Merge pull request #2102 from erik-krogh/deferredModel

asger-semmle · web-flow · commit d9beb54dde20 · 2019-11-06T14:30:03.000Z
JS: add Deferred model in js/use-of-returnless-function
diff --git a/javascript/ql/src/Statements/UseOfReturnlessFunction.ql b/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
@@ -149,6 +149,57 @@ predicate voidArrayCallback(DataFlow::CallNode call, Function func) {
   )
 }
 
+
+/**
+ * Provides classes for working with various Deferred implementations. 
+ * It is a heuristic. The heuristic assume that a class is a promise defintion 
+ * if the class is called "Deferred" and the method `resolve` is called on an instance.
+ *  
+ * Removes some false positives in the js/use-of-returnless-function query.  
+ */
+module Deferred {
+  /**
+   * An instance of a `Deferred` class. 
+   * For example the result from `new Deferred()` or `new $.Deferred()`.
+   */
+  class DeferredInstance extends DataFlow::NewNode {
+  	// Describes both `new Deferred()`, `new $.Deferred` and other variants. 
+    DeferredInstance() { this.getCalleeName() = "Deferred" }
+
+    private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
+      t.start() and
+      result = this
+      or
+      exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
+    }
+    
+    DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
+  }
+
+  /**
+   * A promise object created by a Deferred constructor
+   */
+  private class DeferredPromiseDefinition extends PromiseDefinition, DeferredInstance {
+    DeferredPromiseDefinition() {
+      // hardening of the "Deferred" heuristic: a method call to `resolve`. 
+      exists(ref().getAMethodCall("resolve"))
+    }
+
+    override DataFlow::FunctionNode getExecutor() { result = getCallback(0) }
+  }
+
+  /**
+   * A resolved promise created by a `new Deferred().resolve()` call.
+   */
+  class ResolvedDeferredPromiseDefinition extends ResolvedPromiseDefinition {
+    ResolvedDeferredPromiseDefinition() {
+      this = any(DeferredPromiseDefinition def).ref().getAMethodCall("resolve")
+    }
+
+    override DataFlow::Node getValue() { result = getArgument(0) }
+  }
+}
+
 from DataFlow::CallNode call, Function func, string name, string msg
 where
   (
diff --git a/javascript/ql/test/library-tests/TaintTracking/promise.js b/javascript/ql/test/library-tests/TaintTracking/promise.js
@@ -11,4 +11,4 @@ function closure() {
   let resolver = Promise.withResolver();
   resolver.resolve(source());
   sink(resolver.promise); // NOT OK
-}
+}
diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js
@@ -82,4 +82,10 @@
 	
 	var baz = [1,2,3].filter(n => {n === 3}) // OK
 	console.log(baz);
+	
+	class Deferred {
+	
+	}
+	
+	new Deferred().resolve(onlySideEffects()); // OK
 })();
