Merge pull request #18125 from asgerf/jss/summary-type-tracker

JS: Derive type-tracking steps from flow summaries

Author: asgerf

javascript/ql/lib/qlpack.yml

@@ -12,6 +12,7 @@ dependencies:
   codeql/ssa: ${workspace}
   codeql/threat-models: ${workspace}
   codeql/tutorial: ${workspace}
+  codeql/typetracking: ${workspace}
   codeql/util: ${workspace}
   codeql/xml: ${workspace}
   codeql/yaml: ${workspace}

javascript/ql/lib/semmle/javascript/dataflow/FlowSummary.qll

@@ -11,19 +11,18 @@ abstract class SummarizedCallable extends LibraryCallable, Impl::Public::Summari
   bindingset[this]
   SummarizedCallable() { any() }
 
-  // TODO: rename 'propagatesFlowExt' and/or override 'propagatesFlow' directly
   /**
    * Holds if data may flow from `input` to `output` through this callable.
    *
    * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
    */
   pragma[nomagic]
-  predicate propagatesFlowExt(string input, string output, boolean preservesValue) { none() }
+  predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }
 
   override predicate propagatesFlow(
     string input, string output, boolean preservesValue, string model
   ) {
-    this.propagatesFlowExt(input, output, preservesValue) and model = this
+    this.propagatesFlow(input, output, preservesValue) and model = this
   }
 
   /**

javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll

@@ -1,6 +1,8 @@
 import javascript
 private import semmle.javascript.dataflow.TypeTracking
 private import semmle.javascript.internal.CachedStages
+private import semmle.javascript.dataflow.internal.Contents as Contents
+private import sharedlib.SummaryTypeTracker as SummaryTypeTracker
 private import FlowSteps
 
 cached
@@ -29,6 +31,8 @@ private module Cached {
         SharedTypeTrackingStep::loadStoreStep(_, _, _, this)
         or
         this = DataFlow::PseudoProperties::arrayLikeElement()
+        or
+        this instanceof Contents::Private::PropertyName
       }
     }
 
@@ -46,6 +50,12 @@ private module Cached {
       LoadStoreStep(PropertyName fromProp, PropertyName toProp) {
         SharedTypeTrackingStep::loadStoreStep(_, _, fromProp, toProp)
         or
+        exists(DataFlow::ContentSet loadContent, DataFlow::ContentSet storeContent |
+          SummaryTypeTracker::basicLoadStoreStep(_, _, loadContent, storeContent) and
+          fromProp = loadContent.asPropertyName() and
+          toProp = storeContent.asPropertyName()
+        )
+        or
         summarizedLoadStoreStep(_, _, fromProp, toProp)
       } or
       WithoutPropStep(PropertySet props) { SharedTypeTrackingStep::withoutPropStep(_, _, props) }
@@ -205,6 +215,21 @@ private module Cached {
       succ = getACallbackSource(parameter).getParameter(i) and
       summary = ReturnStep()
     )
+    or
+    SummaryTypeTracker::levelStepNoCall(pred, succ) and summary = LevelStep()
+    or
+    exists(DataFlow::ContentSet content |
+      SummaryTypeTracker::basicLoadStep(pred, succ, content) and
+      summary = LoadStep(content.asPropertyName())
+      or
+      SummaryTypeTracker::basicStoreStep(pred, succ, content) and
+      summary = StoreStep(content.asPropertyName())
+    )
+    or
+    exists(DataFlow::ContentSet loadContent, DataFlow::ContentSet storeContent |
+      SummaryTypeTracker::basicLoadStoreStep(pred, succ, loadContent, storeContent) and
+      summary = LoadStoreStep(loadContent.asPropertyName(), storeContent.asPropertyName())
+    )
   }
 }
 

javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/SummaryTypeTracker.qll

@@ -0,0 +1,83 @@
+private import semmle.javascript.Locations
+private import codeql.typetracking.internal.SummaryTypeTracker
+private import semmle.javascript.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+private import semmle.javascript.dataflow.FlowSummary as FlowSummary
+private import FlowSummaryImpl as FlowSummaryImpl
+private import DataFlowArg
+
+private module SummaryFlowConfig implements Input {
+  import JSDataFlow
+  import FlowSummaryImpl::Public
+  import FlowSummaryImpl::Private
+  import FlowSummaryImpl::Private::SummaryComponent
+
+  class Content = DataFlow::ContentSet;
+
+  class ContentFilter extends Unit {
+    ContentFilter() { none() }
+  }
+
+  ContentFilter getFilterFromWithoutContentStep(Content content) { none() }
+
+  ContentFilter getFilterFromWithContentStep(Content content) { none() }
+
+  predicate singleton = SummaryComponentStack::singleton/1;
+
+  predicate push = SummaryComponentStack::push/2;
+
+  SummaryComponent return() {
+    result = SummaryComponent::return(DataFlowPrivate::MkNormalReturnKind())
+  }
+
+  Node argumentOf(Node call, SummaryComponent arg, boolean isPostUpdate) {
+    // Note: we cannot rely on DataFlowPrivate::DataFlowCall here because that depends on the call graph.
+    exists(ArgumentPosition apos, ParameterPosition ppos, Node argNode |
+      arg = argument(ppos) and
+      parameterMatch(ppos, apos) and
+      (
+        argNode = call.(DataFlow::InvokeNode).getArgument(apos.asPositional())
+        or
+        apos.isThis() and
+        argNode = call.(DataFlow::CallNode).getReceiver()
+      )
+    |
+      isPostUpdate = true and result = argNode.getPostUpdateNode()
+      or
+      isPostUpdate = false and result = argNode
+    )
+  }
+
+  Node parameterOf(Node callable, SummaryComponent param) {
+    exists(ArgumentPosition apos, ParameterPosition ppos, DataFlow::FunctionNode function |
+      param = parameter(apos) and
+      parameterMatch(ppos, apos) and
+      callable = function
+    |
+      result = function.getParameter(ppos.asPositional())
+      or
+      ppos.isThis() and
+      result = function.getReceiver()
+    )
+  }
+
+  Node returnOf(Node callable, SummaryComponent return) {
+    return = return() and
+    result = callable.(DataFlow::FunctionNode).getReturnNode()
+  }
+
+  class SummarizedCallable instanceof SummarizedCallableImpl {
+    predicate propagatesFlow(
+      SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+    ) {
+      super.propagatesFlow(input, output, preservesValue, _)
+    }
+
+    string toString() { result = super.toString() }
+  }
+
+  Node callTo(SummarizedCallable callable) {
+    result = callable.(FlowSummary::SummarizedCallable).getACallSimple()
+  }
+}
+
+import SummaryFlow<SummaryFlowConfig>

javascript/ql/lib/semmle/javascript/internal/flow_summaries/AmbiguousCoreMethods.qll

@@ -31,7 +31,7 @@ class At extends SummarizedCallable {
 
   override InstanceCall getACallSimple() { result.getMethodName() = "at" }
 
-  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
     preservesValue = true and
     input = "Argument[this].ArrayElement" and
     output = "ReturnValue"
@@ -45,7 +45,7 @@ class Concat extends SummarizedCallable {
 
   override InstanceCall getACallSimple() { result.getMethodName() = "concat" }
 
-  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
     preservesValue = true and
     input = "Argument[this,0..].ArrayElement" and
     output = "ReturnValue.ArrayElement"
@@ -61,7 +61,7 @@ class Slice extends SummarizedCallable {
 
   override InstanceCall getACallSimple() { result.getMethodName() = "slice" }
 
-  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
     preservesValue = true and
     input = "Argument[this].ArrayElement" and
     output = "ReturnValue.ArrayElement"
@@ -80,7 +80,7 @@ class Entries extends SummarizedCallable {
     result.getNumArgument() = 0
   }
 
-  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
     preservesValue = true and
     (
       input = "Argument[this]." + ["MapKey", "SetElement"] and
@@ -97,7 +97,7 @@ class ForEach extends SummarizedCallable {
 
   override InstanceCall getACallSimple() { result.getMethodName() = "forEach" }
 
-  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
     preservesValue = true and
     /*
      * array.forEach(callbackfn, thisArg)
@@ -128,7 +128,7 @@ class Keys extends SummarizedCallable {
     result.getNumArgument() = 0
   }
 
-  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
     preservesValue = true and
     input = "Argument[this]." + ["MapKey", "SetElement"] and
     output = "ReturnValue.IteratorElement"
@@ -143,7 +143,7 @@ class Values extends SummarizedCallable {
     result.getNumArgument() = 0
   }
 
-  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
     preservesValue = true and
     input = "Argument[this]." + ["ArrayElement", "SetElement", "MapValue"] and
     output = "ReturnValue.IteratorElement"