JavaScript: address comments

Author: asger-semmle

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -337,7 +337,7 @@ private class LibraryPartialCall extends AdditionalPartialInvokeNode {
   override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) {
     callback = getArgument(0) and
     exists (DataFlow::ArrayLiteralNode array |
-      array = getArgument(1) and
+      array.flowsTo(getArgument(1)) and
       argument = array.getElement(index))
   }
 }

javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll

@@ -32,9 +32,9 @@ predicate calls(DataFlow::InvokeNode invk, Function f) {
  *
  * This only holds for explicitly modeled partial calls.
  */
-predicate partiallyCalls(DataFlow::AdditionalPartialInvokeNode invk, DataFlow::Node callback, Function f) {
+private predicate partiallyCalls(DataFlow::AdditionalPartialInvokeNode invk, DataFlow::AnalyzedNode callback, Function f) {
   invk.isPartialArgument(callback, _, _) and
-  exists (AbstractFunction callee | callee = callback.analyze().getAValue() |
+  exists (AbstractFunction callee | callee = callback.getAValue() |
     if invk.isIndefinite("global") then
       (f = callee.getFunction() and f.getFile() = invk.getFile())
     else

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -1,3 +1,8 @@
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:17:14:17:14 | x |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:20:14:20:14 | y |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:41:10:41:18 | id(taint) |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:51:14:51:14 | x |
 | tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |
 | tst.js:2:13:2:20 | source() | tst.js:5:10:5:22 | "/" + x + "!" |
 | tst.js:2:13:2:20 | source() | tst.js:14:10:14:17 | x.sort() |

javascript/ql/test/library-tests/TaintTracking/partialCalls.js

@@ -0,0 +1,58 @@
+let R = require('ramda');
+
+function test() {
+    let taint = source();
+
+    function safe1(x, y) {
+        sink(x); // OK - x is not tainted
+    }
+    function safe2(x, y) {
+        sink(y); // OK - y is not tainted
+    }
+
+    safe1.bind(null, "hello", taint)();
+    safe2.bind(null, taint, "hello")();
+
+    function unsafe1(x, y) {
+        sink(x); // NOT OK - x is tainted
+    }
+    function unsafe2(x ,y) {
+        sink(y); // NOT OK - y is tainted
+    }
+
+    unsafe1.bind(null, taint, "hello")();
+    unsafe2.bind(null, "hello", taint)();
+
+    function safeprop(x) {
+        sink(x.value); // OK - property `value` is not tainted
+    }
+    function unsafeprop(x) {
+        sink(x.value); // NOT OK - property `value` is tainted
+    }
+
+    safeprop.bind(null, {value: "hello", somethingElse: taint})();
+    unsafeprop.bind(null, {value: taint, somethingElse: "hello"})();
+
+    function id(x) {
+        return x;
+    }
+
+    sink(id("hello")); // OK
+    sink(id(taint));   // NOT OK
+
+    let taintGetter = id.bind(null, taint);
+    sink(taintGetter);   // OK - this is a function object
+    sink(taintGetter()); // NOT OK - but not currently detected
+
+    function safearray(x) {
+        sink(x); // OK
+    }
+    function unsafearray(x) {
+        sink(x); // NOT OK
+    }
+
+    let xs = ["hello"];
+    let ys = [taint];
+    R.partial(safearray, xs)();
+    R.partial(unsafearray, ys)();
+}