JS: Do not generate def-nodes for decorated parameters

asgerf · asgerf · commit 75a84378ac81 · 2022-03-29T16:13:45.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -813,12 +813,6 @@ module API {
         lbl = Label::decoratedMember() and
         ref = DataFlow::valueNode(method.getBody())
       )
-      or
-      exists(Parameter param |
-        useNodeFlowsToDecorator(base, param.getADecorator()) and
-        lbl = Label::decoratedParameter() and
-        ref = DataFlow::parameterNode(param)
-      )
     }
 
     /** Holds if `ref` is a use that should have an incoming edge from `base` labelled `lbl`, induced by a decorator. */
@@ -829,6 +823,12 @@ module API {
         lbl = Label::decoratedMember() and
         ref = DataFlow::parameterNode(accessor.getBody().getParameter(0))
       )
+      or
+      exists(Parameter param |
+        useNodeFlowsToDecorator(base, param.getADecorator()) and
+        lbl = Label::decoratedParameter() and
+        ref = DataFlow::parameterNode(param)
+      )
     }
 
     /** Holds if `rhs` is a def node that should have an incoming edge from `base` labelled `lbl`, induced by a decorator. */
diff --git a/javascript/ql/test/library-tests/frameworks/data/paramDecorator.ts b/javascript/ql/test/library-tests/frameworks/data/paramDecorator.ts
@@ -6,12 +6,12 @@ class C {
   decoratedParamSource(@testlib.ParamDecoratorSource x) {
     sink(x) // NOT OK
   }
-  decoratedParamSink(@testlib.ParamDecoratorSink x) { // NOT OK - though slightly weird alert location
+  decoratedParamSink(@testlib.ParamDecoratorSink x) { // OK
   }
   decoratedParamSink2(@testlib.ParamDecoratorSink x) { // OK
-    x.push(source());
+    x.push(source()); // OK
   }
 }
 
-new C().decoratedParamSink(source());
-new C().decoratedParamSink2([]);
+new C().decoratedParamSink(source()); // OK - parameter decorators can't be used to mark the parameter as a sink
+new C().decoratedParamSink2([]); // OK
diff --git a/javascript/ql/test/library-tests/frameworks/data/test.expected b/javascript/ql/test/library-tests/frameworks/data/test.expected
@@ -1,9 +1,6 @@
 consistencyIssue
-| library-tests/frameworks/data/paramDecorator.ts:11 | did not expect an alert, but found an alert for BasicTaintTracking | OK |  |
 taintFlow
 | paramDecorator.ts:6:54:6:54 | x | paramDecorator.ts:7:10:7:10 | x |
-| paramDecorator.ts:12:12:12:19 | source() | paramDecorator.ts:11:51:11:51 | x |
-| paramDecorator.ts:16:28:16:35 | source() | paramDecorator.ts:9:50:9:50 | x |
 | test.js:5:30:5:37 | source() | test.js:5:8:5:38 | testlib ... urce()) |
 | test.js:6:22:6:29 | source() | test.js:6:8:6:30 | preserv ... urce()) |
 | test.js:7:41:7:48 | source() | test.js:7:8:7:49 | require ... urce()) |
@@ -59,8 +56,6 @@ taintFlow
 | test.js:187:31:187:31 | x | test.js:189:10:189:10 | x |
 | test.js:203:32:203:39 | source() | test.js:203:32:203:39 | source() |
 isSink
-| paramDecorator.ts:9:50:9:50 | x | test-sink |
-| paramDecorator.ts:11:51:11:51 | x | test-sink |
 | test.js:54:18:54:25 | source() | test-sink |
 | test.js:55:22:55:29 | source() | test-sink |
 | test.js:57:24:57:31 | source() | test-sink |

Original file line number	Diff line number	Diff line change
`@@ -813,12 +813,6 @@ module API {`
`813`	`813`	`lbl = Label::decoratedMember() and`
`814`	`814`	`ref = DataFlow::valueNode(method.getBody())`
`815`	`815`	`)`
`816`		`- or`
`817`		`- exists(Parameter param \|`
`818`		`- useNodeFlowsToDecorator(base, param.getADecorator()) and`
`819`		`- lbl = Label::decoratedParameter() and`
`820`		`- ref = DataFlow::parameterNode(param)`
`821`		`- )`
`822`	`816`	`}`
`823`	`817`
`824`	`818`	/** Holds if `ref` is a use that should have an incoming edge from `base` labelled `lbl`, induced by a decorator. */
`@@ -829,6 +823,12 @@ module API {`
`829`	`823`	`lbl = Label::decoratedMember() and`
`830`	`824`	`ref = DataFlow::parameterNode(accessor.getBody().getParameter(0))`
`831`	`825`	`)`
	`826`	`+ or`
	`827`	`+ exists(Parameter param \|`
	`828`	`+ useNodeFlowsToDecorator(base, param.getADecorator()) and`
	`829`	`+ lbl = Label::decoratedParameter() and`
	`830`	`+ ref = DataFlow::parameterNode(param)`
	`831`	`+ )`
`832`	`832`	`}`
`833`	`833`
`834`	`834`	/** Holds if `rhs` is a def node that should have an incoming edge from `base` labelled `lbl`, induced by a decorator. */
Original file line number	Diff line number	Diff line change
`@@ -6,12 +6,12 @@ class C {`
`6`	`6`	`decoratedParamSource(@testlib.ParamDecoratorSource x) {`
`7`	`7`	`sink(x) // NOT OK`
`8`	`8`	`}`
`9`		`- decoratedParamSink(@testlib.ParamDecoratorSink x) { // NOT OK - though slightly weird alert location`
	`9`	`+ decoratedParamSink(@testlib.ParamDecoratorSink x) { // OK`
`10`	`10`	`}`
`11`	`11`	`decoratedParamSink2(@testlib.ParamDecoratorSink x) { // OK`
`12`		`- x.push(source());`
	`12`	`+ x.push(source()); // OK`
`13`	`13`	`}`
`14`	`14`	`}`
`15`	`15`
`16`		`-new C().decoratedParamSink(source());`
`17`		`-new C().decoratedParamSink2([]);`
	`16`	`+new C().decoratedParamSink(source()); // OK - parameter decorators can't be used to mark the parameter as a sink`
	`17`	`+new C().decoratedParamSink2([]); // OK`