JS: Also summarize loads

Author: asger-semmle

javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll

@@ -110,8 +110,15 @@ module StepSummary {
     or
     // Summarize calls with flow directly from a parameter to a return.
     exists(DataFlow::ParameterNode param, DataFlow::FunctionNode fun |
-      param.flowsTo(fun.getAReturn()) and
-      summary = LevelStep() and
+      (
+        param.flowsTo(fun.getAReturn()) and
+        summary = LevelStep()
+        or
+        exists(string prop |
+          param.getAPropertyRead(prop).flowsTo(fun.getAReturn()) and
+          summary = LoadStep(prop)
+        )
+      ) and
       if param = fun.getAParameter() then (
         // Step from argument to call site.
         argumentPassing(succ, pred, fun.getFunction(), param)

javascript/ql/test/library-tests/TypeTracking/ClassStyle.expected

@@ -35,6 +35,9 @@ test_Connection
 | tst.js:104:10:106:6 | (functi ... \\n  })() |
 | tst.js:108:1:108:23 | shared( ... tion()) |
 | tst.js:108:8:108:22 | getConnection() |
+| tst.js:112:10:112:14 | obj.x |
+| tst.js:114:1:114:28 | getX({  ... on() }) |
+| tst.js:114:11:114:25 | getConnection() |
 | tst_conflict.js:6:38:6:77 | api.cha ... ction() |
 test_DataCallback
 | client.js:3:28:3:34 | x => {} |

javascript/ql/test/library-tests/TypeTracking/PredicateStyle.expected

@@ -19,7 +19,9 @@ connection
 | type tracker with call steps | tst.js:93:5:93:18 | innerCapture() |
 | type tracker with call steps | tst.js:103:17:103:17 | x |
 | type tracker with call steps | tst.js:104:10:106:6 | (functi ... \\n  })() |
+| type tracker with call steps | tst.js:112:10:112:14 | obj.x |
 | type tracker with call steps with property connection | tst.js:7:14:7:13 | this |
+| type tracker with call steps with property x | tst.js:111:15:111:17 | obj |
 | type tracker without call steps | client.js:1:10:1:27 | exportedConnection |
 | type tracker without call steps | tst.js:16:10:16:49 | api.cha ... ction() |
 | type tracker without call steps | tst.js:19:7:19:21 | getConnection() |
@@ -36,11 +38,14 @@ connection
 | type tracker without call steps | tst.js:100:12:100:26 | getConnection() |
 | type tracker without call steps | tst.js:108:1:108:23 | shared( ... tion()) |
 | type tracker without call steps | tst.js:108:8:108:22 | getConnection() |
+| type tracker without call steps | tst.js:114:1:114:28 | getX({  ... on() }) |
+| type tracker without call steps | tst.js:114:11:114:25 | getConnection() |
 | type tracker without call steps | tst_conflict.js:6:38:6:77 | api.cha ... ction() |
 | type tracker without call steps with property MyApplication.namespace.connection | file://:0:0:0:0 | global access path |
 | type tracker without call steps with property conflict | tst.js:63:3:63:25 | MyAppli ... mespace |
 | type tracker without call steps with property conflict | tst_conflict.js:6:3:6:25 | MyAppli ... mespace |
 | type tracker without call steps with property connection | tst.js:62:3:62:25 | MyAppli ... mespace |
+| type tracker without call steps with property x | tst.js:114:6:114:27 | { x: ge ... ion() } |
 dataCallback
 | client.js:3:28:3:34 | x => {} |
 | tst.js:10:11:10:12 | cb |

javascript/ql/test/library-tests/TypeTracking/tst.js

@@ -107,3 +107,9 @@ function shared(x) {
 }
 shared(getConnection());
 shared(somethingElse());
+
+function getX(obj) {
+  return obj.x;
+}
+getX({ x: getConnection() });
+getX({ x: somethingElse() });