JS: Also check contextual type

Author: asgerf

javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll

@@ -229,7 +229,10 @@ module DataFlow {
     predicate hasUnderlyingType(string globalName) {
       Stages::TypeTracking::ref() and
       exists(NameResolution::Node type |
-        TypeResolution::valueHasType(this.getNameResolutionNode(), type) and
+        TypeResolution::valueHasType(this.getNameResolutionNode(), type)
+        or
+        TypeResolution::contextualType(this.getNameResolutionNode(), type)
+      |
         UnderlyingTypes::nodeHasUnderlyingType(type, globalName)
       )
     }
@@ -243,7 +246,12 @@ module DataFlow {
       Stages::TypeTracking::ref() and
       moduleName != "global" and
       exists(NameResolution::Node type |
-        TypeResolution::valueHasType(this.getNameResolutionNode(), type) and
+        TypeResolution::valueHasType(this.getNameResolutionNode(), type)
+        or
+        // Also check contextual type as this helps when tracking facts between SourceNode only.
+        // For example, for `var x: T = getFoo()` we need `getFoo()` to have the type T.
+        TypeResolution::contextualType(this.getNameResolutionNode(), type)
+      |
         UnderlyingTypes::nodeHasUnderlyingType(type, moduleName, typeName)
       )
     }

javascript/ql/lib/semmle/javascript/internal/TypeResolution.qll

@@ -170,7 +170,12 @@ module TypeResolution {
     )
   }
 
-  private predicate contextualType(Node value, Node type) {
+  predicate contextualType(Node value, Node type) {
+    exists(LocalVariable v |
+      type = v.getADeclaration().getTypeAnnotation() and
+      value = v.getAnAssignedExpr()
+    )
+    or
     exists(InvokeExpr call, Function target, int i |
       callTarget(call, target) and
       value = call.getArgument(i) and