JS: Add more features to AdditionalFlowInternal

This lets us place some more logic outside of the giant DataFlowPrivate file

Author: asgerf

javascript/ql/lib/semmle/javascript/dataflow/internal/AdditionalFlowInternal.qll

@@ -9,6 +9,14 @@ DataFlow::Node getSynthesizedNode(AstNode node, string tag) {
   result = TGenericSynthesizedNode(node, tag, _)
 }
 
+DataFlowCallable getSynthesizedCallable(AstNode node, string tag) {
+  result = MkGenericSynthesizedCallable(node, tag)
+}
+
+DataFlowCall getSynthesizedCall(AstNode node, string tag) {
+  result = MkGenericSynthesizedCall(node, tag, _)
+}
+
 /**
  * An extension to `AdditionalFlowStep` with additional internal-only predicates.
  */
@@ -22,6 +30,10 @@ class AdditionalFlowInternal extends DataFlow::AdditionalFlowStep {
    */
   predicate needsSynthesizedNode(AstNode node, string tag, DataFlowCallable container) { none() }
 
+  predicate needsSynthesizedCallable(AstNode node, string tag) { none() }
+
+  predicate needsSynthesizedCall(AstNode node, string tag, DataFlowCallable container) { none() }
+
   /**
    * Holds if `node` should only permit flow of values stored in `contents`.
    */
@@ -31,4 +43,10 @@ class AdditionalFlowInternal extends DataFlow::AdditionalFlowStep {
    * Holds if `node` should not permit flow of values stored in `contents`.
    */
   predicate clearsContent(DataFlow::Node node, DataFlow::ContentSet contents) { none() }
+
+  predicate argument(DataFlowCall call, ArgumentPosition pos, DataFlow::Node value) { none() }
+
+  predicate postUpdate(DataFlow::Node pre, DataFlow::Node post) { none() }
+
+  predicate viableCallable(DataFlowCall call, DataFlowCallable target) { none() }
 }

javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll

@@ -13,6 +13,7 @@ private import sharedlib.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.javascript.dataflow.internal.FlowSummaryPrivate as FlowSummaryPrivate
 private import semmle.javascript.dataflow.FlowSummary as FlowSummary
 private import semmle.javascript.dataflow.internal.BarrierGuards
+private import codeql.util.Boolean
 
 class DataFlowSecondLevelScope = Unit;
 
@@ -381,6 +382,8 @@ predicate postUpdatePair(Node pre, Node post) {
     pre.(FlowSummaryNode).getSummaryNode())
   or
   VariableCaptureOutput::capturePostUpdateNode(getClosureNode(post), getClosureNode(pre))
+  or
+  any(AdditionalFlowInternal f).postUpdate(pre, post)
 }
 
 class CastNode extends DataFlow::Node {
@@ -391,17 +394,12 @@ cached
 newtype TDataFlowCallable =
   MkSourceCallable(StmtContainer container) or
   MkLibraryCallable(LibraryCallable callable) or
-  MkClassHarnessCallable(Function f) {
-    // We only need a class harness for functions that act as classes (i.e. constructors),
-    // but since DataFlow::Node has not been materialised at this stage, we can't use DataFlow::ClassNode.
-    // Exclude arrow functions as they can't be called with 'new'.
-    not f instanceof ArrowFunctionExpr and
-    // We also don't need harnesses for externs
-    not f.getTopLevel().isExterns()
+  MkGenericSynthesizedCallable(AstNode node, string tag) {
+    any(AdditionalFlowInternal f).needsSynthesizedCallable(node, tag)
   }
 
 /**
- * A callable entity. This is a wrapper around either a `StmtContainer` or a `LibraryCallable`.
+ * A callable entity.
  */
 class DataFlowCallable extends TDataFlowCallable {
   /** Gets a string representation of this callable. */
@@ -410,19 +408,26 @@ class DataFlowCallable extends TDataFlowCallable {
     or
     result = this.asLibraryCallable()
     or
-    result = this.asClassHarness().toString()
+    this.isGenericSynthesizedCallable(_, result)
   }
 
   /** Gets the location of this callable, if it is present in the source code. */
   Location getLocation() {
-    result = this.asSourceCallable().getLocation() or result = this.asClassHarness().getLocation()
+    result = this.asSourceCallable().getLocation()
+    or
+    exists(AstNode node |
+      this.isGenericSynthesizedCallable(node, _) and
+      result = node.getLocation()
+    )
   }
 
   /** Gets the corresponding `StmtContainer` if this is a source callable. */
   StmtContainer asSourceCallable() { this = MkSourceCallable(result) }
 
   /** Gets the class constructor for which this is a class harness. */
-  Function asClassHarness() { this = MkClassHarnessCallable(result) }
+  predicate isGenericSynthesizedCallable(AstNode node, string tag) {
+    this = MkGenericSynthesizedCallable(node, tag)
+  }
 
   /** Gets the corresponding `StmtContainer` if this is a source callable. */
   pragma[nomagic]
@@ -552,6 +557,8 @@ private predicate isArgumentNodeImpl(Node n, DataFlowCall call, ArgumentPosition
     n = TDynamicArgumentArrayNode(invoke) and
     pos.isDynamicArgumentArray()
   )
+  or
+  any(AdditionalFlowInternal f).argument(call, pos, n)
 }
 
 predicate isArgumentNode(ArgumentNode n, DataFlowCall call, ArgumentPosition pos) {
@@ -749,7 +756,7 @@ ContentApprox getContentApprox(Content c) {
 }
 
 cached
-private newtype TDataFlowCall =
+newtype TDataFlowCall =
   MkOrdinaryCall(DataFlow::InvokeNode node) or
   MkPartialCall(DataFlow::PartialInvokeNode node, DataFlow::Node callback) {
     callback = node.getACallbackNode()
@@ -770,6 +777,9 @@ private newtype TDataFlowCall =
     FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
   ) {
     FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
+  } or
+  MkGenericSynthesizedCall(AstNode node, string tag, DataFlowCallable container) {
+    any(AdditionalFlowInternal f).needsSynthesizedCall(node, tag, container)
   }
 
 private module TotalOrdering {
@@ -835,6 +845,10 @@ class DataFlowCall extends TDataFlowCall {
     this = MkSummaryCall(enclosingCallable, receiver)
   }
 
+  predicate isGenericSynthesizedCall(AstNode node, string tag, DataFlowCallable container) {
+    this = MkGenericSynthesizedCall(node, tag, container)
+  }
+
   Location getLocation() { none() } // Overridden in subclass
 
   int totalorder() {
@@ -953,6 +967,20 @@ private class ImpliedLambdaCall extends DataFlowCall, MkImpliedLambdaCall {
   }
 }
 
+class GenericSynthesizedCall extends DataFlowCall, MkGenericSynthesizedCall {
+  private AstNode node;
+  private string tag;
+  private DataFlowCallable container;
+
+  GenericSynthesizedCall() { this = MkGenericSynthesizedCall(node, tag, container) }
+
+  override string toString() { result = tag }
+
+  override Location getLocation() { result = node.getLocation() }
+
+  override DataFlowCallable getEnclosingCallable() { result = container }
+}
+
 private int getMaxArity() {
   // TODO: account for flow summaries
   result =
@@ -1050,6 +1078,8 @@ DataFlowCallable viableCallable(DataFlowCall node) {
   )
   or
   result.asSourceCallableNotExterns() = node.asImpliedLambdaCall()
+  or
+  any(AdditionalFlowInternal f).viableCallable(node, result)
 }
 
 /**