Merge pull request #383 from esben-semmle/js/unused-eval-variable

semmle-qlci · web-flow · commit f00863fb5898 · 2018-10-31T10:42:55.000Z
Approved by xiemaisi
diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md
@@ -35,6 +35,7 @@
 | Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. |
 | Missing CSRF middleware | Fewer false-positive results | This rule now recognizes additional CSRF protection middlewares. |
 | Server-side URL redirect | More results | This rule now recognizes redirection calls in more cases. |
+| Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that may be used by `eval` calls. |
 | Unused variable, import, function or class | Fewer results | This rule now flags import statements with multiple unused imports once. |
 | User-controlled bypass of security check | Fewer results | This rule no longer flags conditions that guard early returns. The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. | 
 | Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. |
diff --git a/javascript/ql/src/Declarations/UnusedVariable.ql b/javascript/ql/src/Declarations/UnusedVariable.ql
@@ -163,6 +163,12 @@ predicate whitelisted(UnusedLocal v) {
     isEnumMember(vd) or
     // ignore ambient declarations - too noisy
     vd.isAmbient()
+  ) or
+  exists (DirectEval eval |
+    // eval nearby
+    eval.getEnclosingFunction() = v.getADeclaration().getEnclosingFunction() and
+    // ... but not on the RHS
+    not v.getAnAssignedExpr() = eval
   )
 }
 
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected
@@ -1,6 +1,8 @@
 | Babelrc/importPragma.jsx:2:1:2:27 | import  ... react'; | Unused import q. |
 | decorated.ts:1:1:1:126 | import  ... where'; | Unused import actionHandler. |
 | decorated.ts:4:10:4:12 | fun | Unused function fun. |
+| eval.js:10:9:10:24 | not_used_by_eval | Unused variable not_used_by_eval. |
+| eval.js:19:9:19:24 | not_used_by_eval | Unused variable not_used_by_eval. |
 | externs.js:6:5:6:13 | iAmUnused | Unused variable iAmUnused. |
 | importWithoutPragma.jsx:1:1:1:27 | import  ... react'; | Unused import h. |
 | multi-imports.js:1:1:1:29 | import  ... om 'x'; | Unused imports a, b, d. |
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/eval.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/eval.js
@@ -0,0 +1,20 @@
+(function(){
+    var used_by_eval = f();
+    eval(src);
+});
+(function(){
+    eval(src);
+    var used_by_eval = f();
+});
+(function(){
+    var not_used_by_eval = f();
+    (function(){
+        eval(src);
+    })
+});
+(function(){
+    (function(){
+        eval(src);
+    })
+    var not_used_by_eval = f();
+});

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,12 @@ predicate whitelisted(UnusedLocal v) {`
`163`	`163`	`isEnumMember(vd) or`
`164`	`164`	`// ignore ambient declarations - too noisy`
`165`	`165`	`vd.isAmbient()`
	`166`	`+ ) or`
	`167`	`+ exists (DirectEval eval \|`
	`168`	`+ // eval nearby`
	`169`	`+ eval.getEnclosingFunction() = v.getADeclaration().getEnclosingFunction() and`
	`170`	`+ // ... but not on the RHS`
	`171`	`+ not v.getAnAssignedExpr() = eval`
`166`	`172`	`)`
`167`	`173`	`}`
`168`	`174`