JS: Use for determining underlying types

Author: asgerf

javascript/ql/lib/semmle/javascript/TypeScript.qll

@@ -1,4 +1,5 @@
 import javascript
+private import semmle.javascript.internal.UnderlyingTypes
 
 /**
  * A statement that defines a namespace, that is, a namespace declaration or enum declaration.
@@ -577,7 +578,7 @@ class TypeExpr extends ExprOrType, @typeexpr, TypeAnnotation {
   override TopLevel getTopLevel() { result = ExprOrType.super.getTopLevel() }
 
   override DataFlow::ClassNode getClass() {
-    result.getAstNode() = this.getType().(ClassType).getClass()
+    UnderlyingTypes::nodeHasUnderlyingClassType(this, result.getAstNode())
   }
 }
 

javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll

@@ -27,6 +27,7 @@ private import internal.PreCallGraphStep
 private import semmle.javascript.internal.CachedStages
 private import semmle.javascript.dataflow.internal.DataFlowPrivate as Private
 private import semmle.javascript.dataflow.internal.VariableOrThis
+private import semmle.javascript.internal.UnderlyingTypes
 
 module DataFlow {
   /**
@@ -189,26 +190,6 @@ module DataFlow {
       FlowSteps::identityFunctionStep(result, this)
     }
 
-    /**
-     * Gets the static type of this node as determined by the TypeScript type system.
-     */
-    private Type getType() {
-      exists(AST::ValueNode node |
-        this = TValueNode(node) and
-        ast_node_type(node, result)
-      )
-      or
-      exists(BindingPattern pattern |
-        this = lvalueNode(pattern) and
-        ast_node_type(pattern, result)
-      )
-      or
-      exists(MethodDefinition def |
-        this = TThisNode(def.getInit()) and
-        ast_node_type(def.getDeclaringClass(), result)
-      )
-    }
-
     /**
      * Gets the type annotation describing the type of this node,
      * provided that a static type could not be found.
@@ -236,9 +217,7 @@ module DataFlow {
     cached
     predicate hasUnderlyingType(string globalName) {
       Stages::TypeTracking::ref() and
-      this.getType().hasUnderlyingType(globalName)
-      or
-      this.getFallbackTypeAnnotation().getAnUnderlyingType().hasQualifiedName(globalName)
+      UnderlyingTypes::nodeHasUnderlyingType(this.getFallbackTypeAnnotation(), "global", globalName)
     }
 
     /**
@@ -248,9 +227,8 @@ module DataFlow {
     cached
     predicate hasUnderlyingType(string moduleName, string typeName) {
       Stages::TypeTracking::ref() and
-      this.getType().hasUnderlyingType(moduleName, typeName)
-      or
-      this.getFallbackTypeAnnotation().getAnUnderlyingType().hasQualifiedName(moduleName, typeName)
+      moduleName != "global" and
+      UnderlyingTypes::nodeHasUnderlyingType(this.getFallbackTypeAnnotation(), moduleName, typeName)
     }
 
     /**

javascript/ql/lib/semmle/javascript/internal/UnderlyingTypes.qll

@@ -0,0 +1,146 @@
+/**
+ * Provides name resolution and propagates type information.
+ */
+
+private import javascript
+private import semmle.javascript.internal.TypeResolution::TypeResolution
+
+/**
+ * Provides name resolution and propagates type information.
+ */
+module UnderlyingTypes {
+  /**
+   * Holds if `moduleName` appears to start with a package name, as opposed to a relative file import.
+   */
+  bindingset[moduleName]
+  private predicate isExternalModuleName(string moduleName) {
+    not moduleName.regexpMatch("^(\\.|/).*")
+  }
+
+  bindingset[name]
+  private string normalizeModuleName(string name) {
+    result =
+      name.regexpReplaceAll("^node:", "")
+          .regexpReplaceAll("\\.[jt]sx?$", "")
+          .regexpReplaceAll("/(index)?$", "")
+  }
+
+  /**
+   * Holds if `node` is a reference to the given module, or a qualified name rooted in that module.
+   *
+   * If `qualifiedName` is empty, `node` refers to the module itself.
+   *
+   * If `mod` is the string `"global"`, `node` refers to a global access path.
+   */
+  predicate nodeRefersToModule(Node node, string mod, string qualifiedName) {
+    exists(Import imprt |
+      node = imprt.getImportedPath() and
+      mod = normalizeModuleName(imprt.getImportedPath().getValue()) and
+      isExternalModuleName(mod) and
+      qualifiedName = ""
+    )
+    or
+    mod = "global" and
+    exists(LocalNamespaceAccess access |
+      node = access and
+      not exists(access.getLocalNamespaceName()) and
+      access.getName() = qualifiedName
+    )
+    or
+    // Additionally track through bulk re-exports (`export * from 'mod`).
+    // These are normally handled by 'exportAs' which supports various shadowing rules,
+    // but has no effect when the ultimate re-exported module is not resolved to a Module.
+    // We propagate external module refs through bulk re-exports and ignore shadowing rules.
+    exists(BulkReExportDeclaration reExport |
+      nodeRefersToModule(reExport.getImportedPath(), mod, qualifiedName) and
+      node = reExport.getContainer()
+    )
+    or
+    exists(Node mid |
+      nodeRefersToModule(mid, mod, qualifiedName) and
+      ValueFlow::step(mid, node) and
+      not node instanceof Variable // avoid a lot of unnecessary tuples
+    )
+    or
+    exists(Node mid, string prefix, string step |
+      nodeRefersToModule(mid, mod, prefix) and
+      readStep(mid, step, node) and
+      qualifiedName = append(prefix, step)
+    )
+  }
+
+  private predicate subtypeStep(Node node1, Node node2) {
+    exists(ClassOrInterface cls |
+      (
+        node1 = cls.getSuperClass() or // TODO: test that type flow actually reaches the super class
+        node1 = cls.getASuperInterface()
+      ) and
+      node2 = cls
+    )
+  }
+
+  private predicate underlyingTypeStep(Node node1, Node node2) {
+    exists(UnionOrIntersectionTypeExpr type |
+      node1 = type.getAnElementType() and
+      node2 = type
+    )
+    or
+    exists(ReadonlyTypeExpr type |
+      node1 = type.getElementType() and
+      node2 = type
+    )
+    or
+    exists(OptionalTypeExpr type |
+      node1 = type.getElementType() and
+      node2 = type
+    )
+    or
+    exists(GenericTypeExpr type |
+      node1 = type.getTypeAccess() and
+      node2 = type
+    )
+    or
+    exists(ExpressionWithTypeArguments e |
+      node1 = e.getExpression() and
+      node2 = e
+    )
+  }
+
+  bindingset[a, b]
+  private string append(string a, string b) {
+    if b = "default"
+    then result = a
+    else (
+      (if a = "" or b = "" then result = a + b else result = a + "." + b) and
+      result.length() < 100
+    )
+  }
+
+  predicate nodeHasUnderlyingType(Node node, string mod, string name) {
+    exists(Node mid, string prefix, string step |
+      nodeRefersToModule(mid, mod, prefix) and
+      readStep(mid, step, node) and
+      name = append(prefix, step)
+    )
+    or
+    exists(Node mid | nodeHasUnderlyingType(mid, mod, name) |
+      TypeFlow::step(mid, node)
+      or
+      underlyingTypeStep(mid, node)
+      or
+      subtypeStep(mid, node)
+    )
+  }
+
+  predicate nodeHasUnderlyingClassType(Node node, ClassDefinition cls) {
+    node = cls
+    or
+    exists(Node mid | nodeHasUnderlyingClassType(mid, cls) |
+      TypeFlow::step(mid, node)
+      or
+      underlyingTypeStep(mid, node)
+      // Note: unlike for external types, we do not use subtype steps here.
+      // The caller is responsible for handling the class hierarchy.
+    )
+  }
+}