JS: Add initial type resolution

asgerf · asgerf · commit 651f07d182ba · 2025-03-20T14:35:29.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/internal/TypeResolution.qll b/javascript/ql/lib/semmle/javascript/internal/TypeResolution.qll
@@ -0,0 +1,375 @@
+/**
+ * Provides name resolution and propagates type information.
+ */
+
+private import javascript
+
+/**
+ * Provides name resolution and propagates type information.
+ */
+module TypeResolution {
+  private class NodeBase =
+    @expr or @typeexpr or @lexical_name or @toplevel or @function_decl_stmt or @class_decl_stmt or
+        @namespace_declaration or @enum_declaration;
+
+  /**
+   * A node in a graph which we use to perform name and type resolution.
+   */
+  class Node extends NodeBase {
+    string toString() {
+      result = this.(AstNode).toString()
+      or
+      result = this.(LexicalName).toString()
+    }
+
+    Location getLocation() {
+      result = this.(AstNode).getLocation()
+      or
+      result = this.(LocalVariable).getLocation()
+    }
+  }
+
+  private signature predicate nodeSig(Node node);
+
+  /**
+   * A module top-level, or a `module {}` or `enum {}` statement.
+   */
+  private class ModuleLike extends AstNode {
+    ModuleLike() {
+      this instanceof Module
+      or
+      this instanceof NamespaceDefinition // `module {}` or `enum {}` statement
+    }
+  }
+
+  /**
+   * Holds if values/namespaces/types in `node1` can flow to values/namespaces/types in `node2`.
+   */
+  private predicate commonStep(Node node1, Node node2) {
+    // Import paths are part of the graph and has an incoming edge from the imported module, if found.
+    // This ensures we can also use the PathExpr as a source when working with external (unresolved) modules.
+    exists(Import imprt |
+      node1 = imprt.getImportedModule() and
+      node2 = imprt.getImportedPath()
+    )
+    or
+    exists(ImportNamespaceSpecifier spec |
+      node1 = spec.getImportDeclaration().getImportedPath() and
+      node2 = spec.getLocal()
+    )
+    or
+    exists(ExportNamespaceSpecifier spec |
+      node1 = spec.getExportDeclaration().(ReExportDeclaration).getImportedPath() and
+      node2 = spec
+    )
+    or
+    exists(ExportAssignDeclaration assign |
+      node1 = assign.getExpression() and
+      node2 = assign.getContainer()
+    )
+    or
+    exists(ImportEqualsDeclaration imprt |
+      node1 = imprt.getImportedEntity() and
+      node2 = imprt.getIdentifier()
+    )
+    or
+    exists(ExternalModuleReference ref |
+      node1 = ref.getImportedPath() and
+      node2 = ref
+    )
+    or
+    exists(ImportTypeExpr imprt |
+      node1 = imprt.getPathExpr() and // TODO: ImportTypeExpr does not seem to be resolved to a Module
+      node2 = imprt
+    )
+    or
+    exists(ClassOrInterface cls |
+      node1 = cls and
+      node2 = cls.getIdentifier()
+    )
+    or
+    exists(NamespaceDefinition def |
+      node1 = def and
+      node2 = def.getIdentifier()
+    )
+    or
+    exists(EnumMember def |
+      node1 = def.getInitializer() and
+      node2 = def.getIdentifier()
+    )
+    or
+    exists(TypeAliasDeclaration alias |
+      node1 = alias.getDefinition() and
+      node2 = alias.getIdentifier()
+    )
+    or
+    exists(VariableDeclarator decl |
+      node1 = decl.getInit() and
+      node2 = decl.getBindingPattern()
+    )
+    or
+    exists(ParenthesizedTypeExpr type |
+      node1 = type.getElementType() and
+      node2 = type
+    )
+    or
+    exists(ParenthesisExpr expr |
+      node1 = expr.getExpression() and
+      node2 = expr
+    )
+    or
+    exists(FunctionTypeExpr fun |
+      node1 = fun.getFunction() and
+      node2 = fun
+    )
+  }
+
+  /**
+   * Holds if there is a read from `node1` to `node2` that accesses the member `name`.
+   */
+  predicate readStep(Node node1, string name, Node node2) {
+    exists(QualifiedTypeAccess access |
+      node1 = access.getQualifier() and
+      name = access.getIdentifier().getName() and
+      node2 = access
+    )
+    or
+    exists(QualifiedNamespaceAccess access |
+      node1 = access.getQualifier() and
+      name = access.getIdentifier().getName() and
+      node2 = access
+    )
+    or
+    exists(PropAccess access |
+      node1 = access.getBase() and
+      name = access.getPropertyName() and
+      node2 = access
+    )
+    or
+    exists(ImportSpecifier spec |
+      node1 = spec.getImportDeclaration().getImportedPath() and
+      name = spec.getImportedName() and
+      node2 = spec.getLocal()
+    )
+  }
+
+  private signature module TypeResolutionInputSig {
+    /**
+     * Holds if flow is permitted through the given variable.
+     */
+    predicate isRelevantVariable(LexicalName var);
+  }
+
+  /**
+   * A local variable with exactly one definition, not counting implicit initialization.
+   */
+  private class EffectivelyConstantVariable extends LocalVariable {
+    EffectivelyConstantVariable() {
+      count(SsaExplicitDefinition ssa | ssa.getSourceVariable() = this) <= 1 // count may be zero if ambient
+    }
+  }
+
+  /** Configuration for propagating values and namespaces */
+  private module ValueConfig implements TypeResolutionInputSig {
+    predicate isRelevantVariable(LexicalName var) {
+      var instanceof EffectivelyConstantVariable
+      or
+      // We merge the namespace and value declaration spaces as it seems there is
+      // no need to distinguish them in practice.
+      var instanceof LocalNamespaceName
+    }
+  }
+
+  /**
+   * Associates information about values, such as references to a class, module, or namespace.
+   */
+  module ValueFlow = FlowImpl<ValueConfig>;
+
+  private module TypeConfig implements TypeResolutionInputSig {
+    predicate isRelevantVariable(LexicalName var) { var instanceof LocalTypeName }
+  }
+
+  /**
+   * Associates nodes with information about types.
+   */
+  module TypeFlow = FlowImpl<TypeConfig>;
+
+  private module FlowImpl<TypeResolutionInputSig S> {
+    /**
+     * Gets the exported member of `mod` named `name`.
+     */
+    Node getModuleExport(ModuleLike mod, string name) {
+      exists(ExportDeclaration exprt |
+        mod = exprt.getContainer() and
+        exprt.exportsAs(result, name) and
+        S::isRelevantVariable(result)
+      )
+      or
+      exists(ExportNamespaceSpecifier spec |
+        result = spec and
+        mod = spec.getContainer() and
+        name = spec.getExportedName()
+      )
+      or
+      exists(EnumDeclaration enum |
+        mod = enum and
+        result = enum.getMemberByName(name).getIdentifier()
+      )
+    }
+
+    /** Steps that only apply for this configuration. */
+    private predicate specificStep(Node node1, Node node2) {
+      exists(LexicalName var | S::isRelevantVariable(var) |
+        node1.(LexicalDecl).getALexicalName() = var and
+        node2 = var
+        or
+        node1 = var and
+        node2.(LexicalAccess).getALexicalName() = var
+      )
+      or
+      exists(Node base, string name, ModuleLike mod |
+        readStep(base, name, node2) and
+        base = trackModule(mod) and
+        node1 = getModuleExport(mod, name)
+      )
+    }
+
+    /**
+     * Holds if data should propagate from `node1` to `node2`.
+     */
+    pragma[inline]
+    predicate step(Node node1, Node node2) {
+      commonStep(node1, node2)
+      or
+      specificStep(node1, node2)
+    }
+
+    /** Helps track flow from a particular set of source nodes. */
+    module Track<nodeSig/1 isSource> {
+      /** Gets the set of nodes reachable from `source`. */
+      Node track(Node source) {
+        isSource(source) and
+        result = source
+        or
+        step(track(source), result)
+      }
+    }
+
+    signature class AstNodeSig extends AstNode;
+
+    /** Helps track flow from a particular set of source nodes. */
+    module TrackNode<AstNodeSig Source> {
+      /** Gets the set of nodes reachable from `source`. */
+      Node track(Source source) {
+        result = source
+        or
+        step(track(source), result)
+      }
+    }
+  }
+
+  /**
+   * Gets a node to which the given module flows.
+   */
+  predicate trackModule = ValueFlow::TrackNode<ModuleLike>::track/1;
+
+  /**
+   * Gets a node to which the given class flows.
+   */
+  predicate trackClassValue = ValueFlow::TrackNode<ClassDefinition>::track/1;
+
+  /**
+   * Gets the string constant referred to by `node`.
+   */
+  cached
+  string getStringValue(Node node) {
+    result = node.(Expr).getStringValue()
+    or
+    result = node.(Label).getName()
+    or
+    exists(Node mid |
+      result = getStringValue(mid) and
+      ValueFlow::step(mid, node) and
+      // Exclude steps where we use the import path as representative for the imported module
+      not mid = any(Import imprt).getImportedPath()
+    )
+  }
+
+  /**
+   * Gets the int constant referred to by `node`.
+   */
+  cached
+  int getIntValue(Node node) {
+    result = node.(Expr).getIntValue()
+    or
+    exists(Node mid |
+      result = getIntValue(mid) and
+      ValueFlow::step(mid, node)
+    )
+  }
+
+  /**
+   * Tracks types that have a certain property, in the sense that:
+   * - an intersection type has the property if any operand has the property
+   * - a union type has the property if all its operands have the property
+   */
+  module TrackMustProp<nodeSig/1 directlyHasProperty> {
+    predicate hasProperty(Node node) {
+      directlyHasProperty(node)
+      or
+      exists(Node mid |
+        hasProperty(mid) and
+        TypeFlow::step(mid, node)
+      )
+      or
+      unionHasProp(node)
+      or
+      hasProperty(node.(IntersectionTypeExpr).getAnElementType())
+      or
+      exists(ConditionalTypeExpr cond |
+        hasProperty(cond.getTrueType()) and
+        hasProperty(cond.getFalseType())
+      )
+    }
+
+    private predicate unionHasProp(UnionTypeExpr node, int n) {
+      hasProperty(node.getElementType(0)) and n = 1
+      or
+      unionHasProp(node, n - 1) and
+      hasProperty(node.getElementType(n - 1))
+    }
+
+    private predicate unionHasProp(UnionTypeExpr node) {
+      unionHasProp(node, node.getNumElementType())
+    }
+  }
+
+  private predicate isSanitizingPrimitiveTypeBase(Node node) {
+    node.(TypeExpr).isNumbery()
+    or
+    node.(TypeExpr).isBooleany()
+    or
+    node.(TypeExpr).isNull()
+    or
+    node.(TypeExpr).isUndefined()
+    or
+    node.(TypeExpr).isVoid()
+    or
+    node.(TypeExpr).isNever()
+    or
+    node instanceof LiteralTypeExpr
+    or
+    node = any(EnumMember m).getIdentifier() // enum members are constant
+    or
+    node instanceof EnumDeclaration // enums are unions of constants
+  }
+
+  /**
+   * Holds if `node` refers to a type that is considered untaintable (if actually enforced at runtime).
+   *
+   * Specifically, the types `number`, `boolean`, `null`, `undefined`, `void`, `never`, as well as literal types (`"foo"`)
+   * and enums and enum members have this property.
+   */
+  predicate isSanitizingPrimitiveType =
+    TrackMustProp<isSanitizingPrimitiveTypeBase/1>::hasProperty/1;
+}
