address review comments

Author: esbena

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll

@@ -17,22 +17,7 @@ private string getTokenFeature(DataFlow::Node endpoint, string featureName) {
   // Performance optimization: Restrict feature extraction to endpoints we've explicitly asked to featurize.
   endpoint = any(FeaturizationConfig cfg).getAnEndpointToFeaturize() and
   exists(EndpointFeature f | f.getName() = featureName and result = f.getValue(endpoint)) and
-  isVettedFeature(featureName)
-}
-
-predicate isVettedFeature(string featureName) {
-  // allowlist of vetted features that are permitted in production
-  featureName =
-    any(EndpointFeature f |
-      f instanceof EnclosingFunctionName or
-      f instanceof CalleeName or
-      f instanceof ReceiverName or
-      f instanceof ArgumentIndex or
-      f instanceof CalleeApiName or
-      f instanceof CalleeAccessPath or
-      f instanceof CalleeAccessPathWithStructuralInfo or
-      f instanceof EnclosingFunctionBody
-    ).getName()
+  featureName = getASupportedFeatureName()
 }
 
 /**
@@ -206,7 +191,20 @@ private module FunctionNames {
 }
 
 /** Get a name of a supported generic token-based feature. */
-string getASupportedFeatureName() { isVettedFeature(result) }
+string getASupportedFeatureName() {
+  // allowlist of vetted features that are permitted in production
+  result =
+    any(EndpointFeature f |
+      f instanceof EnclosingFunctionName or
+      f instanceof CalleeName or
+      f instanceof ReceiverName or
+      f instanceof ArgumentIndex or
+      f instanceof CalleeApiName or
+      f instanceof CalleeAccessPath or
+      f instanceof CalleeAccessPathWithStructuralInfo or
+      f instanceof EnclosingFunctionBody
+    ).getName()
+}
 
 /**
  * Generic token-based features for ATM.
@@ -253,7 +251,7 @@ abstract class EndpointFeature extends TEndpointFeature {
    */
   abstract string getValue(DataFlow::Node endpoint);
 
-  string toString() { result = getName() }
+  string toString() { result = this.getName() }
 }
 
 /**
@@ -456,7 +454,7 @@ private module SyntacticUtilities {
         w.getRhs() = node and
         result = getSimpleParameterAccessPath(w.getBase()) + "." + getPropertyNameOrUnknown(w)
       )
-    else result = "?"
+    else result = getUnknownSymbol()
   }
 
   /**
@@ -497,10 +495,12 @@ private module SyntacticUtilities {
                   if node instanceof DataFlow::InvokeNode
                   then
                     result = getSimpleAccessPath(node.(DataFlow::InvokeNode).getCalleeNode()) + "()"
-                  else result = "?"
+                  else result = getUnknownSymbol()
     )
   }
 
+  string getUnknownSymbol() { result = "?" }
+
   /**
    * Gets the imported path.
    *
@@ -514,15 +514,17 @@ private module SyntacticUtilities {
       exists(string p | p = i.getImportedPath().getValue() |
         if p.matches(".%") then result = "\"p\"" else result = "!" // hide absolute imports from the ML training
       )
-    else result = "?"
+    else result = getUnknownSymbol()
   }
-}
 
-/**
- * Gets the property name of a property reference or `?` if it is unknown.
- */
-string getPropertyNameOrUnknown(DataFlow::PropRef ref) {
-  if exists(ref.getPropertyName()) then result = ref.getPropertyName() else result = "?"
+  /**
+   * Gets the property name of a property reference or `?` if it is unknown.
+   */
+  string getPropertyNameOrUnknown(DataFlow::PropRef ref) {
+    if exists(ref.getPropertyName())
+    then result = ref.getPropertyName()
+    else result = getUnknownSymbol()
+  }
 }
 
 /**
@@ -537,11 +539,9 @@ class Callee_AccessPath extends EndpointFeature, TCallee_AccessPath {
 
   override string getValue(DataFlow::Node endpoint) {
     exists(DataFlow::InvokeNode invk |
-      exists(string path |
-        path = SyntacticUtilities::getSimpleAccessPath(invk.getCalleeNode()) and
-        // collapse the unknown path to the empty string, as is convention for old features
-        if path = "?" then result = "" else result = path
-      ) and
+      result = SyntacticUtilities::getSimpleAccessPath(invk.getCalleeNode()) and
+      // ignore the unknown path
+      not result = SyntacticUtilities::getUnknownSymbol() and
       (
         invk.getAnArgument() = endpoint or
         SyntacticUtilities::getANestedInitializerValue(invk.getAnArgument()
@@ -586,20 +586,14 @@ class Input_ArgumentIndexAndAccessPathFromCallee extends EndpointFeature,
 class Input_AccessPathFromCallee extends EndpointFeature, TInput_AccessPathFromCallee {
   override string getName() { result = "Input_AccessPathFromCallee" }
 
-  private string getValueMaybe(DataFlow::Node endpoint) {
+  override string getValue(DataFlow::Node endpoint) {
     exists(DataFlow::InvokeNode invk |
       result = SyntacticUtilities::getSimpleParameterAccessPath(endpoint) and
       SyntacticUtilities::getANestedInitializerValue(invk.getAnArgument()
             .asExpr()
             .getUnderlyingValue()).flow() = endpoint
     )
   }
-
-  override string getValue(DataFlow::Node endpoint) {
-    if exists(this.getValueMaybe(endpoint))
-    then result = this.getValueMaybe(endpoint)
-    else result = ""
-  }
 }
 
 /**

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/EmptyFeature.expected

@@ -1,3 +0,0 @@
-| calleeApiName |
-| enclosingFunctionBody |
-| enclosingFunctionName |

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/EmptyFeature.ql

@@ -1,5 +1,6 @@
 import javascript
 import experimental.adaptivethreatmodeling.EndpointFeatures
+import experimental.adaptivethreatmodeling.FeaturizationConfig
 import TestUtil
 
 // every feature must produce a value for at least one endpoint, otherwise the feature is completely broken, or a relevant test example is missing

javascript/ql/experimental/adaptivethreatmodeling/test/generic_feature_testing/FeatureValue.expected

@@ -1,93 +1,127 @@
 | test.html:2:61:2:68 | endpoint | Callee_AccessPath | $event.target.files.item |
-| test.html:2:61:2:68 | endpoint | Input_AccessPathFromCallee |  |
 | test.html:2:61:2:68 | endpoint | Input_ArgumentIndex | 0 |
 | test.html:2:61:2:68 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0 |
 | test.html:2:61:2:68 | endpoint | argumentIndex | 0 |
 | test.html:2:61:2:68 | endpoint | calleeAccessPath |  |
 | test.html:2:61:2:68 | endpoint | calleeAccessPathWithStructuralInfo |  |
 | test.html:2:61:2:68 | endpoint | calleeName | item |
 | test.js:2:7:2:14 | endpoint | Callee_AccessPath | f |
-| test.js:2:7:2:14 | endpoint | Input_AccessPathFromCallee |  |
 | test.js:2:7:2:14 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:2:7:2:14 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0 |
 | test.js:2:7:2:14 | endpoint | argumentIndex | 0 |
 | test.js:2:7:2:14 | endpoint | calleeAccessPath |  |
 | test.js:2:7:2:14 | endpoint | calleeAccessPathWithStructuralInfo |  |
 | test.js:2:7:2:14 | endpoint | calleeName | f |
+| test.js:2:7:2:14 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:2:7:2:14 | endpoint | enclosingFunctionName |  |
 | test.js:3:11:3:18 | endpoint | Callee_AccessPath | f |
 | test.js:3:11:3:18 | endpoint | Input_AccessPathFromCallee | 0.p |
 | test.js:3:11:3:18 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:3:11:3:18 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0.p |
 | test.js:3:11:3:18 | endpoint | calleeAccessPath |  |
 | test.js:3:11:3:18 | endpoint | calleeAccessPathWithStructuralInfo |  |
+| test.js:3:11:3:18 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:3:11:3:18 | endpoint | enclosingFunctionName |  |
 | test.js:4:15:4:22 | endpoint | Callee_AccessPath | f |
 | test.js:4:15:4:22 | endpoint | Input_AccessPathFromCallee | 0.p.q |
 | test.js:4:15:4:22 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:4:15:4:22 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0.p.q |
 | test.js:4:15:4:22 | endpoint | calleeAccessPath |  |
 | test.js:4:15:4:22 | endpoint | calleeAccessPathWithStructuralInfo |  |
+| test.js:4:15:4:22 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:4:15:4:22 | endpoint | enclosingFunctionName |  |
 | test.js:5:9:5:16 | endpoint | Callee_AccessPath | o.m |
-| test.js:5:9:5:16 | endpoint | Input_AccessPathFromCallee |  |
 | test.js:5:9:5:16 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:5:9:5:16 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0 |
 | test.js:5:9:5:16 | endpoint | argumentIndex | 0 |
 | test.js:5:9:5:16 | endpoint | calleeAccessPath |  |
 | test.js:5:9:5:16 | endpoint | calleeAccessPathWithStructuralInfo |  |
 | test.js:5:9:5:16 | endpoint | calleeName | m |
+| test.js:5:9:5:16 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:5:9:5:16 | endpoint | enclosingFunctionName |  |
 | test.js:5:9:5:16 | endpoint | receiverName | o |
 | test.js:6:13:6:20 | endpoint | Callee_AccessPath | o.m |
 | test.js:6:13:6:20 | endpoint | Input_AccessPathFromCallee | 0.p |
 | test.js:6:13:6:20 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:6:13:6:20 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0.p |
 | test.js:6:13:6:20 | endpoint | calleeAccessPath |  |
 | test.js:6:13:6:20 | endpoint | calleeAccessPathWithStructuralInfo |  |
+| test.js:6:13:6:20 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:6:13:6:20 | endpoint | enclosingFunctionName |  |
 | test.js:7:17:7:24 | endpoint | Callee_AccessPath | o.m |
 | test.js:7:17:7:24 | endpoint | Input_AccessPathFromCallee | 0.p.q |
 | test.js:7:17:7:24 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:7:17:7:24 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0.p.q |
 | test.js:7:17:7:24 | endpoint | calleeAccessPath |  |
 | test.js:7:17:7:24 | endpoint | calleeAccessPathWithStructuralInfo |  |
+| test.js:7:17:7:24 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:7:17:7:24 | endpoint | enclosingFunctionName |  |
 | test.js:8:11:8:18 | endpoint | Callee_AccessPath | F |
-| test.js:8:11:8:18 | endpoint | Input_AccessPathFromCallee |  |
 | test.js:8:11:8:18 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:8:11:8:18 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | ? |
 | test.js:8:11:8:18 | endpoint | calleeAccessPath |  |
 | test.js:8:11:8:18 | endpoint | calleeAccessPathWithStructuralInfo |  |
+| test.js:8:11:8:18 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:8:11:8:18 | endpoint | enclosingFunctionName |  |
 | test.js:9:17:9:24 | endpoint | Callee_AccessPath | o.m().m().m |
-| test.js:9:17:9:24 | endpoint | Input_AccessPathFromCallee |  |
 | test.js:9:17:9:24 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:9:17:9:24 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0 |
 | test.js:9:17:9:24 | endpoint | argumentIndex | 0 |
 | test.js:9:17:9:24 | endpoint | calleeAccessPath |  |
 | test.js:9:17:9:24 | endpoint | calleeAccessPathWithStructuralInfo |  |
 | test.js:9:17:9:24 | endpoint | calleeName | m |
+| test.js:9:17:9:24 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:9:17:9:24 | endpoint | enclosingFunctionName |  |
 | test.js:10:9:10:16 | endpoint | Callee_AccessPath | f() |
-| test.js:10:9:10:16 | endpoint | Input_AccessPathFromCallee |  |
 | test.js:10:9:10:16 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:10:9:10:16 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0 |
 | test.js:10:9:10:16 | endpoint | argumentIndex | 0 |
 | test.js:10:9:10:16 | endpoint | calleeAccessPath |  |
 | test.js:10:9:10:16 | endpoint | calleeAccessPathWithStructuralInfo |  |
+| test.js:10:9:10:16 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:10:9:10:16 | endpoint | enclosingFunctionName |  |
 | test.js:11:12:11:19 | endpoint | Callee_AccessPath | o.?.m |
-| test.js:11:12:11:19 | endpoint | Input_AccessPathFromCallee |  |
 | test.js:11:12:11:19 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:11:12:11:19 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0 |
 | test.js:11:12:11:19 | endpoint | argumentIndex | 0 |
 | test.js:11:12:11:19 | endpoint | calleeAccessPath |  |
 | test.js:11:12:11:19 | endpoint | calleeAccessPathWithStructuralInfo |  |
 | test.js:11:12:11:19 | endpoint | calleeName | m |
+| test.js:11:12:11:19 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:11:12:11:19 | endpoint | enclosingFunctionName |  |
 | test.js:12:16:12:23 | endpoint | Callee_AccessPath | o.m.?.p.m |
-| test.js:12:16:12:23 | endpoint | Input_AccessPathFromCallee |  |
 | test.js:12:16:12:23 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:12:16:12:23 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0 |
 | test.js:12:16:12:23 | endpoint | argumentIndex | 0 |
 | test.js:12:16:12:23 | endpoint | calleeAccessPath |  |
 | test.js:12:16:12:23 | endpoint | calleeAccessPathWithStructuralInfo |  |
 | test.js:12:16:12:23 | endpoint | calleeName | m |
+| test.js:12:16:12:23 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:12:16:12:23 | endpoint | enclosingFunctionName |  |
 | test.js:13:15:13:22 | endpoint | Callee_AccessPath | (await p) |
-| test.js:13:15:13:22 | endpoint | Input_AccessPathFromCallee |  |
 | test.js:13:15:13:22 | endpoint | Input_ArgumentIndex | 0 |
 | test.js:13:15:13:22 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0 |
 | test.js:13:15:13:22 | endpoint | argumentIndex | 0 |
 | test.js:13:15:13:22 | endpoint | calleeAccessPath |  |
 | test.js:13:15:13:22 | endpoint | calleeAccessPathWithStructuralInfo |  |
+| test.js:13:15:13:22 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:13:15:13:22 | endpoint | enclosingFunctionName |  |
+| test.js:14:27:14:34 | endpoint | Callee_AccessPath | import(!).bar.baz |
+| test.js:14:27:14:34 | endpoint | Input_ArgumentIndex | 0 |
+| test.js:14:27:14:34 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0 |
+| test.js:14:27:14:34 | endpoint | argumentIndex | 0 |
+| test.js:14:27:14:34 | endpoint | calleeAccessPath | foo bar baz |
+| test.js:14:27:14:34 | endpoint | calleeAccessPathWithStructuralInfo | foo member bar member baz instanceorreturn |
+| test.js:14:27:14:34 | endpoint | calleeApiName | foo |
+| test.js:14:27:14:34 | endpoint | calleeName | baz |
+| test.js:14:27:14:34 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:14:27:14:34 | endpoint | enclosingFunctionName |  |
+| test.js:16:13:16:20 | endpoint | Callee_AccessPath | bar |
+| test.js:16:13:16:20 | endpoint | Input_ArgumentIndex | 0 |
+| test.js:16:13:16:20 | endpoint | Input_ArgumentIndexAndAccessPathFromCallee | 0 |
+| test.js:16:13:16:20 | endpoint | argumentIndex | 0 |
+| test.js:16:13:16:20 | endpoint | calleeAccessPath |  |
+| test.js:16:13:16:20 | endpoint | calleeAccessPathWithStructuralInfo |  |
+| test.js:16:13:16:20 | endpoint | calleeName | bar |
+| test.js:16:13:16:20 | endpoint | enclosingFunctionBody | f endpoint f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint |
+| test.js:16:13:16:20 | endpoint | enclosingFunctionName |  |