JS: Type track mssql model

Author: asgerf

javascript/ql/src/semmle/javascript/frameworks/SQL.qll

@@ -270,15 +270,27 @@ private module Sqlite {
  */
 private module MsSql {
   /** Gets a reference to the `mssql` module. */
-  DataFlow::ModuleImportNode mssql() { result.getPath() = "mssql" }
+  DataFlow::SourceNode mssql() { result = DataFlow::moduleImport("mssql") }
 
-  /** Gets an expression that creates a request object. */
-  DataFlow::SourceNode request() {
-    // new require('mssql').Request()
-    result = mssql().getAConstructorInvocation("Request")
+  /** Gets a data flow node referring to a request object. */
+  private DataFlow::SourceNode request(DataFlow::TypeTracker t) {
+    t.start() and
+    (
+      // new require('mssql').Request()
+      result = mssql().getAConstructorInvocation("Request")
+      or
+      // request.input(...)
+      result = request().getAMethodCall("input")
+    )
     or
-    // request.input(...)
-    result = request().getAMethodCall("input")
+    exists(DataFlow::TypeTracker t2 |
+      result = request(t2).track(t2, t)
+    )
+  }
+  
+  /** Gets a data flow node referring to a request object. */
+  DataFlow::SourceNode request() {
+    result = request(DataFlow::TypeTracker::end())
   }
 
   /** A tagged template evaluated as a query. */
@@ -293,15 +305,13 @@ private module MsSql {
   }
 
   /** A call to a MsSql query method. */
-  private class QueryCall extends DatabaseAccess, DataFlow::ValueNode {
-    override MethodCallExpr astNode;
-
+  private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
     QueryCall() {
-      exists(string meth | this = request().getAMethodCall(meth) | meth = "query" or meth = "batch")
+      this = request().getAMethodCall(["query", "batch"])
     }
 
     override DataFlow::Node getAQueryArgument() {
-      result = DataFlow::valueNode(astNode.getArgument(0))
+      result = getArgument(0)
     }
   }
 

javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected

@@ -2,6 +2,7 @@
 | mssql1.js:7:75:7:79 | value |
 | mssql2.js:5:15:5:34 | 'select 1 as number' |
 | mssql2.js:13:15:13:66 | 'create ...  table' |
+| mssql2.js:22:24:22:43 | 'select 1 as number' |
 | mysql1.js:13:18:13:43 | 'SELECT ... lution' |
 | mysql1.js:18:18:22:1 | {\\n    s ... vid']\\n} |
 | mysql2.js:12:12:12:37 | 'SELECT ... lution' |

javascript/ql/test/library-tests/frameworks/SQL/mssql2.js

@@ -13,3 +13,13 @@ request.query('select 1 as number', (err, result) => {
 request.batch('create procedure #temporary as select * from table', (err, result) => {
     // ... error checks
 })
+
+class C {
+    constructor(req) {
+        this.req = req;
+    }
+    send() {
+        this.req.query('select 1 as number', (err, result) => {})
+    }
+}
+new C(new sql.Request());