JS: Add more features to AdditionalFlowInternal

asgerf · asgerf · commit 25c3d8fce947 · 2025-04-11T10:27:51.000+02:00
This lets us place some more logic outside of the giant DataFlowPrivate file
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/AdditionalFlowInternal.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/AdditionalFlowInternal.qll
@@ -9,6 +9,14 @@ DataFlow::Node getSynthesizedNode(AstNode node, string tag) {
   result = TGenericSynthesizedNode(node, tag, _)
 }
 
+DataFlowCallable getSynthesizedCallable(AstNode node, string tag) {
+  result = MkGenericSynthesizedCallable(node, tag)
+}
+
+DataFlowCall getSynthesizedCall(AstNode node, string tag) {
+  result = MkGenericSynthesizedCall(node, tag, _)
+}
+
 /**
  * An extension to `AdditionalFlowStep` with additional internal-only predicates.
  */
@@ -22,6 +30,10 @@ class AdditionalFlowInternal extends DataFlow::AdditionalFlowStep {
    */
   predicate needsSynthesizedNode(AstNode node, string tag, DataFlowCallable container) { none() }
 
+  predicate needsSynthesizedCallable(AstNode node, string tag) { none() }
+
+  predicate needsSynthesizedCall(AstNode node, string tag, DataFlowCallable container) { none() }
+
   /**
    * Holds if `node` should only permit flow of values stored in `contents`.
    */
@@ -31,4 +43,10 @@ class AdditionalFlowInternal extends DataFlow::AdditionalFlowStep {
    * Holds if `node` should not permit flow of values stored in `contents`.
    */
   predicate clearsContent(DataFlow::Node node, DataFlow::ContentSet contents) { none() }
+
+  predicate argument(DataFlowCall call, ArgumentPosition pos, DataFlow::Node value) { none() }
+
+  predicate postUpdate(DataFlow::Node pre, DataFlow::Node post) { none() }
+
+  predicate viableCallable(DataFlowCall call, DataFlowCallable target) { none() }
 }
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll
@@ -13,6 +13,7 @@ private import sharedlib.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.javascript.dataflow.internal.FlowSummaryPrivate as FlowSummaryPrivate
 private import semmle.javascript.dataflow.FlowSummary as FlowSummary
 private import semmle.javascript.dataflow.internal.BarrierGuards
+private import codeql.util.Boolean
 
 class DataFlowSecondLevelScope = Unit;
 
@@ -363,6 +364,8 @@ predicate postUpdatePair(Node pre, Node post) {
     pre.(FlowSummaryNode).getSummaryNode())
   or
   VariableCaptureOutput::capturePostUpdateNode(getClosureNode(post), getClosureNode(pre))
+  or
+  any(AdditionalFlowInternal f).postUpdate(pre, post)
 }
 
 class CastNode extends DataFlow::Node {
@@ -381,10 +384,16 @@ newtype TDataFlowCallable =
     not f instanceof ArrowFunctionExpr and
     // We also don't need harnesses for externs
     not f.getTopLevel().isExterns()
+  } or
+  /**
+   * A callable entity. This is a wrapper around either a `StmtContainer`, `LibraryCallable`, or `File`.
+   */
+  MkGenericSynthesizedCallable(AstNode node, string tag) {
+    any(AdditionalFlowInternal f).needsSynthesizedCallable(node, tag)
   }
 
 /**
- * A callable entity. This is a wrapper around either a `StmtContainer`, `LibraryCallable`, or `File`.
+ * A callable entity.
  */
 class DataFlowCallable extends TDataFlowCallable {
   /** Gets a string representation of this callable. */
@@ -395,7 +404,7 @@ class DataFlowCallable extends TDataFlowCallable {
     or
     result = this.asFileCallable().toString()
     or
-    result = this.asClassHarness().toString()
+    this.isGenericSynthesizedCallable(_, result)
   }
 
   /** Gets the location of this callable, if it is present in the source code. */
@@ -404,7 +413,10 @@ class DataFlowCallable extends TDataFlowCallable {
     or
     result = this.asFileCallable().getLocation()
     or
-    result = this.asClassHarness().getLocation()
+    exists(AstNode node |
+      this.isGenericSynthesizedCallable(node, _) and
+      result = node.getLocation()
+    )
   }
 
   /** Gets the corresponding `StmtContainer` if this is a source callable. */
@@ -414,7 +426,9 @@ class DataFlowCallable extends TDataFlowCallable {
   File asFileCallable() { this = MkFileCallable(result) }
 
   /** Gets the class constructor for which this is a class harness. */
-  Function asClassHarness() { this = MkClassHarnessCallable(result) }
+  predicate isGenericSynthesizedCallable(AstNode node, string tag) {
+    this = MkGenericSynthesizedCallable(node, tag)
+  }
 
   /** Gets the corresponding `StmtContainer` if this is a source callable. */
   pragma[nomagic]
@@ -544,6 +558,8 @@ private predicate isArgumentNodeImpl(Node n, DataFlowCall call, ArgumentPosition
     n = TDynamicArgumentArrayNode(invoke) and
     pos.isDynamicArgumentArray()
   )
+  or
+  any(AdditionalFlowInternal f).argument(call, pos, n)
 }
 
 predicate isArgumentNode(ArgumentNode n, DataFlowCall call, ArgumentPosition pos) {
@@ -791,7 +807,7 @@ ContentApprox getContentApprox(Content c) {
 }
 
 cached
-private newtype TDataFlowCall =
+newtype TDataFlowCall =
   MkOrdinaryCall(DataFlow::InvokeNode node) or
   MkPartialCall(DataFlow::PartialInvokeNode node, DataFlow::Node callback) {
     callback = node.getACallbackNode()
@@ -812,6 +828,9 @@ private newtype TDataFlowCall =
     FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
   ) {
     FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
+  } or
+  MkGenericSynthesizedCall(AstNode node, string tag, DataFlowCallable container) {
+    any(AdditionalFlowInternal f).needsSynthesizedCall(node, tag, container)
   }
 
 private module TotalOrdering {
@@ -877,6 +896,10 @@ class DataFlowCall extends TDataFlowCall {
     this = MkSummaryCall(enclosingCallable, receiver)
   }
 
+  predicate isGenericSynthesizedCall(AstNode node, string tag, DataFlowCallable container) {
+    this = MkGenericSynthesizedCall(node, tag, container)
+  }
+
   Location getLocation() { none() } // Overridden in subclass
 
   int totalorder() {
@@ -995,6 +1018,20 @@ private class ImpliedLambdaCall extends DataFlowCall, MkImpliedLambdaCall {
   }
 }
 
+class GenericSynthesizedCall extends DataFlowCall, MkGenericSynthesizedCall {
+  private AstNode node;
+  private string tag;
+  private DataFlowCallable container;
+
+  GenericSynthesizedCall() { this = MkGenericSynthesizedCall(node, tag, container) }
+
+  override string toString() { result = tag }
+
+  override Location getLocation() { result = node.getLocation() }
+
+  override DataFlowCallable getEnclosingCallable() { result = container }
+}
+
 private int getMaxArity() {
   // TODO: account for flow summaries
   result =
@@ -1092,6 +1129,8 @@ DataFlowCallable viableCallable(DataFlowCall node) {
   )
   or
   result.asSourceCallableNotExterns() = node.asImpliedLambdaCall()
+  or
+  any(AdditionalFlowInternal f).viableCallable(node, result)
 }
 
 private DataFlowCall getACallOnThis(DataFlow::ClassNode cls) {
