JS: Move some promise-related store steps into PromiseFlow::storeStep

asgerf · asgerf · commit 08ee51cbc4a3 · 2025-03-13T12:53:04.000+01:00
API graphs calls PromiseFlow::storeStep to propagate promises, which means it missed a store steps added elsewhere in the old promise library model.

We want API graphs to rely on type-tracking steps in general, like in Ruby, but for now just fixing the bug.
diff --git a/javascript/ql/lib/semmle/javascript/Promises.qll b/javascript/ql/lib/semmle/javascript/Promises.qll
@@ -4,6 +4,7 @@
 
 import javascript
 private import dataflow.internal.StepSummary
+private import semmle.javascript.dataflow.internal.FlowSteps
 
 /**
  * A call to the `Promise` constructor, such as `new Promise((resolve, reject) => { ... })`.
@@ -397,6 +398,17 @@ module PromiseFlow {
       value = call.getCallback(0).getExceptionalReturn() and
       obj = call
     )
+    or
+    exists(DataFlow::FunctionNode f | f.getFunction().isAsync() |
+      // ordinary return
+      prop = valueProp() and
+      value = f.getAReturn() and
+      obj = f.getReturnNode()
+      or
+      // exceptional return
+      prop = errorProp() and
+      localExceptionStepWithAsyncFlag(value, obj, true)
+    )
   }
 
   /**
@@ -525,30 +537,6 @@ private class PromiseTaintStep extends TaintTracking::LegacyTaintStep {
  * Defines flow steps for return on async functions.
  */
 private module AsyncReturnSteps {
-  private predicate valueProp = Promises::valueProp/0;
-
-  private predicate errorProp = Promises::errorProp/0;
-
-  private import semmle.javascript.dataflow.internal.FlowSteps
-
-  /**
-   * A data-flow step for ordinary and exceptional returns from async functions.
-   */
-  private class AsyncReturn extends LegacyPreCallGraphStep {
-    override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
-      exists(DataFlow::FunctionNode f | f.getFunction().isAsync() |
-        // ordinary return
-        prop = valueProp() and
-        pred = f.getAReturn() and
-        succ = f.getReturnNode()
-        or
-        // exceptional return
-        prop = errorProp() and
-        localExceptionStepWithAsyncFlag(pred, succ, true)
-      )
-    }
-  }
-
   /**
    * A data-flow step for ordinary return from an async function in a taint configuration.
    */
diff --git a/javascript/ql/test/ApiGraphs/async-await/VerifyAssertions.expected b/javascript/ql/test/ApiGraphs/async-await/VerifyAssertions.expected
@@ -1,2 +0,0 @@
-| wrap-async-in-thunk.js:5:25:5:137 | /* def= ... ed() */ | Node not found on this line (but there is one on line wrap-async-in-thunk.js:14). |
-| wrap-async-in-thunk.js:5:25:5:137 | /* def= ... ed() */ | Node not found on this line (but there is one on line wrap-async-in-thunk.js:24). |

Original file line number	Diff line number	Diff line change
`@@ -1,2 +0,0 @@`
`1`		`-\| wrap-async-in-thunk.js:5:25:5:137 \| /* def= ... ed() */ \| Node not found on this line (but there is one on line wrap-async-in-thunk.js:14). \|`
`2`		`-\| wrap-async-in-thunk.js:5:25:5:137 \| /* def= ... ed() */ \| Node not found on this line (but there is one on line wrap-async-in-thunk.js:24). \|`