Merge pull request #2758 from asger-semmle/js/string-concat-concat

esbena · web-flow · commit f6ad22dd1fd6 · 2020-02-05T10:41:02.000+01:00
JS: Model concat() calls as string concatenation
diff --git a/javascript/ql/src/semmle/javascript/StringConcatenation.qll b/javascript/ql/src/semmle/javascript/StringConcatenation.qll
@@ -51,6 +51,24 @@ module StringConcatenation {
       call = Closure::moduleImport("goog.string.buildString").getACall() and
       result = call.getArgument(n)
     )
+    or
+    exists(DataFlow::MethodCallNode call |
+      node = call and
+      call.getMethodName() = "concat" and
+      not (
+        exists(DataFlow::ArrayCreationNode array |
+          array.flowsTo(call.getAnArgument()) or array.flowsTo(call.getReceiver())
+        )
+        or
+        DataFlow::reflectiveCallNode(_) = call
+      ) and
+      (
+        n = 0 and
+        result = call.getReceiver()
+        or
+        result = call.getArgument(n - 1)
+      )
+    )
   }
 
   /** Gets an operand to the string concatenation defining `node`. */
diff --git a/javascript/ql/test/library-tests/StringConcatenation/ClassContainsTwo.expected b/javascript/ql/test/library-tests/StringConcatenation/ClassContainsTwo.expected
@@ -42,3 +42,7 @@
 | tst.js:89:3:89:3 | x |
 | tst.js:89:3:89:14 | x += 'three' |
 | tst.js:90:10:90:10 | x |
+| tst.js:95:3:95:30 | x = x.c ... three') |
+| tst.js:95:7:95:30 | x.conca ... three') |
+| tst.js:95:16:95:20 | 'two' |
+| tst.js:96:10:96:10 | x |
diff --git a/javascript/ql/test/library-tests/StringConcatenation/ContainsTwo.expected b/javascript/ql/test/library-tests/StringConcatenation/ContainsTwo.expected
@@ -42,3 +42,7 @@
 | tst.js:89:3:89:3 | x |
 | tst.js:89:3:89:14 | x += 'three' |
 | tst.js:90:10:90:10 | x |
+| tst.js:95:3:95:30 | x = x.c ... three') |
+| tst.js:95:7:95:30 | x.conca ... three') |
+| tst.js:95:16:95:20 | 'two' |
+| tst.js:96:10:96:10 | x |
diff --git a/javascript/ql/test/library-tests/StringConcatenation/StringOps.expected b/javascript/ql/test/library-tests/StringConcatenation/StringOps.expected
@@ -45,6 +45,7 @@ concatenation
 | tst.js:87:5:87:14 | x += 'two' |
 | tst.js:89:3:89:14 | x |
 | tst.js:89:3:89:14 | x += 'three' |
+| tst.js:95:7:95:30 | x.conca ... three') |
 concatenationOperand
 | closure.js:5:1:5:37 | build(' ... 'four') |
 | closure.js:5:7:5:11 | 'one' |
@@ -123,6 +124,9 @@ concatenationOperand
 | tst.js:87:10:87:14 | 'two' |
 | tst.js:89:3:89:3 | x |
 | tst.js:89:8:89:14 | 'three' |
+| tst.js:95:7:95:7 | x |
+| tst.js:95:16:95:20 | 'two' |
+| tst.js:95:23:95:29 | 'three' |
 concatenationLeaf
 | closure.js:5:7:5:11 | 'one' |
 | closure.js:5:14:5:18 | 'two' |
@@ -192,6 +196,9 @@ concatenationLeaf
 | tst.js:87:10:87:14 | 'two' |
 | tst.js:89:3:89:3 | x |
 | tst.js:89:8:89:14 | 'three' |
+| tst.js:95:7:95:7 | x |
+| tst.js:95:16:95:20 | 'two' |
+| tst.js:95:23:95:29 | 'three' |
 concatenationNode
 | closure.js:5:1:5:37 | build(' ... 'four') |
 | closure.js:5:1:5:46 | build(' ...  'five' |
@@ -307,6 +314,10 @@ concatenationNode
 | tst.js:89:3:89:14 | x |
 | tst.js:89:3:89:14 | x += 'three' |
 | tst.js:89:8:89:14 | 'three' |
+| tst.js:95:7:95:7 | x |
+| tst.js:95:7:95:30 | x.conca ... three') |
+| tst.js:95:16:95:20 | 'two' |
+| tst.js:95:23:95:29 | 'three' |
 operand
 | closure.js:5:1:5:37 | build(' ... 'four') | 0 | closure.js:5:7:5:11 | 'one' |
 | closure.js:5:1:5:37 | build(' ... 'four') | 1 | closure.js:5:14:5:28 | 'two' + 'three' |
@@ -407,6 +418,9 @@ operand
 | tst.js:89:3:89:14 | x | 1 | tst.js:89:8:89:14 | 'three' |
 | tst.js:89:3:89:14 | x += 'three' | 0 | tst.js:89:3:89:3 | x |
 | tst.js:89:3:89:14 | x += 'three' | 1 | tst.js:89:8:89:14 | 'three' |
+| tst.js:95:7:95:30 | x.conca ... three') | 0 | tst.js:95:7:95:7 | x |
+| tst.js:95:7:95:30 | x.conca ... three') | 1 | tst.js:95:16:95:20 | 'two' |
+| tst.js:95:7:95:30 | x.conca ... three') | 2 | tst.js:95:23:95:29 | 'three' |
 nextLeaf
 | closure.js:5:7:5:11 | 'one' | closure.js:5:14:5:18 | 'two' |
 | closure.js:5:14:5:18 | 'two' | closure.js:5:22:5:28 | 'three' |
@@ -450,6 +464,8 @@ nextLeaf
 | tst.js:61:27:61:27 | x | tst.js:61:29:61:33 |  last |
 | tst.js:87:5:87:5 | x | tst.js:87:10:87:14 | 'two' |
 | tst.js:89:3:89:3 | x | tst.js:89:8:89:14 | 'three' |
+| tst.js:95:7:95:7 | x | tst.js:95:16:95:20 | 'two' |
+| tst.js:95:16:95:20 | 'two' | tst.js:95:23:95:29 | 'three' |
 htmlRoot
 | html-concat.js:2:14:2:26 | `<b>${x}</b>` |
 | html-concat.js:3:14:3:26 | `<B>${x}</B>` |
diff --git a/javascript/ql/test/library-tests/StringConcatenation/tst.js b/javascript/ql/test/library-tests/StringConcatenation/tst.js
@@ -89,3 +89,13 @@ function addExprPhi(b) {
   x += 'three';
   return x;
 }
+
+function concatCall() {
+  let x = 'one';
+  x = x.concat('two', 'three');
+  return x;
+}
+
+function arrayConcat(a, b) {
+  return [].concat(a, b);
+}
