add support for creating a promise with another resolved promise, e.g: Promise.resolve(otherPromise)

erik-krogh · erik-krogh · commit 8370699344a0 · 2020-01-21T20:11:27.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/Promises.qll b/javascript/ql/src/semmle/javascript/Promises.qll
@@ -162,6 +162,13 @@ private module PromiseFlow {
       ) and
       succ = this
     }
+
+    override predicate copyProperty(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      // Copy the value of a resolved promise to the value of this promise.
+      prop = resolveField() and
+      pred = promise.getResolveParameter().getACall().getArgument(0) and
+      succ = this
+    }
   }
   
   /**
@@ -178,6 +185,13 @@ private module PromiseFlow {
       pred = promise.getValue() and
       succ = this
     }
+
+    override predicate copyProperty(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      // Copy the value of a resolved promise to the value of this promise.
+      prop = resolveField() and
+      pred = promise.getValue() and
+      succ = this
+    }
   }
 
 
diff --git a/javascript/ql/test/library-tests/Promises/flow.js b/javascript/ql/test/library-tests/Promises/flow.js
@@ -125,4 +125,8 @@
 	Promise.resolve(123).then(x => rejected).catch(x => sink(x)) // NOT OK
 	
 	Promise.resolve(123).then(x => rejected).then(x => sink(x)) // OK
+	
+	new Promise((resolve, reject) => resolve(resolved)).then(x => sink(x)); // NOT OK
+	
+	Promise.resolve(resolved).then(x => sink(x)); // NOT OK
 })();
diff --git a/javascript/ql/test/library-tests/Promises/flow.qll b/javascript/ql/test/library-tests/Promises/flow.qll
@@ -1,7 +1,19 @@
 import javascript
 
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "PromiseFlowTestingConfig" }
+class Configuration extends DataFlow::Configuration {
+  Configuration() { this = "PromiseDataFlowFlowTestingConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.getEnclosingExpr().getStringValue() = "source"
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    any(DataFlow::InvokeNode call | call.getCalleeName() = "sink").getAnArgument() = sink
+  }
+}
+
+class TaintConfig extends TaintTracking::Configuration {
+  TaintConfig() { this = "PromiseTaintFlowTestingConfig" }
 
   override predicate isSource(DataFlow::Node source) {
     source.getEnclosingExpr().getStringValue() = "source"
@@ -13,5 +25,10 @@ class Configuration extends TaintTracking::Configuration {
 }
 
 query predicate flow(DataFlow::Node source, DataFlow::Node sink) {
-  any(Configuration a).hasFlow(source, sink)
+  any(Configuration c).hasFlow(source, sink)
 }
+
+query predicate exclusiveTaintFlow(DataFlow::Node source, DataFlow::Node sink) {
+  not any(Configuration c).hasFlow(source, sink) and
+  any(TaintConfig c).hasFlow(source, sink)
+}
diff --git a/javascript/ql/test/library-tests/Promises/tests.expected b/javascript/ql/test/library-tests/Promises/tests.expected
@@ -15,6 +15,7 @@ test_ResolvedPromiseDefinition
 | flow.js:123:2:123:21 | Promise.resolve(123) | flow.js:123:18:123:20 | 123 |
 | flow.js:125:2:125:21 | Promise.resolve(123) | flow.js:125:18:125:20 | 123 |
 | flow.js:127:2:127:21 | Promise.resolve(123) | flow.js:127:18:127:20 | 123 |
+| flow.js:131:2:131:26 | Promise ... solved) | flow.js:131:18:131:25 | resolved |
 | promises.js:53:19:53:41 | Promise ... source) | promises.js:53:35:53:40 | source |
 | promises.js:62:19:62:41 | Promise ... source) | promises.js:62:35:62:40 | source |
 | promises.js:71:5:71:27 | Promise ... source) | promises.js:71:21:71:26 | source |
@@ -58,6 +59,7 @@ test_PromiseDefinition_getExecutor
 | flow.js:113:2:113:48 | new Pro ... "BLA")) | flow.js:113:14:113:47 | (resolv ... ("BLA") |
 | flow.js:117:2:117:48 | new Pro ... "BLA")) | flow.js:117:14:117:47 | (resolv ... ("BLA") |
 | flow.js:119:2:119:48 | new Pro ... "BLA")) | flow.js:119:14:119:47 | (resolv ... ("BLA") |
+| flow.js:129:2:129:52 | new Pro ... olved)) | flow.js:129:14:129:51 | (resolv ... solved) |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:24:15:5 | functio ... ;\\n    } |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:29:5:3 | functio ... e);\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:30:17:3 | (res, r ... e);\\n  } |
@@ -92,6 +94,7 @@ test_PromiseDefinition
 | flow.js:113:2:113:48 | new Pro ... "BLA")) |
 | flow.js:117:2:117:48 | new Pro ... "BLA")) |
 | flow.js:119:2:119:48 | new Pro ... "BLA")) |
+| flow.js:129:2:129:52 | new Pro ... olved)) |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) |
@@ -108,6 +111,7 @@ test_PromiseDefinition_getAResolveHandler
 | flow.js:91:21:91:68 | new Pro ... ource)) | flow.js:91:75:91:82 | () => {} |
 | flow.js:105:2:105:48 | new Pro ... "BLA")) | flow.js:105:58:105:76 | x => {throw source} |
 | flow.js:109:2:109:48 | new Pro ... "BLA")) | flow.js:109:58:109:70 | x => rejected |
+| flow.js:129:2:129:52 | new Pro ... olved)) | flow.js:129:59:129:70 | x => sink(x) |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:6:16:8:3 | functio ... al;\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:18:17:20:3 | (v) =>  ...  v;\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:26:20:28:3 | (v) =>  ...  v;\\n  } |
@@ -137,6 +141,7 @@ test_PromiseDefinition_getRejectParameter
 | flow.js:113:2:113:48 | new Pro ... "BLA")) | flow.js:113:24:113:29 | reject |
 | flow.js:117:2:117:48 | new Pro ... "BLA")) | flow.js:117:24:117:29 | reject |
 | flow.js:119:2:119:48 | new Pro ... "BLA")) | flow.js:119:24:119:29 | reject |
+| flow.js:129:2:129:52 | new Pro ... olved)) | flow.js:129:24:129:29 | reject |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:43:11:48 | reject |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:48:3:53 | reject |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:36:10:38 | rej |
@@ -166,6 +171,7 @@ test_PromiseDefinition_getResolveParameter
 | flow.js:113:2:113:48 | new Pro ... "BLA")) | flow.js:113:15:113:21 | resolve |
 | flow.js:117:2:117:48 | new Pro ... "BLA")) | flow.js:117:15:117:21 | resolve |
 | flow.js:119:2:119:48 | new Pro ... "BLA")) | flow.js:119:15:119:21 | resolve |
+| flow.js:129:2:129:52 | new Pro ... olved)) | flow.js:129:15:129:21 | resolve |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:34:11:40 | resolve |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:39:3:45 | resolve |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:31:10:33 | res |
@@ -210,4 +216,7 @@ flow
 | flow.js:2:15:2:22 | "source" | flow.js:119:86:119:86 | x |
 | flow.js:2:15:2:22 | "source" | flow.js:123:58:123:58 | x |
 | flow.js:2:15:2:22 | "source" | flow.js:125:59:125:59 | x |
+| flow.js:2:15:2:22 | "source" | flow.js:129:69:129:69 | x |
+| flow.js:2:15:2:22 | "source" | flow.js:131:43:131:43 | x |
+exclusiveTaintFlow
 | interflow.js:3:18:3:25 | "source" | interflow.js:18:10:18:14 | error |

Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,13 @@ private module PromiseFlow {`
`162`	`162`	`) and`
`163`	`163`	`succ = this`
`164`	`164`	`}`
	`165`	`+`
	`166`	`+ override predicate copyProperty(DataFlow::Node pred, DataFlow::Node succ, string prop) {`
	`167`	`+ // Copy the value of a resolved promise to the value of this promise.`
	`168`	`+ prop = resolveField() and`
	`169`	`+ pred = promise.getResolveParameter().getACall().getArgument(0) and`
	`170`	`+ succ = this`
	`171`	`+ }`
`165`	`172`	`}`
`166`	`173`
`167`	`174`	`/**`
`@@ -178,6 +185,13 @@ private module PromiseFlow {`
`178`	`185`	`pred = promise.getValue() and`
`179`	`186`	`succ = this`
`180`	`187`	`}`
	`188`	`+`
	`189`	`+ override predicate copyProperty(DataFlow::Node pred, DataFlow::Node succ, string prop) {`
	`190`	`+ // Copy the value of a resolved promise to the value of this promise.`
	`191`	`+ prop = resolveField() and`
	`192`	`+ pred = promise.getValue() and`
	`193`	`+ succ = this`
	`194`	`+ }`
`181`	`195`	`}`
`182`	`196`
`183`	`197`