Add UnhandledStreamPipee Quality query and tests to detect missing error handlers in Node.js streams

Napalys · Napalys · commit c27157f02162 · 2025-05-21T11:38:57.000+02:00
diff --git a/javascript/ql/src/Quality/UnhandledStreamPipe.ql b/javascript/ql/src/Quality/UnhandledStreamPipe.ql
@@ -0,0 +1,97 @@
+/**
+ * @id js/nodejs-stream-pipe-without-error-handling
+ * @name Node.js stream pipe without error handling
+ * @description Calling `pipe()` on a stream without error handling may silently drop errors and prevent proper propagation.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @tags quality
+ *       frameworks/nodejs
+ */
+
+import javascript
+
+/**
+ * A call to the `pipe` method on a Node.js stream.
+ */
+class PipeCall extends DataFlow::MethodCallNode {
+  PipeCall() { this.getMethodName() = "pipe" }
+
+  /** Gets the source stream (receiver of the pipe call). */
+  DataFlow::Node getSourceStream() { result = this.getReceiver() }
+
+  /** Gets the destination stream (argument of the pipe call). */
+  DataFlow::Node getDestinationStream() { result = this.getArgument(0) }
+}
+
+/**
+ * Gets the method names used to register event handlers on Node.js streams.
+ * These methods are used to attach handlers for events like `error`.
+ */
+string getEventHandlerMethodName() { result = ["on", "once", "addListener"] }
+
+/**
+ * A call to register an event handler on a Node.js stream.
+ * This includes methods like `on`, `once`, and `addListener`.
+ */
+class StreamEventRegistration extends DataFlow::MethodCallNode {
+  StreamEventRegistration() { this.getMethodName() = getEventHandlerMethodName() }
+
+  /** Gets the stream (receiver of the event handler). */
+  DataFlow::Node getStream() { result = this.getReceiver() }
+}
+
+/**
+ * Models flow relationships between streams and related operations.
+ * Connects destination streams to their corresponding pipe call nodes.
+ * Connects streams to their event handler registration nodes.
+ */
+predicate streamFlowStep(DataFlow::Node streamNode, DataFlow::Node relatedNode) {
+  exists(PipeCall pipe |
+    streamNode = pipe.getDestinationStream() and
+    relatedNode = pipe
+  )
+  or
+  exists(StreamEventRegistration handler |
+    streamNode = handler.getStream() and
+    relatedNode = handler
+  )
+}
+
+/**
+ * Gets a reference to a stream that may be the source of the given pipe call.
+ * Uses type back-tracking to trace stream references in the data flow.
+ */
+private DataFlow::SourceNode streamRef(DataFlow::TypeBackTracker t, PipeCall pipeCall) {
+  t.start() and
+  result = pipeCall.getSourceStream().getALocalSource()
+  or
+  exists(DataFlow::SourceNode prev |
+    prev = streamRef(t.continue(), pipeCall) and
+    streamFlowStep(result.getALocalUse(), prev)
+  )
+  or
+  exists(DataFlow::TypeBackTracker t2 | result = streamRef(t2, pipeCall).backtrack(t2, t))
+}
+
+/**
+ * Gets a reference to a stream that may be the source of the given pipe call.
+ */
+private DataFlow::SourceNode streamRef(PipeCall pipeCall) {
+  result = streamRef(DataFlow::TypeBackTracker::end(), pipeCall)
+}
+
+/**
+ * Holds if the source stream of the given pipe call has an `error` handler registered.
+ */
+predicate hasErrorHandlerRegistered(PipeCall pipeCall) {
+  exists(StreamEventRegistration handler |
+    handler = streamRef(pipeCall).getAMethodCall(getEventHandlerMethodName()) and
+    handler.getArgument(0).getStringValue() = "error"
+  )
+}
+
+from PipeCall pipeCall
+where not hasErrorHandlerRegistered(pipeCall)
+select pipeCall,
+  "Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped."
diff --git a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.expected b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.expected
@@ -0,0 +1,10 @@
+| test.js:4:5:4:28 | stream. ... nation) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:19:5:19:17 | s2.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:45:5:45:30 | stream2 ... ation2) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:60:5:60:30 | stream2 ... ation2) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:66:5:66:21 | stream.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:79:5:79:25 | s2.pipe ... ation2) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:94:5:94:21 | stream.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:109:26:109:37 | s.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:116:5:116:21 | stream.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
+| test.js:125:5:125:26 | getStre ... e(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
diff --git a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.js b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.js
@@ -0,0 +1,137 @@
+function test() {
+  {
+    const stream = getStream();
+    stream.pipe(destination); // $Alert
+  }
+  {
+    const stream = getStream();
+    stream.pipe(destination);
+    stream.on('error', handleError);
+  }
+  {
+    const stream = getStream();
+    stream.on('error', handleError);
+    stream.pipe(destination);
+  }
+  {
+    const stream = getStream();
+    const s2 = stream;
+    s2.pipe(dest); // $Alert
+  }
+  {
+    const stream = getStream();
+    stream.on('error', handleError);
+    const s2 = stream;
+    s2.pipe(dest);
+  }
+  {
+    const stream = getStream();
+    const s2 = stream;
+    s2.on('error', handleError);
+    s2.pipe(dest);
+  }
+  {
+    const s = getStream().on('error', handler);
+    const d = getDest();
+    s.pipe(d); 
+  }
+  {
+    getStream().on('error', handler).pipe(dest);
+  }
+  {
+    const stream = getStream();
+    stream.on('error', handleError);
+    const stream2 = stream.pipe(destination);
+    stream2.pipe(destination2); // $Alert
+  }
+  {
+    const stream = getStream();
+    stream.on('error', handleError);
+    const destination  = getDest();
+    destination.on('error', handleError);
+    const stream2 = stream.pipe(destination);
+    const s3 = stream2;
+    s = s3.pipe(destination2);
+  }
+  {
+    const stream = getStream();
+    stream.on('error', handleError);
+    const stream2 = stream.pipe(destination);
+    stream2.pipe(destination2); // $Alert
+  }
+  { // Error handler on destination instead of source
+    const stream = getStream();
+    const dest = getDest();
+    dest.on('error', handler);
+    stream.pipe(dest); // $Alert
+  }
+  { // Multiple aliases, error handler on one
+    const stream = getStream();
+    const alias1 = stream;
+    const alias2 = alias1;
+    alias2.on('error', handleError);
+    alias1.pipe(dest);
+  }
+  { // Multiple pipes, handler after first pipe
+    const stream = getStream();
+    const s2 = stream.pipe(destination1);
+    stream.on('error', handleError);
+    s2.pipe(destination2); // $Alert
+  }
+  { // Handler registered via .once
+    const stream = getStream();
+    stream.once('error', handleError);
+    stream.pipe(dest);
+  }
+  { // Handler registered with arrow function
+    const stream = getStream();
+    stream.on('error', (err) => handleError(err));
+    stream.pipe(dest);
+  }
+  { // Handler registered for unrelated event
+    const stream = getStream();
+    stream.on('close', handleClose);
+    stream.pipe(dest); // $Alert
+  }
+  { // Error handler registered after pipe, but before error
+    const stream = getStream();
+    stream.pipe(dest);
+    setTimeout(() => stream.on('error', handleError), 8000); // $MISSING:Alert
+  }
+  { // Pipe in a function, error handler outside
+    const stream = getStream();
+    function doPipe(s) { s.pipe(dest); } 
+    stream.on('error', handleError);
+    doPipe(stream);
+  }
+  { // Pipe in a function, error handler not set
+    const stream = getStream();
+    function doPipe(s) { s.pipe(dest); } // $Alert
+    doPipe(stream);
+  }
+  { // Dynamic event assignment
+    const stream = getStream();
+    const event = 'error';
+    stream.on(event, handleError);
+    stream.pipe(dest);  // $SPURIOUS:Alert
+  }
+  { // Handler assigned via variable property
+    const stream = getStream();
+    const handler = handleError;
+    stream.on('error', handler);
+    stream.pipe(dest);
+  }
+  { // Pipe with no intermediate variable, no error handler
+    getStream().pipe(dest); // $Alert
+  }
+  { // Handler set via .addListener synonym
+    const stream = getStream();
+    stream.addListener('error', handleError);
+    stream.pipe(dest);
+  }
+  { // Handler set via .once after .pipe
+    const stream = getStream();
+    stream.pipe(dest);
+    stream.once('error', handleError);
+  }
+}
diff --git a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.qlref b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.qlref
@@ -0,0 +1,2 @@
+query: Quality/UnhandledStreamPipe.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+query: Quality/UnhandledStreamPipe.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`