add support for Immutable Record

erik-krogh · erik-krogh · commit c0de6a3af250 · 2021-02-04T12:05:44.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll b/javascript/ql/src/semmle/javascript/frameworks/Immutable.qll
@@ -32,11 +32,15 @@ private module Immutable {
 
   /**
    * An instance of any immutable collection.
+   *
+   * This predicate keeps track of which values in the program are Immutable collections.
    */
   API::Node immutableCollection() {
-    // keep this list in sync with the constructors defined in `storeStep`.
+    // keep this predicate in sync with the constructors defined in `storeStep`.
     result = immutableImport().getMember(["Map", "OrderedMap", "List", "fromJS"]).getReturn()
     or
+    result = immutableImport().getMember("Record").getReturn().getReturn()
+    or
     result = immutableCollection().getMember(["set", "map", "filter", "push"]).getReturn()
   }
 
@@ -77,6 +81,15 @@ private module Immutable {
       result = call and
       prop = DataFlow::PseudoProperties::arrayElement()
     )
+    or
+    // Immutable.Record({defaults})({values}).
+    exists(API::CallNode factoryCall, API::CallNode recordCall |
+      factoryCall = immutableImport().getMember("Record").getACall() and
+      recordCall = factoryCall.getReturn().getACall()
+    |
+      pred = [factoryCall, recordCall].getOptionArgument(0, prop) and
+      result = recordCall
+    )
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js b/javascript/ql/test/library-tests/frameworks/Immutable/immutable.js
@@ -1,7 +1,7 @@
 var obj = { a: source("a"), b: source("b1") };
 sink(obj["a"]); // NOT OK
 
-const { Map, fromJS, List, OrderedMap } = require('immutable');
+const { Map, fromJS, List, OrderedMap, Record } = require('immutable');
 
 const map1 = Map(obj);
 
@@ -34,4 +34,9 @@ List(["safe"]).push(source()).forEach(x => sink(x)); // NOT OK
 
 
 const map4 = OrderedMap({}).set("f", source());
-sink(map4.get("f")); // NOT OK
+sink(map4.get("f")); // NOT OK
+
+const map5 = Record({a: source(), b: null, c: null})({b: source()});
+sink(map5.get("a")); // NOT OK
+sink(map5.get("b")); // NOT OK
+sink(map5.get("c")); // OK
diff --git a/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected b/javascript/ql/test/library-tests/frameworks/Immutable/tests.expected
@@ -11,3 +11,5 @@
 | immutable.js:31:7:31:14 | source() | immutable.js:31:75:31:75 | x |
 | immutable.js:33:21:33:28 | source() | immutable.js:33:49:33:49 | x |
 | immutable.js:36:38:36:45 | source() | immutable.js:37:6:37:18 | map4.get("f") |
+| immutable.js:39:25:39:32 | source() | immutable.js:40:6:40:18 | map5.get("a") |
+| immutable.js:39:58:39:65 | source() | immutable.js:41:6:41:18 | map5.get("b") |
