Merge pull request #8533 from asgerf/mad-receiver-token

JS/Ruby: Represent non-positional arguments with Argument/Parameter tokens

Author: asgerf

javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll

@@ -120,6 +120,10 @@ API::Node getExtraSuccessorFromNode(API::Node node, AccessPathToken token) {
   // API graphs do not use store/load steps for arrays
   token.getName() = ["ArrayElement", "Element"] and
   result = node.getUnknownMember()
+  or
+  token.getName() = "Parameter" and
+  token.getAnArgument() = "this" and
+  result = node.getReceiver()
 }
 
 /**
@@ -129,6 +133,10 @@ bindingset[token]
 API::Node getExtraSuccessorFromInvoke(API::InvokeNode node, AccessPathToken token) {
   token.getName() = "Instance" and
   result = node.getInstance()
+  or
+  token.getName() = "Argument" and
+  token.getAnArgument() = "this" and
+  result.getARhs() = node.(DataFlow::CallNode).getReceiver()
 }
 
 /**

javascript/ql/test/library-tests/frameworks/data/test.expected

@@ -14,69 +14,73 @@ taintFlow
 | test.js:24:43:24:50 | source() | test.js:24:8:24:51 | testlib ... urce()) |
 | test.js:31:29:31:36 | source() | test.js:32:10:32:10 | y |
 | test.js:37:29:37:36 | source() | test.js:38:10:38:10 | y |
-| test.js:46:18:46:25 | source() | test.js:46:18:46:25 | source() |
-| test.js:47:22:47:29 | source() | test.js:47:22:47:29 | source() |
-| test.js:49:24:49:31 | source() | test.js:49:24:49:31 | source() |
-| test.js:53:27:53:34 | source() | test.js:53:27:53:34 | source() |
-| test.js:58:31:58:38 | source() | test.js:58:31:58:38 | source() |
-| test.js:62:34:62:41 | source() | test.js:62:34:62:41 | source() |
-| test.js:67:31:67:38 | source() | test.js:67:31:67:38 | source() |
-| test.js:68:34:68:41 | source() | test.js:68:34:68:41 | source() |
-| test.js:72:36:72:43 | source() | test.js:72:36:72:43 | source() |
-| test.js:73:39:73:46 | source() | test.js:73:39:73:46 | source() |
-| test.js:75:28:75:35 | source() | test.js:75:28:75:35 | source() |
-| test.js:76:31:76:38 | source() | test.js:76:31:76:38 | source() |
-| test.js:77:34:77:41 | source() | test.js:77:34:77:41 | source() |
-| test.js:81:28:81:35 | source() | test.js:81:28:81:35 | source() |
-| test.js:87:17:87:24 | source() | test.js:87:17:87:24 | source() |
-| test.js:88:17:88:24 | source() | test.js:88:17:88:24 | source() |
-| test.js:89:17:89:24 | source() | test.js:89:17:89:24 | source() |
+| test.js:43:29:43:36 | source() | test.js:44:10:44:10 | y |
+| test.js:47:33:47:40 | source() | test.js:49:10:49:13 | this |
+| test.js:54:18:54:25 | source() | test.js:54:18:54:25 | source() |
+| test.js:55:22:55:29 | source() | test.js:55:22:55:29 | source() |
+| test.js:57:24:57:31 | source() | test.js:57:24:57:31 | source() |
+| test.js:61:27:61:34 | source() | test.js:61:27:61:34 | source() |
+| test.js:66:31:66:38 | source() | test.js:66:31:66:38 | source() |
+| test.js:70:34:70:41 | source() | test.js:70:34:70:41 | source() |
+| test.js:75:31:75:38 | source() | test.js:75:31:75:38 | source() |
+| test.js:76:34:76:41 | source() | test.js:76:34:76:41 | source() |
+| test.js:80:36:80:43 | source() | test.js:80:36:80:43 | source() |
+| test.js:81:39:81:46 | source() | test.js:81:39:81:46 | source() |
+| test.js:83:28:83:35 | source() | test.js:83:28:83:35 | source() |
+| test.js:84:31:84:38 | source() | test.js:84:31:84:38 | source() |
+| test.js:85:34:85:41 | source() | test.js:85:34:85:41 | source() |
+| test.js:89:28:89:35 | source() | test.js:89:28:89:35 | source() |
+| test.js:95:17:95:24 | source() | test.js:95:17:95:24 | source() |
+| test.js:96:17:96:24 | source() | test.js:96:17:96:24 | source() |
+| test.js:97:17:97:24 | source() | test.js:97:17:97:24 | source() |
+| test.js:102:16:102:34 | testlib.getSource() | test.js:103:8:103:13 | source |
+| test.js:102:16:102:34 | testlib.getSource() | test.js:104:8:104:24 | source.continue() |
 isSink
-| test.js:46:18:46:25 | source() | test-sink |
-| test.js:47:22:47:29 | source() | test-sink |
-| test.js:49:24:49:31 | source() | test-sink |
-| test.js:53:27:53:34 | source() | test-sink |
-| test.js:55:38:55:38 | 4 | test-sink |
-| test.js:56:38:56:38 | 4 | test-sink |
-| test.js:57:38:57:38 | 4 | test-sink |
-| test.js:58:31:58:38 | source() | test-sink |
-| test.js:60:41:60:41 | 3 | test-sink |
-| test.js:61:41:61:41 | 3 | test-sink |
-| test.js:62:34:62:41 | source() | test-sink |
-| test.js:63:34:63:34 | 3 | test-sink |
-| test.js:65:38:65:38 | 3 | test-sink |
-| test.js:65:41:65:41 | 4 | test-sink |
-| test.js:66:38:66:38 | 3 | test-sink |
-| test.js:66:41:66:41 | 4 | test-sink |
-| test.js:67:31:67:38 | source() | test-sink |
-| test.js:67:41:67:41 | 4 | test-sink |
-| test.js:68:31:68:31 | 3 | test-sink |
-| test.js:68:34:68:41 | source() | test-sink |
-| test.js:70:43:70:43 | 3 | test-sink |
-| test.js:70:46:70:46 | 4 | test-sink |
-| test.js:71:43:71:43 | 3 | test-sink |
-| test.js:71:46:71:46 | 4 | test-sink |
-| test.js:72:36:72:43 | source() | test-sink |
-| test.js:72:46:72:46 | 4 | test-sink |
-| test.js:73:36:73:36 | 3 | test-sink |
-| test.js:73:39:73:46 | source() | test-sink |
-| test.js:75:28:75:35 | source() | test-sink |
-| test.js:75:38:75:38 | 2 | test-sink |
-| test.js:75:41:75:41 | 3 | test-sink |
-| test.js:76:28:76:28 | 1 | test-sink |
-| test.js:76:31:76:38 | source() | test-sink |
-| test.js:76:41:76:41 | 3 | test-sink |
-| test.js:77:28:77:28 | 1 | test-sink |
-| test.js:77:31:77:31 | 2 | test-sink |
-| test.js:77:34:77:41 | source() | test-sink |
-| test.js:78:28:78:28 | 1 | test-sink |
-| test.js:78:31:78:31 | 2 | test-sink |
-| test.js:78:34:78:34 | 3 | test-sink |
-| test.js:81:28:81:35 | source() | test-sink |
-| test.js:82:28:82:28 | 1 | test-sink |
-| test.js:87:17:87:24 | source() | test-sink |
-| test.js:88:17:88:24 | source() | test-sink |
-| test.js:89:17:89:24 | source() | test-sink |
+| test.js:54:18:54:25 | source() | test-sink |
+| test.js:55:22:55:29 | source() | test-sink |
+| test.js:57:24:57:31 | source() | test-sink |
+| test.js:61:27:61:34 | source() | test-sink |
+| test.js:63:38:63:38 | 4 | test-sink |
+| test.js:64:38:64:38 | 4 | test-sink |
+| test.js:65:38:65:38 | 4 | test-sink |
+| test.js:66:31:66:38 | source() | test-sink |
+| test.js:68:41:68:41 | 3 | test-sink |
+| test.js:69:41:69:41 | 3 | test-sink |
+| test.js:70:34:70:41 | source() | test-sink |
+| test.js:71:34:71:34 | 3 | test-sink |
+| test.js:73:38:73:38 | 3 | test-sink |
+| test.js:73:41:73:41 | 4 | test-sink |
+| test.js:74:38:74:38 | 3 | test-sink |
+| test.js:74:41:74:41 | 4 | test-sink |
+| test.js:75:31:75:38 | source() | test-sink |
+| test.js:75:41:75:41 | 4 | test-sink |
+| test.js:76:31:76:31 | 3 | test-sink |
+| test.js:76:34:76:41 | source() | test-sink |
+| test.js:78:43:78:43 | 3 | test-sink |
+| test.js:78:46:78:46 | 4 | test-sink |
+| test.js:79:43:79:43 | 3 | test-sink |
+| test.js:79:46:79:46 | 4 | test-sink |
+| test.js:80:36:80:43 | source() | test-sink |
+| test.js:80:46:80:46 | 4 | test-sink |
+| test.js:81:36:81:36 | 3 | test-sink |
+| test.js:81:39:81:46 | source() | test-sink |
+| test.js:83:28:83:35 | source() | test-sink |
+| test.js:83:38:83:38 | 2 | test-sink |
+| test.js:83:41:83:41 | 3 | test-sink |
+| test.js:84:28:84:28 | 1 | test-sink |
+| test.js:84:31:84:38 | source() | test-sink |
+| test.js:84:41:84:41 | 3 | test-sink |
+| test.js:85:28:85:28 | 1 | test-sink |
+| test.js:85:31:85:31 | 2 | test-sink |
+| test.js:85:34:85:41 | source() | test-sink |
+| test.js:86:28:86:28 | 1 | test-sink |
+| test.js:86:31:86:31 | 2 | test-sink |
+| test.js:86:34:86:34 | 3 | test-sink |
+| test.js:89:28:89:35 | source() | test-sink |
+| test.js:90:28:90:28 | 1 | test-sink |
+| test.js:95:17:95:24 | source() | test-sink |
+| test.js:96:17:96:24 | source() | test-sink |
+| test.js:97:17:97:24 | source() | test-sink |
 syntaxErrors
 | Member[foo |
 | Member[foo] .Member[bar] |

javascript/ql/test/library-tests/frameworks/data/test.js

@@ -40,6 +40,14 @@ function testPreserveTaint() {
   testlib.taintIntoCallback(source(), undefined, undefined, y => {
     sink(y); // OK - only callback 1-2 receive taint
   });
+  testlib.taintIntoCallback(source(), function(y) {
+    sink(y); // NOT OK
+    sink(this); // OK - receiver is not tainted
+  });
+  testlib.taintIntoCallbackThis(source(), function(y) {
+    sink(y); // OK - only receiver is tainted
+    sink(this); // NOT OK
+  });
 }
 
 function testSinks() {
@@ -89,3 +97,10 @@ function testSinks() {
   testlib.sink3(source()); // NOT OK
   testlib.sink4(source()); // OK
 }
+
+function testFlowThroughReceiver() {
+  let source = testlib.getSource();
+  sink(source); // NOT OK
+  sink(source.continue()); // NOT OK
+  sink(source.blah()); // OK
+}

javascript/ql/test/library-tests/frameworks/data/test.ql

@@ -9,9 +9,11 @@ class Steps extends ModelInput::SummaryModelCsv {
       [
         "testlib;;Member[preserveTaint];Argument[0];ReturnValue;taint",
         "testlib;;Member[taintIntoCallback];Argument[0];Argument[1..2].Parameter[0];taint",
+        "testlib;;Member[taintIntoCallbackThis];Argument[0];Argument[1..2].Parameter[this];taint",
         "testlib;;Member[preserveArgZeroAndTwo];Argument[0,2];ReturnValue;taint",
         "testlib;;Member[preserveAllButFirstArgument];Argument[1..];ReturnValue;taint",
-        "testlib;;Member[preserveAllIfCall].Call;Argument[0..];ReturnValue;taint"
+        "testlib;;Member[preserveAllIfCall].Call;Argument[0..];ReturnValue;taint",
+        "testlib;;Member[getSource].ReturnValue.Member[continue];Argument[this];ReturnValue;taint",
       ]
   }
 }
@@ -35,11 +37,17 @@ class Sinks extends ModelInput::SinkModelCsv {
   }
 }
 
+class Sources extends ModelInput::SourceModelCsv {
+  override predicate row(string row) { row = "testlib;;Member[getSource].ReturnValue;test-source" }
+}
+
 class BasicTaintTracking extends TaintTracking::Configuration {
   BasicTaintTracking() { this = "BasicTaintTracking" }
 
   override predicate isSource(DataFlow::Node source) {
     source.(DataFlow::CallNode).getCalleeName() = "source"
+    or
+    source = ModelOutput::getASourceNode("test-source").getAnImmediateUse()
   }
 
   override predicate isSink(DataFlow::Node sink) {

ruby/ql/lib/codeql/ruby/ApiGraphs.qll

@@ -473,36 +473,6 @@ module API {
     /** Gets a data flow node that flows to the RHS of a def-node. */
     private DataFlow::LocalSourceNode defCand() { result = defCand(TypeBackTracker::end()) }
 
-    private Label::ApiLabel getLabelFromArgumentPosition(DataFlowDispatch::ArgumentPosition pos) {
-      exists(int n |
-        pos.isPositional(n) and
-        result = Label::parameter(n)
-      )
-      or
-      exists(string name |
-        pos.isKeyword(name) and
-        result = Label::keywordParameter(name)
-      )
-      or
-      pos.isBlock() and
-      result = Label::blockParameter()
-    }
-
-    private Label::ApiLabel getLabelFromParameterPosition(DataFlowDispatch::ParameterPosition pos) {
-      exists(int n |
-        pos.isPositional(n) and
-        result = Label::parameter(n)
-      )
-      or
-      exists(string name |
-        pos.isKeyword(name) and
-        result = Label::keywordParameter(name)
-      )
-      or
-      pos.isBlock() and
-      result = Label::blockParameter()
-    }
-
     /**
      * Holds if there should be a `lbl`-edge from the given call to an argument.
      */
@@ -512,7 +482,7 @@ module API {
     ) {
       exists(DataFlowDispatch::ArgumentPosition argPos |
         argument.sourceArgumentOf(call.asExpr(), argPos) and
-        lbl = getLabelFromArgumentPosition(argPos)
+        lbl = Label::getLabelFromArgumentPosition(argPos)
       )
     }
 
@@ -525,7 +495,7 @@ module API {
     ) {
       exists(DataFlowDispatch::ParameterPosition paramPos |
         paramNode.isSourceParameterOf(callable.asExpr().getExpr(), paramPos) and
-        lbl = getLabelFromParameterPosition(paramPos)
+        lbl = Label::getLabelFromParameterPosition(paramPos)
       )
     }
 
@@ -803,5 +773,37 @@ module API {
 
     /** Gets the label for the edge from the root node to a custom entry point of the given name. */
     LabelEntryPoint entryPoint(API::EntryPoint name) { result.getName() = name }
+
+    /** Gets the API graph label corresponding to the given argument position. */
+    Label::ApiLabel getLabelFromArgumentPosition(DataFlowDispatch::ArgumentPosition pos) {
+      exists(int n |
+        pos.isPositional(n) and
+        result = Label::parameter(n)
+      )
+      or
+      exists(string name |
+        pos.isKeyword(name) and
+        result = Label::keywordParameter(name)
+      )
+      or
+      pos.isBlock() and
+      result = Label::blockParameter()
+    }
+
+    /** Gets the API graph label corresponding to the given parameter position. */
+    Label::ApiLabel getLabelFromParameterPosition(DataFlowDispatch::ParameterPosition pos) {
+      exists(int n |
+        pos.isPositional(n) and
+        result = Label::parameter(n)
+      )
+      or
+      exists(string name |
+        pos.isKeyword(name) and
+        result = Label::keywordParameter(name)
+      )
+      or
+      pos.isBlock() and
+      result = Label::blockParameter()
+    }
   }
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -257,6 +257,8 @@ private module Cached {
       name = any(KeywordParameter kp).getName()
       or
       exists(any(Call c).getKeywordArgument(name))
+      or
+      FlowSummaryImplSpecific::ParsePositions::isParsedKeywordParameterPosition(_, name)
     }
 
   cached
@@ -270,7 +272,11 @@ private module Cached {
       or
       FlowSummaryImplSpecific::ParsePositions::isParsedArgumentPosition(_, pos)
     } or
-    TKeywordParameterPosition(string name) { name = any(KeywordParameter kp).getName() }
+    TKeywordParameterPosition(string name) {
+      name = any(KeywordParameter kp).getName()
+      or
+      FlowSummaryImplSpecific::ParsePositions::isParsedKeywordArgumentPosition(_, name)
+    }
 }
 
 import Cached