "" and
         t = t2
       )
     )
diff --git a/javascript/ql/test/library-tests/frameworks/SocketIO/tests.expected b/javascript/ql/test/library-tests/frameworks/SocketIO/tests.expected
@@ -149,6 +149,7 @@ test_ServerNode
 | tst.js:15:1:15:15 | io.attach(http) | tst.js:1:12:1:33 | socket.io server |
 | tst.js:16:1:16:15 | io.bind(engine) | tst.js:1:12:1:33 | socket.io server |
 | tst.js:17:1:17:23 | io.onco ... socket) | tst.js:1:12:1:33 | socket.io server |
+| tst.js:79:1:79:10 | obj.server | tst.js:1:12:1:33 | socket.io server |
 test_ClientSendNode_getAReceiver
 | client2.js:14:1:14:32 | sock.em ... there") | tst.js:72:3:72:43 | socket. ...  => {}) |
 | client2.js:16:1:16:36 | sock.wr ...  => {}) | tst.js:70:3:70:35 | socket. ...  => {}) |
diff --git a/javascript/ql/test/library-tests/frameworks/SocketIO/tst.js b/javascript/ql/test/library-tests/frameworks/SocketIO/tst.js
@@ -71,3 +71,11 @@ ns.on('connection', (socket) => {
   socket.once('message', (data1, data2) => {});
   socket.addListener(eventName(), () => {});
 });
+
+var obj = {
+  server: io,
+  serveClient: function() { return null; }
+};
+obj.server;                    // SocketIO::ServerNode
+obj.serveClient(false);        // not a SocketIO::ServerNode
+obj.serveClient(false).server; // not a SocketIO::ServerNode

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,7 @@ module SocketIO {`
`51`	`51`	`// exclude getter versions`
`52`	`52`	`exists(mcn.getAnArgument()) and`
`53`	`53`	`result = mcn and`
	`54`	`+ t2.getProp() = "" and`
`54`	`55`	`t = t2`
`55`	`56`	`)`
`56`	`57`	`)`
`@@ -110,6 +111,7 @@ module SocketIO {`
`110`	`111`	`or`
`111`	`112`	`// invocation of a chainable method`
`112`	`113`	`result = pred.getAMethodCall(namespaceChainableMethod()) and`
	`114`	`+ t2.getProp() = "" and`
`113`	`115`	`t = t2`
`114`	`116`	`or`
`115`	`117`	`// invocation of chainable getter method`
`@@ -119,6 +121,7 @@ module SocketIO {`
`119`	`121`	`m = "volatile"`
`120`	`122`	`\|`
`121`	`123`	`result = pred.getAPropertyRead(m) and`
	`124`	`+ t2.getProp() = "" and`
`122`	`125`	`t = t2`
`123`	`126`	`)`
`124`	`127`	`)`
`@@ -171,6 +174,7 @@ module SocketIO {`
`171`	`174`	`m = EventEmitter::chainableMethod()`
`172`	`175`	`\|`
`173`	`176`	`result = pred.getAMethodCall(m) and`
	`177`	`+ t2.getProp() = "" and`
`174`	`178`	`t = t2`
`175`	`179`	`)`
`176`	`180`	`or`
`@@ -182,6 +186,7 @@ module SocketIO {`
`182`	`186`	`m = "volatile"`
`183`	`187`	`\|`
`184`	`188`	`result = pred.getAPropertyRead(m) and`
	`189`	`+ t2.getProp() = "" and`
`185`	`190`	`t = t2`
`186`	`191`	`)`
`187`	`192`	`)`