change ArrayCreationStep to a PreCallGraphStep and unrestrict the storeStep

erik-krogh · erik-krogh · commit 7b1ef7473e3d · 2022-08-22T08:15:54.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/Arrays.qll b/javascript/ql/lib/semmle/javascript/Arrays.qll
@@ -261,14 +261,12 @@ private module ArrayDataFlow {
   /**
    * A step for creating an array and storing the elements in the array.
    */
-  private class ArrayCreationStep extends DataFlow::SharedFlowStep {
+  private class ArrayCreationStep extends PreCallGraphStep {
     override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {
       exists(DataFlow::ArrayCreationNode array, int i |
         element = array.getElement(i) and
         obj = array and
-        if array = any(PromiseAllCreation c).getArrayNode()
-        then prop = arrayElement(i)
-        else prop = arrayElement()
+        prop = arrayElement(i)
       )
     }
   }
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/tests.expected b/javascript/ql/test/library-tests/InterProceduralFlow/tests.expected
@@ -14,6 +14,7 @@ dataFlow
 | callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
 | callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
 | callback.js:27:15:27:23 | "source3" | callback.js:13:14:13:14 | x |
+| destructuring.js:2:16:2:24 | "tainted" | destructuring.js:5:14:5:20 | tainted |
 | destructuring.js:2:16:2:24 | "tainted" | destructuring.js:9:15:9:22 | tainted2 |
 | destructuring.js:19:15:19:23 | "tainted" | destructuring.js:14:15:14:15 | p |
 | destructuring.js:20:15:20:28 | "also tainted" | destructuring.js:15:15:15:15 | r |
@@ -201,6 +202,7 @@ germanFlow
 | callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
 | callback.js:27:15:27:23 | "source3" | callback.js:13:14:13:14 | x |
 | custom.js:1:14:1:26 | "verschmutzt" | custom.js:2:15:2:20 | quelle |
+| destructuring.js:2:16:2:24 | "tainted" | destructuring.js:5:14:5:20 | tainted |
 | destructuring.js:2:16:2:24 | "tainted" | destructuring.js:9:15:9:22 | tainted2 |
 | destructuring.js:19:15:19:23 | "tainted" | destructuring.js:14:15:14:15 | p |
 | destructuring.js:20:15:20:28 | "also tainted" | destructuring.js:15:15:15:15 | r |
diff --git a/javascript/ql/test/library-tests/frameworks/Collections/test.expected b/javascript/ql/test/library-tests/frameworks/Collections/test.expected
@@ -24,6 +24,7 @@ typeTracking
 | tst.js:2:16:2:23 | source() | tst.js:29:14:29:14 | e |
 | tst.js:2:16:2:23 | source() | tst.js:33:14:33:14 | e |
 | tst.js:2:16:2:23 | source() | tst.js:37:14:37:14 | e |
+| tst.js:2:16:2:23 | source() | tst.js:41:14:41:14 | e |
 | tst.js:2:16:2:23 | source() | tst.js:45:14:45:14 | e |
 | tst.js:2:16:2:23 | source() | tst.js:53:8:53:21 | map.get("key") |
 | tst.js:2:16:2:23 | source() | tst.js:59:8:59:22 | map2.get("foo") |
diff --git a/javascript/ql/test/library-tests/frameworks/Collections/tst.js b/javascript/ql/test/library-tests/frameworks/Collections/tst.js
@@ -39,7 +39,7 @@
   }
 
   for (const e of new Set([source])) {
-	sink(e); // NOT OK (not caught by type-tracking, as it doesn't include array steps).
+	sink(e); // NOT OK
   }
 
   for (const e of new Set(set)) {
diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteHandlerCandidate.expected b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteHandlerCandidate.expected
@@ -1,5 +1,4 @@
 | src/hapi.js:1:1:1:30 | functio ... t, h){} | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
-| src/iterated-handlers.js:4:2:4:22 | functio ...  res){} | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
 | src/route-objects.js:7:19:7:38 | function(req, res){} | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
 | src/route-objects.js:8:12:10:5 | (req, res) {\\n\\n    } | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
 | src/route-objects.js:20:16:22:9 | (req, r ...       } | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/tests.expected b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/tests.expected
@@ -16,6 +16,7 @@ routeHandler
 | src/exported-middleware-attacher.js:2:13:2:32 | function(req, res){} |
 | src/handler-in-property.js:5:14:5:33 | function(req, res){} |
 | src/handler-in-property.js:12:18:12:37 | function(req, res){} |
+| src/iterated-handlers.js:4:2:4:22 | functio ...  res){} |
 | src/middleware-attacher-getter.js:4:17:4:36 | function(req, res){} |
 | src/middleware-attacher-getter.js:19:19:19:38 | function(req, res){} |
 | src/middleware-attacher-getter.js:29:32:29:51 | function(req, res){} |

Original file line number	Diff line number	Diff line change
`@@ -261,14 +261,12 @@ private module ArrayDataFlow {`
`261`	`261`	`/**`
`262`	`262`	`* A step for creating an array and storing the elements in the array.`
`263`	`263`	`*/`
`264`		`- private class ArrayCreationStep extends DataFlow::SharedFlowStep {`
	`264`	`+ private class ArrayCreationStep extends PreCallGraphStep {`
`265`	`265`	`override predicate storeStep(DataFlow::Node element, DataFlow::SourceNode obj, string prop) {`
`266`	`266`	`exists(DataFlow::ArrayCreationNode array, int i \|`
`267`	`267`	`element = array.getElement(i) and`
`268`	`268`	`obj = array and`
`269`		`- if array = any(PromiseAllCreation c).getArrayNode()`
`270`		`- then prop = arrayElement(i)`
`271`		`- else prop = arrayElement()`
	`269`	`+ prop = arrayElement(i)`
`272`	`270`	`)`
`273`	`271`	`}`
`274`	`272`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`for (const e of new Set([source])) {`
`42`		`- sink(e); // NOT OK (not caught by type-tracking, as it doesn't include array steps).`
	`42`	`+ sink(e); // NOT OK`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`for (const e of new Set(set)) {`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`	\| src/hapi.js:1:1:1:30 \| functio ... t, h){} \| A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. \|
`2`		-\| src/iterated-handlers.js:4:2:4:22 \| functio ... res){} \| A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. \|
`3`	`2`	\| src/route-objects.js:7:19:7:38 \| function(req, res){} \| A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. \|
`4`	`3`	\| src/route-objects.js:8:12:10:5 \| (req, res) {\\n\\n } \| A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. \|
`5`	`4`	\| src/route-objects.js:20:16:22:9 \| (req, r ... } \| A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. \|