JS: Better support for contextual types

Author: asgerf

javascript/ql/lib/semmle/javascript/internal/TypeResolution.qll

@@ -8,7 +8,15 @@ module TypeResolution {
 
   predicate trackType = TypeFlow::TrackNode<TypeDefinition>::track/1;
 
-  predicate trackFunctionType = TypeFlow::TrackNode<Function>::track/1;
+  Node trackFunctionType(Function fun) {
+    result = fun
+    or
+    exists(Node mid | mid = trackFunctionType(fun) |
+      TypeFlow::step(mid, result)
+      or
+      UnderlyingTypes::underlyingTypeStep(mid, result)
+    )
+  }
 
   predicate trackFunctionValue = ValueFlow::TrackNode<Function>::track/1;
 
@@ -47,6 +55,24 @@ module TypeResolution {
       content.isUnknownArrayElement()
     )
     or
+    // Ad-hoc support for array types
+    content.isUnknownArrayElement() and
+    (
+      memberType = host.(ArrayTypeExpr).getElementType()
+      or
+      exists(GenericTypeExpr type |
+        host = type and
+        type.getTypeAccess().(LocalTypeAccess).getName() = ["Array", "ReadonlyArray"] and
+        memberType = type.getTypeArgument(0)
+      )
+      or
+      exists(JSDocAppliedTypeExpr type |
+        host = type and
+        type.getHead().(JSDocLocalTypeAccess).getName() = "Array" and
+        memberType = type.getArgument(0)
+      )
+    )
+    or
     // Inherit members from base types
     exists(ClassOrInterface baseType | typeMember(baseType, content, memberType) |
       host.(ClassDefinition).getSuperClass() = trackClassValue(baseType)
@@ -115,11 +141,38 @@ module TypeResolution {
     )
   }
 
-  private predicate contextualType(Node value, Node contextualType) {
+  private predicate contextualType(Node value, Node type) {
     exists(InvokeExpr call, Function target, int i |
       callTarget(call, target) and
       value = call.getArgument(i) and
-      contextualType = target.getParameter(i).getTypeAnnotation()
+      type = target.getParameter(i).getTypeAnnotation()
+    )
+    or
+    exists(Function lambda |
+      not lambda.isAsyncOrGenerator() and
+      value = lambda.getAReturnedExpr()
+    |
+      type = lambda.getReturnTypeAnnotation()
+      or
+      not exists(lambda.getReturnTypeAnnotation()) and
+      exists(Function functionType |
+        contextualType(lambda, trackFunctionType(functionType)) and
+        type = functionType.getReturnTypeAnnotation()
+      )
+    )
+    or
+    exists(ObjectExpr object, Node objectType, Node host, string name |
+      contextualType(object, objectType) and
+      typeMemberHostReaches(host, objectType) and
+      typeMember(host, any(DataFlow::Content c | c.asPropertyName() = name), type) and
+      value = object.getPropertyByName(name).getInit()
+    )
+    or
+    exists(ArrayExpr array, Node arrayType, Node host |
+      contextualType(array, arrayType) and
+      typeMemberHostReaches(host, arrayType) and
+      typeMember(host, any(DataFlow::Content c | c.isUnknownArrayElement()), type) and
+      value = array.getAnElement()
     )
   }
 

javascript/ql/test/library-tests/UnderlyingTypes/contextualTypes.ts

@@ -8,22 +8,30 @@ declare function doSomething(options: Options);
 
 function t1() {
     doSomething({
-        handle(req) { // $ MISSING: hasUnderlyingType='express'.Request
+        handle(req) { // $ hasUnderlyingType='express'.Request
         }
     });
 }
 
 function t2(callback: ((opts: Options) => void) | undefined) {
     callback({
-        handle(req) { } // $ MISSING: hasUnderlyingType='express'.Request
+        handle(req) { } // $ hasUnderlyingType='express'.Request
     })
     callback!({
-        handle(req) { } // $ MISSING: hasUnderlyingType='express'.Request
+        handle(req) { } // $ hasUnderlyingType='express'.Request
     })
 }
 
 function t3(): Options {
     return {
-        handle(req) { } // $ MISSING: hasUnderlyingType='express'.Request
+        handle(req) { } // $ hasUnderlyingType='express'.Request
     }
 }
+
+function t4(): Options[] {
+    return [
+        {
+            handle(req) { } // $ hasUnderlyingType='express'.Request
+        }
+    ]
+}