add flowsTo to the use of isAdditionalLoadStep

erik-krogh · erik-krogh · commit ad813ef86c26 · 2020-01-20T14:16:29.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -788,12 +788,14 @@ private predicate parameterPropRead(
   Function f, DataFlow::Node invk, DataFlow::Node arg, string prop, DataFlow::Node read,
   DataFlow::Configuration cfg
 ) {
-  exists(DataFlow::Node parm |
+  exists(DataFlow::SourceNode parm |
     callInputStep(f, invk, arg, parm, cfg) and
     (
-      read = parm.(DataFlow::SourceNode).getAPropertyRead(prop)
+      read = parm.getAPropertyRead(prop)
       or
-      isAdditionalLoadStep(parm, read, prop, cfg)
+      exists(DataFlow::Node use | parm.flowsTo(use) |
+        isAdditionalLoadStep(use, read, prop, cfg)
+      )
     )
   )
 }
@@ -881,7 +883,7 @@ private predicate reachableFromStoreBase(
     (
       flowStep(mid, cfg, nd, newSummary) 
       or
-      existsCopyProperty(mid, nd, prop, cfg) and
+      isAdditionalCopyPropertyStep(mid, nd, prop, cfg) and
       newSummary = PathSummary::level()
     ) and
     summary = oldSummary.appendValuePreserving(newSummary)
@@ -906,29 +908,6 @@ private predicate flowThroughProperty(
   )
 }
 
-/**
- * Holds if the property `prop` is copied from `fromNode` to `toNode`.
- */
-bindingset[prop, cfg]
-private predicate existsCopyProperty(DataFlow::Node fromNode, DataFlow::Node toNode, string prop, DataFlow::Configuration cfg) {
-  fromNode = toNode
-  or
-  existsCopyPropertyRecursive(fromNode, toNode, prop, cfg)
-}
-
-/**
- * Holds if the property `prop` is copied from `fromNode` to `toNode` using at least 1 step.
- *
- * The recursion of this predicate has been unfolded once compared to a naive implementation in order to avoid having no constraint on `prop`.
- * Therefore a caller of this predicate should also test whether the `toNode` and `fromNode` are equal.
- */
-private predicate existsCopyPropertyRecursive(DataFlow::Node fromNode, DataFlow::Node toNode, string prop, DataFlow::Configuration cfg) {
-  exists(DataFlow::Node mid |
-    isAdditionalCopyPropertyStep(fromNode, mid, prop, cfg) and
-    existsCopyProperty(mid, toNode, prop, cfg)
-  )
-}
-
 /**
  * Holds if `arg` and `cb` are passed as arguments to a function which in turn
  * invokes `cb`, passing `arg` as its `i`th argument.
diff --git a/javascript/ql/test/library-tests/Promises/flow.js b/javascript/ql/test/library-tests/Promises/flow.js
@@ -84,4 +84,19 @@
 		p.catch(e => sink(e)); // NOT OK!
 	}
 	leaksRejectedPromise(new Promise((resolve, reject) => reject(source)));
+	
+	function leaksRejectedAgain(p) {
+		("foo", p).then(() => {}).catch(e => sink(e)); // NOT OK!
+	}
+	leaksRejectedAgain(new Promise((resolve, reject) => reject(source)).then(() => {}));
+	
+	async function returnsRejected(p) {
+		try {
+			await p;
+		} catch(e) {
+			return e;
+		}
+	}
+	var foo = returnsRejected(new Promise((resolve, reject) => reject(source)));
+	sink(foo); // NOT OK!
 })();
diff --git a/javascript/ql/test/library-tests/Promises/tests.expected b/javascript/ql/test/library-tests/Promises/tests.expected
@@ -36,6 +36,8 @@ test_PromiseDefinition_getExecutor
 | flow.js:65:9:65:56 | new Pro ... ource)) | flow.js:65:21:65:55 | (resolv ... source) |
 | flow.js:74:10:74:57 | new Pro ... ource)) | flow.js:74:22:74:56 | (resolv ... source) |
 | flow.js:86:23:86:70 | new Pro ... ource)) | flow.js:86:35:86:69 | (resolv ... source) |
+| flow.js:91:21:91:68 | new Pro ... ource)) | flow.js:91:33:91:67 | (resolv ... source) |
+| flow.js:100:28:100:75 | new Pro ... ource)) | flow.js:100:40:100:74 | (resolv ... source) |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:24:15:5 | functio ... ;\\n    } |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:29:5:3 | functio ... e);\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:30:17:3 | (res, r ... e);\\n  } |
@@ -58,6 +60,8 @@ test_PromiseDefinition
 | flow.js:65:9:65:56 | new Pro ... ource)) |
 | flow.js:74:10:74:57 | new Pro ... ource)) |
 | flow.js:86:23:86:70 | new Pro ... ource)) |
+| flow.js:91:21:91:68 | new Pro ... ource)) |
+| flow.js:100:28:100:75 | new Pro ... ource)) |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) |
@@ -71,6 +75,7 @@ test_PromiseDefinition_getAResolveHandler
 | flow.js:55:11:55:58 | new Pro ... ource)) | flow.js:56:19:56:26 | () => {} |
 | flow.js:60:12:60:59 | new Pro ... ource)) | flow.js:61:21:61:28 | () => {} |
 | flow.js:74:10:74:57 | new Pro ... ource)) | flow.js:74:64:74:71 | () => {} |
+| flow.js:91:21:91:68 | new Pro ... ource)) | flow.js:91:75:91:82 | () => {} |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:6:16:8:3 | functio ... al;\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:18:17:20:3 | (v) =>  ...  v;\\n  } |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:26:20:28:3 | (v) =>  ...  v;\\n  } |
@@ -90,6 +95,8 @@ test_PromiseDefinition_getRejectParameter
 | flow.js:65:9:65:56 | new Pro ... ource)) | flow.js:65:31:65:36 | reject |
 | flow.js:74:10:74:57 | new Pro ... ource)) | flow.js:74:32:74:37 | reject |
 | flow.js:86:23:86:70 | new Pro ... ource)) | flow.js:86:45:86:50 | reject |
+| flow.js:91:21:91:68 | new Pro ... ource)) | flow.js:91:43:91:48 | reject |
+| flow.js:100:28:100:75 | new Pro ... ource)) | flow.js:100:50:100:55 | reject |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:43:11:48 | reject |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:48:3:53 | reject |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:36:10:38 | rej |
@@ -109,6 +116,8 @@ test_PromiseDefinition_getResolveParameter
 | flow.js:65:9:65:56 | new Pro ... ource)) | flow.js:65:22:65:28 | resolve |
 | flow.js:74:10:74:57 | new Pro ... ource)) | flow.js:74:23:74:29 | resolve |
 | flow.js:86:23:86:70 | new Pro ... ource)) | flow.js:86:36:86:42 | resolve |
+| flow.js:91:21:91:68 | new Pro ... ource)) | flow.js:91:34:91:40 | resolve |
+| flow.js:100:28:100:75 | new Pro ... ource)) | flow.js:100:41:100:47 | resolve |
 | interflow.js:11:12:15:6 | new Pro ... \\n    }) | interflow.js:11:34:11:40 | resolve |
 | promises.js:3:17:5:4 | new Pro ... );\\n  }) | promises.js:3:39:3:45 | resolve |
 | promises.js:10:18:17:4 | new Pro ... );\\n  }) | promises.js:10:31:10:33 | res |
@@ -139,4 +148,6 @@ flow
 | flow.js:2:15:2:22 | "source" | flow.js:76:50:76:50 | e |
 | flow.js:2:15:2:22 | "source" | flow.js:79:20:79:20 | x |
 | flow.js:2:15:2:22 | "source" | flow.js:84:21:84:21 | e |
+| flow.js:2:15:2:22 | "source" | flow.js:89:45:89:45 | e |
+| flow.js:2:15:2:22 | "source" | flow.js:101:7:101:9 | foo |
 | interflow.js:3:18:3:25 | "source" | interflow.js:18:10:18:14 | error |
