Merge pull request #396 from esben-semmle/js/unconditional-property-override

JS: add query: js/unconditional-property-override

Author: Max Schaefer

change-notes/1.19/analysis-javascript.md

@@ -23,6 +23,7 @@
 | Replacement of a substring with itself (`js/identity-replacement`) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. |
 | Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. |
 | Unclear precedence of nested operators (`js/unclear-operator-precedence`) | maintainability, correctness, external/cwe/cwe-783 | Highlights nested binary operators whose relative precedence is easy to misunderstand. Results shown on LGTM by default. |
+| Useless assignment to property | maintainability | Highlights property assignments whose value is always overwritten. Results are shown on LGTM by default. |
 | User-controlled data in file | security, external/cwe/cwe-912 | Highlights locations where user-controlled data is written to a file. Results are not shown on LGTM by default. |
 
 ## Changes to existing queries

javascript/config/suites/javascript/maintainability-more

@@ -2,6 +2,7 @@
 + semmlecode-javascript-queries/Comments/TodoComments.ql: /Maintainability/Comments
 + semmlecode-javascript-queries/Declarations/DeadStoreOfGlobal.ql: /Maintainability/Declarations
 + semmlecode-javascript-queries/Declarations/DeadStoreOfLocal.ql: /Maintainability/Declarations
++ semmlecode-javascript-queries/Declarations/DeadStoreOfProperty.ql: /Maintainability/Declarations
 + semmlecode-javascript-queries/Declarations/DuplicateVarDecl.ql: /Maintainability/Declarations
 + semmlecode-javascript-queries/Declarations/UnusedParameter.ql: /Maintainability/Declarations
 + semmlecode-javascript-queries/Declarations/UnusedVariable.ql: /Maintainability/Declarations

javascript/ql/src/Declarations/DeadStore.qhelp

@@ -0,0 +1,49 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+A value is assigned to a variable or property, but either that location is never read
+later on, or its value is always overwritten before being read. This means
+that the original assignment has no effect, and could indicate a logic error or
+incomplete code.
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+Ensure that you check the control and data flow in the method carefully.
+If a value is really not needed, consider omitting the assignment. Be careful,
+though: if the right-hand side has a side-effect (like performing a method call),
+it is important to keep this to preserve the overall behavior.
+</p>
+
+</recommendation>
+<example>
+
+<p>
+In the following example, the return value of the call to <code>send</code> on line 2
+is assigned to the local variable <code>result</code>, but then never used.
+</p>
+
+<sample src="examples/DeadStoreOfLocal.js" />
+
+<p>
+Assuming that <code>send</code> returns a status code indicating whether the operation
+succeeded or not, the value of <code>result</code> should be checked, perhaps like this:
+</p>
+
+<sample src="examples/DeadStoreOfLocalGood.js" />
+
+</example>
+<references>
+
+
+<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Dead_store">Dead store</a>.</li>
+
+
+
+</references>
+</qhelp>

javascript/ql/src/Declarations/DeadStore.qll

@@ -0,0 +1,22 @@
+/**
+ * Provides classes and predicates for reasoning about dead stores.
+ */
+
+import javascript
+
+/**
+ * Holds if `e` is an expression that may be used as a default initial value,
+ * such as `0` or `-1`, or an empty object or array literal.
+ */
+predicate isDefaultInit(Expr e) {
+  // primitive default values: zero, false, empty string, and (integer) -1
+  e.(NumberLiteral).getValue().toFloat() = 0.0 or
+  e.(NegExpr).getOperand().(NumberLiteral).getValue() = "1" or
+  e.(ConstantString).getStringValue() = "" or
+  e.(BooleanLiteral).getValue() = "false" or
+  // initialising to an empty array or object literal, even if unnecessary,
+  // can convey useful type information to the reader
+  e.(ArrayExpr).getSize() = 0 or
+  e.(ObjectExpr).getNumProperty() = 0 or
+  SyntacticConstants::isNullOrUndefined(e)
+}

javascript/ql/src/Declarations/DeadStoreOfLocal.qhelp

@@ -1,49 +1,9 @@
 <!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>
-A value is assigned to a local variable, but either that variable is never read
-later on, or its value is always overwritten before being read. This means
-that the original assignment has no effect, and could indicate a logic error or
-incomplete code.
-</p>
-
-</overview>
-<recommendation>
-
-<p>
-Ensure that you check the control and data flow in the method carefully.
-If a value is really not needed, consider omitting the assignment. Be careful,
-though: if the right-hand side has a side-effect (like performing a method call),
-it is important to keep this to preserve the overall behavior.
-</p>
-
-</recommendation>
-<example>
-
-<p>
-In the following example, the return value of the call to <code>send</code> on line 2
-is assigned to the local variable <code>result</code>, but then never used.
-</p>
-
-<sample src="examples/DeadStoreOfLocal.js" />
-
-<p>
-Assuming that <code>send</code> returns a status code indicating whether the operation
-succeeded or not, the value of <code>result</code> should be checked, perhaps like this:
-</p>
-
-<sample src="examples/DeadStoreOfLocalGood.js" />
-
-</example>
-<references>
-
-
-<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Dead_store">Dead store</a>.</li>
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
 
+<qhelp>
 
+	<include src="DeadStore.qhelp" />
 
-</references>
 </qhelp>

javascript/ql/src/Declarations/DeadStoreOfLocal.ql

@@ -11,6 +11,7 @@
  */
 
 import javascript
+import DeadStore
 
 /**
  * Holds if `vd` is a definition of variable `v` that is dead, that is,
@@ -25,22 +26,6 @@ predicate deadStoreOfLocal(VarDef vd, PurelyLocalVariable v) {
   not exists (SsaExplicitDefinition ssa | ssa.defines(vd, v))
 }
 
-/**
- * Holds if `e` is an expression that may be used as a default initial value,
- * such as `0` or `-1`, or an empty object or array literal.
- */
-predicate isDefaultInit(Expr e) {
-  // primitive default values: zero, false, empty string, and (integer) -1
-  e.(NumberLiteral).getValue().toFloat() = 0.0 or
-  e.(NegExpr).getOperand().(NumberLiteral).getValue() = "1" or
-  e.(ConstantString).getStringValue() = "" or
-  e.(BooleanLiteral).getValue() = "false" or
-  // initialising to an empty array or object literal, even if unnecessary,
-  // can convey useful type information to the reader
-  e.(ArrayExpr).getSize() = 0 or
-  e.(ObjectExpr).getNumProperty() = 0
-}
-
 from VarDef dead, PurelyLocalVariable v  // captured variables may be read by closures, so don't flag them
 where deadStoreOfLocal(dead, v) and
       // the variable should be accessed somewhere; otherwise it will be flagged by UnusedVariable

javascript/ql/src/Declarations/DeadStoreOfProperty.qhelp

@@ -0,0 +1,9 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+
+<qhelp>
+
+	<include src="DeadStore.qhelp" />
+
+</qhelp>

javascript/ql/src/Declarations/DeadStoreOfProperty.ql

@@ -0,0 +1,142 @@
+/**
+ * @name Useless assignment to property
+ * @description An assignment to a property whose value is always overwritten has no effect.
+ * @kind problem
+ * @problem.severity warning
+ * @id js/useless-assignment-to-property
+ * @tags maintainability
+ * @precision high
+ */
+
+import javascript
+import Expressions.DOMProperties
+import DeadStore
+
+/**
+ * Holds if `write` writes to property `name` of `base`, and `base` is the only base object of `write`.
+ */
+predicate unambiguousPropWrite(DataFlow::SourceNode base, string name, DataFlow::PropWrite write) {
+  write = base.getAPropertyWrite(name) and
+  not exists (DataFlow::SourceNode otherBase |
+    otherBase != base and
+    write = otherBase.getAPropertyWrite(name)
+  )
+}
+
+/**
+ * Holds if `assign1` and `assign2` both assign property `name` of the same object, and `assign2` post-dominates `assign1`.
+ */
+predicate postDominatedPropWrite(string name, DataFlow::PropWrite assign1, DataFlow::PropWrite assign2) {
+  exists (ControlFlowNode write1, ControlFlowNode write2, DataFlow::SourceNode base, ReachableBasicBlock block1, ReachableBasicBlock block2 |
+    write1 = assign1.getWriteNode() and
+    write2 = assign2.getWriteNode() and
+    block1 = write1.getBasicBlock() and
+    block2 = write2.getBasicBlock() and
+    unambiguousPropWrite(base, name, assign1) and
+    unambiguousPropWrite(base, name, assign2) and
+    block2.postDominates(block1) and
+    (block1 = block2 implies
+      exists (int i1, int i2 |
+        write1 = block1.getNode(i1) and
+        write2 = block2.getNode(i2) and
+        i1 < i2
+      )
+    )
+  )
+}
+
+/**
+ * Holds if `e` may access a property named `name`.
+ */
+bindingset[name]
+predicate maybeAccessesProperty(Expr e, string name) {
+  (e.(PropAccess).getPropertyName() = name and e instanceof RValue) or
+  // conservatively reject all side-effects
+  e.isImpure()
+}
+
+/**
+ * Holds if `assign1` and `assign2` both assign property `name`, but `assign1` is dead because of `assign2`.
+ */
+predicate isDeadAssignment(string name, DataFlow::PropWrite assign1, DataFlow::PropWrite assign2) {
+  postDominatedPropWrite(name, assign1, assign2) and
+  noPropAccessBetween(name, assign1, assign2) and
+  not isDOMProperty(name)
+}
+
+/**
+ * Holds if `assign` assigns a property `name` that may be accessed somewhere else in the same block,
+ * `after` indicates if the access happens before or after the node for `assign`.
+ */
+bindingset[name]
+predicate maybeAccessesAssignedPropInBlock(string name, DataFlow::PropWrite assign, boolean after) {
+  exists (ControlFlowNode write, ReachableBasicBlock block, int i, int j, Expr e |
+    write = assign.getWriteNode() and
+    block = assign.getBasicBlock() and
+    write = block.getNode(i) and
+    e = block.getNode(j) and
+    maybeAccessesProperty(e, name) |
+    after = true and i < j
+    or
+    after = false and j < i
+  )
+}
+
+/**
+ * Holds if `assign1` and `assign2` both assign property `name`, and the assigned property is not accessed between the two assignments.
+ */
+bindingset[name]
+predicate noPropAccessBetween(string name, DataFlow::PropWrite assign1, DataFlow::PropWrite assign2) {
+  exists (ControlFlowNode write1, ControlFlowNode write2, ReachableBasicBlock block1, ReachableBasicBlock block2 |
+    write1 = assign1.getWriteNode() and
+    write2 = assign2.getWriteNode() and
+    write1.getBasicBlock() = block1 and
+    write2.getBasicBlock() = block2 and
+    if block1 = block2 then
+      // same block: check for access between
+      not exists (int i1, Expr mid, int i2 |
+        assign1.getWriteNode() = block1.getNode(i1) and
+        assign2.getWriteNode() = block2.getNode(i2) and
+        mid = block1.getNode([i1+1..i2-1]) and
+        maybeAccessesProperty(mid, name)
+      )
+    else
+      // other block:
+      not (
+        // check for an access after the first write node
+        maybeAccessesAssignedPropInBlock(name, assign1, true) or
+        // check for an access between the two write blocks
+        exists (ReachableBasicBlock mid |
+          block1.getASuccessor+() = mid and
+          mid.getASuccessor+() = block2 |
+          maybeAccessesProperty(mid.getANode(), name)
+        ) or
+        // check for an access before the second write node
+        maybeAccessesAssignedPropInBlock(name, assign2, false)
+      )
+  )
+}
+
+from string name, DataFlow::PropWrite assign1, DataFlow::PropWrite assign2
+where isDeadAssignment(name, assign1, assign2) and
+      // whitelist
+      not (
+        // Google Closure Compiler pattern: `o.p = o['p'] = v`
+        exists (PropAccess p1, PropAccess p2 |
+          p1 = assign1.getAstNode() and
+          p2 = assign2.getAstNode() |
+          p1 instanceof DotExpr and p2 instanceof IndexExpr
+          or
+          p2 instanceof DotExpr and p1 instanceof IndexExpr
+        )
+        or
+        // don't flag overwrites for default values
+        isDefaultInit(assign1.getRhs().asExpr().getUnderlyingValue())
+        or
+        // don't flag assignments in externs
+        assign1.getAstNode().inExternsFile()
+        or
+        // exclude result from js/overwritten-property
+        assign2.getBase() instanceof DataFlow::ObjectLiteralNode
+      )
+select assign1.getWriteNode(), "This write to property '" + name + "' is useless, since $@ always overrides it.", assign2.getWriteNode(), "another property write"