Merge pull request #9281 from erik-krogh/jsQL

JS: various QL-for-QL fixes

Author: erik-krogh

javascript/ql/lib/change-notes/2022-05-24-isLibraryFile.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `isLibaryFile` predicate from `ClassifyFiles.qll` has been renamed to `isLibraryFile` to fix a typo. 

javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll

@@ -87,7 +87,7 @@ module TaintTracking {
     override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {
       super.isLabeledBarrier(node, lbl)
       or
-      isSanitizer(node) and lbl.isTaint()
+      this.isSanitizer(node) and lbl.isTaint()
     }
 
     override predicate isBarrier(DataFlow::Node node) {
@@ -103,15 +103,15 @@ module TaintTracking {
     ) {
       super.isBarrierEdge(source, sink, lbl)
       or
-      isSanitizerEdge(source, sink, lbl)
+      this.isSanitizerEdge(source, sink, lbl)
       or
-      isSanitizerEdge(source, sink) and lbl.isTaint()
+      this.isSanitizerEdge(source, sink) and lbl.isTaint()
     }
 
     final override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) {
       super.isBarrierGuard(guard) or
       guard.(AdditionalSanitizerGuardNode).appliesTo(this) or
-      isSanitizerGuard(guard)
+      this.isSanitizerGuard(guard)
     }
 
     /**
@@ -121,14 +121,14 @@ module TaintTracking {
     predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
 
     final override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-      isAdditionalTaintStep(pred, succ) or
+      this.isAdditionalTaintStep(pred, succ) or
       sharedTaintStep(pred, succ)
     }
 
     final override predicate isAdditionalFlowStep(
       DataFlow::Node pred, DataFlow::Node succ, boolean valuePreserving
     ) {
-      isAdditionalFlowStep(pred, succ) and valuePreserving = false
+      this.isAdditionalFlowStep(pred, succ) and valuePreserving = false
     }
 
     override DataFlow::FlowLabel getDefaultSourceLabel() { result.isTaint() }
@@ -173,9 +173,9 @@ module TaintTracking {
     abstract predicate sanitizes(boolean outcome, Expr e);
 
     override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      sanitizes(outcome, e) and label.isTaint()
+      this.sanitizes(outcome, e) and label.isTaint()
       or
-      sanitizes(outcome, e, label)
+      this.sanitizes(outcome, e, label)
     }
 
     /**
@@ -1032,13 +1032,13 @@ module TaintTracking {
         name = "has" or
         name = "hasOwnProperty"
       |
-        getMethodName() = name
+        this.getMethodName() = name
       )
     }
 
     override predicate sanitizes(boolean outcome, Expr e) {
       outcome = true and
-      e = getArgument(0).asExpr()
+      e = this.getArgument(0).asExpr()
     }
 
     override predicate appliesTo(Configuration cfg) { any() }
@@ -1053,14 +1053,14 @@ module TaintTracking {
    */
   class AdHocWhitelistCheckSanitizer extends SanitizerGuardNode, DataFlow::CallNode {
     AdHocWhitelistCheckSanitizer() {
-      getCalleeName()
+      this.getCalleeName()
           .regexpMatch("(?i).*((?<!un)safe|whitelist|(?<!in)valid|allow|(?<!un)auth(?!or\\b)).*") and
-      getNumArgument() = 1
+      this.getNumArgument() = 1
     }
 
     override predicate sanitizes(boolean outcome, Expr e) {
       outcome = true and
-      e = getArgument(0).asExpr()
+      e = this.getArgument(0).asExpr()
     }
   }
 

javascript/ql/lib/semmle/javascript/filters/ClassifyFiles.qll

@@ -73,7 +73,10 @@ predicate isExternsFile(File f) {
 /**
  * Holds if `f` contains library code.
  */
-predicate isLibaryFile(File f) { f.getATopLevel() instanceof FrameworkLibraryInstance }
+predicate isLibraryFile(File f) { f.getATopLevel() instanceof FrameworkLibraryInstance }
+
+/** DEPRECATED: Alias for isLibraryFile */
+deprecated predicate isLibaryFile = isLibraryFile/1;
 
 /**
  * Holds if `f` contains template code.
@@ -106,7 +109,7 @@ predicate classify(File f, string category) {
   or
   isExternsFile(f) and category = "externs"
   or
-  isLibaryFile(f) and category = "library"
+  isLibraryFile(f) and category = "library"
   or
   isTemplateFile(f) and category = "template"
 }

javascript/ql/lib/semmle/javascript/frameworks/ClosureLibrary.qll

@@ -13,38 +13,40 @@ module ClosureLibrary {
         call = Closure::moduleImport("goog.string." + name).getACall() and succ = call
       |
         pred = call.getAnArgument() and
-        (
-          name = "canonicalizeNewlines" or
-          name = "capitalize" or
-          name = "collapseBreakingSpaces" or
-          name = "collapseWhitespace" or
-          name = "format" or
-          name = "makeSafe" or // makeSafe just guards against null and undefined
-          name = "newLineOrBr" or
-          name = "normalizeSpaces" or
-          name = "normalizeWhitespace" or
-          name = "preserveSpaces" or
-          name = "remove" or // removes first occurrence of a substring
-          name = "repeat" or
-          name = "splitLimit" or
-          name = "stripNewlines" or
-          name = "subs" or
-          name = "toCamelCase" or
-          name = "toSelectorCase" or
-          name = "toTitleCase" or
-          name = "trim" or
-          name = "trimLeft" or
-          name = "trimRight" or
-          name = "unescapeEntities" or
-          name = "whitespaceEscape"
-        )
+        name =
+          [
+            "canonicalizeNewlines", //
+            "capitalize", //
+            "collapseBreakingSpaces", //
+            "collapseWhitespace", //
+            "format", //
+            "makeSafe", // makeSafe just guards against null and undefined
+            "newLineOrBr", //
+            "normalizeSpaces", //
+            "normalizeWhitespace", //
+            "preserveSpaces", //
+            "remove", // removes first occurrence of a substring
+            "repeat", //
+            "splitLimit", //
+            "stripNewlines", //
+            "subs", //
+            "toCamelCase", //
+            "toSelectorCase", //
+            "toTitleCase", //
+            "trim", //
+            "trimLeft", //
+            "trimRight", //
+            "unescapeEntities", //
+            "whitespaceEscape"
+          ]
         or
         pred = call.getArgument(0) and
-        (
-          name = "truncate" or
-          name = "truncateMiddle" or
-          name = "unescapeEntitiesWithDocument"
-        )
+        name =
+          [
+            "truncate", //
+            "truncateMiddle", //
+            "unescapeEntitiesWithDocument", //
+          ]
       )
     }
   }

javascript/ql/lib/semmle/javascript/frameworks/Handlebars.qll

@@ -150,8 +150,6 @@ private module HandlebarsTaintSteps {
    * helpers registered.
    */
   class HandlebarsStep extends DataFlow::SharedFlowStep {
-    DataFlow::CallNode templatingCall;
-
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
       isHandlebarsArgStep(pred, succ)
     }

javascript/ql/lib/semmle/javascript/frameworks/History.qll

@@ -35,10 +35,10 @@ module History {
   /**
    * A user-controlled location value read from the [history](http://npmjs.org/package/history) library.
    */
-  private class HistoryLibaryRemoteFlow extends ClientSideRemoteFlowSource {
+  private class HistoryLibraryRemoteFlow extends ClientSideRemoteFlowSource {
     ClientSideRemoteFlowKind kind;
 
-    HistoryLibaryRemoteFlow() {
+    HistoryLibraryRemoteFlow() {
       exists(API::Node loc | loc = [getBrowserHistory(), getHashHistory()].getMember("location") |
         this = loc.getMember("hash").getAnImmediateUse() and kind.isFragment()
         or

javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll

@@ -362,29 +362,31 @@ private module ClosureLibraryUri {
         // static methods in goog.uri.utils
         arg = 0 and
         exists(string name | invoke = Closure::moduleImport("goog.uri.utils." + name).getACall() |
-          name = "appendParam" or // preserve taint from the original URI, but not from the appended param
-          name = "appendParams" or
-          name = "appendParamsFromMap" or
-          name = "appendPath" or
-          name = "getParamValue" or
-          name = "getParamValues" or
-          name = "getPath" or
-          name = "getPathAndAfter" or
-          name = "getQueryData" or
-          name = "parseQueryData" or
-          name = "removeFragment" or
-          name = "removeParam" or
-          name = "setParam" or
-          name = "setParamsFromMap" or
-          name = "setPath" or
-          name = "split"
+          name =
+            [
+              "appendParam", // preserve taint from the original URI, but not from the appended param
+              "appendParams", //
+              "appendParamsFromMap", //
+              "appendPath", //
+              "getParamValue", //
+              "getParamValues", //
+              "getPath", //
+              "getPathAndAfter", //
+              "getQueryData", //
+              "parseQueryData", //
+              "removeFragment", //
+              "removeParam", //
+              "setParam", //
+              "setParamsFromMap", //
+              "setPath", //
+              "split", //
+            ]
         )
         or
         // static methods in goog.string
         arg = 0 and
         exists(string name | invoke = Closure::moduleImport("goog.string." + name).getACall() |
-          name = "urlDecode" or
-          name = "urlEncode"
+          name = ["urlDecode", "urlEncode"]
         )
       )
     }

javascript/ql/lib/semmle/javascript/security/dataflow/ExceptionXssCustomizations.qll

@@ -5,7 +5,6 @@
  */
 
 import javascript
-import semmle.javascript.security.dataflow.RemoteFlowSources
 
 /**
  * Provides sources, sinks, and sanitizers for reasoning about

javascript/ql/src/Expressions/StringInsteadOfRegex.ql

@@ -14,13 +14,16 @@ import javascript
  * Gets a regular expression pattern that matches the syntax of likely regular expressions.
  */
 private string getALikelyRegExpPattern() {
-  result = "/.*/[gimuy]{1,5}" or // pattern with at least one flag: /foo/i
-  result = "/\\^.*/[gimuy]{0,5}" or // pattern with anchor: /^foo/
-  result = "/.*\\$/[gimuy]{0,5}" or // pattern with anchor: /foo$/
-  result = "\\^.*\\$" or // pattern body with anchors: ^foo$
-  result = ".*(?<!\\\\)\\\\[dDwWsSB].*" or // contains a builtin character class: \s
-  result = ".*(?<!\\\\)\\\\[\\[\\]()*+?{}|^$.].*" or // contains an escaped meta-character: \(
-  result = ".*\\[\\^?[\\p{Alnum}\\p{Blank}_-]+\\][*+].*" // contains a quantified custom character class: [^a-zA-Z123]+
+  result =
+    [
+      "/.*/[gimuy]{1,5}", // pattern with at least one flag: /foo/i
+      "/\\^.*/[gimuy]{0,5}", // pattern with anchor: /^foo/
+      "/.*\\$/[gimuy]{0,5}", // pattern with anchor: /foo$/
+      "\\^.*\\$", // pattern body with anchors: ^foo$
+      ".*(?<!\\\\)\\\\[dDwWsSB].*", // contains a builtin character class: \s
+      ".*(?<!\\\\)\\\\[\\[\\]()*+?{}|^$.].*", // contains an escaped meta-character: \(
+      ".*\\[\\^?[\\p{Alnum}\\p{Blank}_-]+\\][*+].*" // contains a quantified custom character class: [^a-zA-Z123]+
+    ]
 }
 
 /**

javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql

@@ -24,7 +24,7 @@ class DangerousScheme extends string {
   string getWithoutColon() { this = result + ":" }
 
   /** Gets the name of this scheme, with or without the `:`. */
-  string getWithOrWithoutColon() { result = this or result = getWithoutColon() }
+  string getWithOrWithoutColon() { result = this or result = this.getWithoutColon() }
 }
 
 /** Returns a node that refers to the scheme of `url`. */