refactor miscellaneous expression uses to dataflow nodes

erik-krogh · erik-krogh · commit 024c69024880 · 2022-04-01T14:52:08.000+02:00
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CoreKnowledge.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CoreKnowledge.qll
@@ -175,7 +175,7 @@ predicate isOtherModeledArgument(DataFlow::Node n, FilteringReason reason) {
   or
   n instanceof CryptographicKey and reason instanceof CryptographicKeyReason
   or
-  any(CryptographicOperation op).getInput().flow() = n and
+  any(CryptographicOperation op).getInput() = n and
   reason instanceof CryptographicOperationFlowReason
   or
   exists(DataFlow::CallNode call | n = call.getAnArgument() |
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
@@ -144,7 +144,7 @@ private module AccessPaths {
       not param = base.getReceiver()
     |
       result = param and
-      name = param.getAnImmediateUse().asExpr().(Parameter).getName()
+      name = param.getAnImmediateUse().(DataFlow::ParameterNode).getName()
       or
       param.getAnImmediateUse().asExpr() instanceof DestructuringPattern and
       result = param.getMember(name)
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
@@ -562,6 +562,14 @@ class ObjectLiteralNode extends DataFlow::ValueNode, DataFlow::SourceNode {
   DataFlow::FunctionNode getPropertySetter(string name) {
     result = astNode.getPropertyByName(name).(PropertySetter).getInit().flow()
   }
+
+  /** Gets the value of a computed property name of this object literal, such as `x` in `{[x]: 1}` */
+  DataFlow::Node getAComputedPropertyName() {
+    exists(Property prop | prop = astNode.getAProperty() |
+      prop.isComputed() and
+      result = prop.getNameExpr().flow()
+    )
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -516,17 +516,13 @@ module TaintTracking {
    */
   private class HeapTaintStep extends SharedTaintStep {
     override predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(Expr e, Expr f | e = succ.asExpr() and f = pred.asExpr() |
-        exists(Property prop | e.(ObjectExpr).getAProperty() = prop |
-          prop.isComputed() and f = prop.getNameExpr()
-        )
-        or
-        // spreading a tainted object into an object literal gives a tainted object
-        e.(ObjectExpr).getAProperty().(SpreadProperty).getInit().(SpreadElement).getOperand() = f
-        or
-        // spreading a tainted value into an array literal gives a tainted array
-        e.(ArrayExpr).getAnElement().(SpreadElement).getOperand() = f
-      )
+      succ.(DataFlow::ObjectLiteralNode).getAComputedPropertyName() = pred
+      or
+      // spreading a tainted object into an object literal gives a tainted object
+      succ.(DataFlow::ObjectLiteralNode).getASpreadProperty() = pred
+      or
+      // spreading a tainted value into an array literal gives a tainted array
+      succ.(DataFlow::ArrayCreationNode).getASpreadArgument() = pred
       or
       // arrays with tainted elements and objects with tainted property names are tainted
       succ.(DataFlow::ArrayCreationNode).getAnElement() = pred and
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll b/javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll
@@ -68,7 +68,7 @@ private class TrackStringsInAngularCode extends DataFlow::SourceNode::Range, Dat
  */
 private DataFlow::CallNode angularModuleCall(string name) {
   result = angular().getAMemberCall("module") and
-  result.getArgument(0).asExpr().mayHaveStringValue(name)
+  result.getArgument(0).mayHaveStringValue(name)
 }
 
 /**
@@ -280,7 +280,7 @@ abstract class CustomDirective extends DirectiveInstance {
   InjectableFunction getController() { result = this.getMember("controller") }
 
   /** Gets the template URL of this directive, if any. */
-  string getTemplateUrl() { this.getMember("templateUrl").asExpr().mayHaveStringValue(result) }
+  string getTemplateUrl() { this.getMember("templateUrl").mayHaveStringValue(result) }
 
   /**
    * Gets a template file for this directive, if any.
@@ -298,9 +298,7 @@ abstract class CustomDirective extends DirectiveInstance {
     else result = DirectiveInstance.super.getAScope()
   }
 
-  private string getRestrictionString() {
-    this.getMember("restrict").asExpr().mayHaveStringValue(result)
-  }
+  private string getRestrictionString() { this.getMember("restrict").mayHaveStringValue(result) }
 
   private predicate hasTargetType(DirectiveTargetType type) {
     not exists(this.getRestrictionString()) or
@@ -383,10 +381,12 @@ class GeneralDirective extends CustomDirective, MkCustomDirective {
   override DataFlow::FunctionNode getALinkFunction() { result = this.getLinkFunction(_) }
 
   override predicate bindsToController() {
-    this.getMemberInit("bindToController").asExpr().mayHaveBooleanValue(true)
+    this.getMemberInit("bindToController").mayHaveBooleanValue(true)
   }
 
-  override predicate hasIsolateScope() { this.getMember("scope").asExpr() instanceof ObjectExpr }
+  override predicate hasIsolateScope() {
+    this.getMember("scope") instanceof DataFlow::ObjectLiteralNode
+  }
 }
 
 /**
@@ -930,9 +930,7 @@ class RouteSetup extends DataFlow::CallNode, DependencyInjection {
     |
       result = controllerProperty
       or
-      exists(ControllerDefinition def |
-        controllerProperty.asExpr().mayHaveStringValue(def.getName())
-      |
+      exists(ControllerDefinition def | controllerProperty.mayHaveStringValue(def.getName()) |
         result = def.getAService()
       )
     )
@@ -1012,15 +1010,15 @@ private class RouteInstantiatedController extends Controller {
 
   override predicate boundTo(DOM::ElementDefinition elem) {
     exists(string url, HTML::HtmlFile template |
-      setup.getRouteParam("templateUrl").asExpr().mayHaveStringValue(url) and
+      setup.getRouteParam("templateUrl").mayHaveStringValue(url) and
       template.getAbsolutePath().regexpMatch(".*\\Q" + url + "\\E") and
       elem.getFile() = template
     )
   }
 
   override predicate boundToAs(DOM::ElementDefinition elem, string name) {
     this.boundTo(elem) and
-    setup.getRouteParam("controllerAs").asExpr().mayHaveStringValue(name)
+    setup.getRouteParam("controllerAs").mayHaveStringValue(name)
   }
 }
 
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/AngularJS/ServiceDefinitions.qll b/javascript/ql/lib/semmle/javascript/frameworks/AngularJS/ServiceDefinitions.qll
@@ -244,7 +244,7 @@ abstract class RecipeDefinition extends DataFlow::CallNode, CustomServiceDefinit
       this = moduleRef(_).getAMethodCall(methodName) or
       this = builtinServiceRef("$provide").getAMethodCall(methodName)
     ) and
-    getArgument(0).asExpr().mayHaveStringValue(name)
+    getArgument(0).mayHaveStringValue(name)
   }
 
   override string getName() { result = name }
@@ -281,7 +281,7 @@ private predicate isCustomServiceDefinitionOnModule(
   DataFlow::Node factoryArgument
 ) {
   mce = moduleRef(_).getAMethodCall(moduleMethodName) and
-  mce.getArgument(0).asExpr().mayHaveStringValue(serviceName) and
+  mce.getArgument(0).mayHaveStringValue(serviceName) and
   factoryArgument = mce.getArgument(1)
 }
 
@@ -296,7 +296,7 @@ private predicate isCustomServiceDefinitionOnProvider(
     factoryArgument = mce.getOptionArgument(0, serviceName)
     or
     mce.getNumArgument() = 2 and
-    mce.getArgument(0).asExpr().mayHaveStringValue(serviceName) and
+    mce.getArgument(0).mayHaveStringValue(serviceName) and
     factoryArgument = mce.getArgument(1)
   )
 }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -962,7 +962,7 @@ module Express {
      * Example: `fun` for `router1.use(fun)` or `router.use("/route", fun)`
      */
     HTTP::RouteHandler getARouteHandler() {
-      result.(DataFlow::SourceNode).flowsToExpr(this.getARouteSetup().getAnArgument().asExpr())
+      result.(DataFlow::SourceNode).flowsTo(this.getARouteSetup().getAnArgument())
     }
 
     /**
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
@@ -35,11 +35,10 @@ module NextJS {
    */
   Module getAModuleWithFallbackPaths() {
     result = getAPagesModule() and
-    exists(DataFlow::FunctionNode staticPaths, Expr fallback |
+    exists(DataFlow::FunctionNode staticPaths, DataFlow::Node fallback |
       staticPaths = result.getAnExportedValue("getStaticPaths").getAFunctionValue() and
-      fallback =
-        staticPaths.getAReturn().getALocalSource().getAPropertyWrite("fallback").getRhs().asExpr() and
-      not fallback.(BooleanLiteral).getValue() = "false"
+      fallback = staticPaths.getAReturn().getALocalSource().getAPropertyWrite("fallback").getRhs() and
+      not fallback.mayHaveBooleanValue(false)
     )
   }
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
@@ -165,7 +165,7 @@ module ExternalApiUsedWithUntrustedData {
       not param = base.getReceiver()
     |
       result = param and
-      name = param.getAnImmediateUse().asExpr().(Parameter).getName()
+      name = param.getAnImmediateUse().(DataFlow::ParameterNode).getName()
       or
       param.getAnImmediateUse().asExpr() instanceof DestructuringPattern and
       result = param.getMember(name)

Original file line number	Diff line number	Diff line change
`@@ -144,7 +144,7 @@ private module AccessPaths {`
`144`	`144`	`not param = base.getReceiver()`
`145`	`145`	`\|`
`146`	`146`	`result = param and`
`147`		`- name = param.getAnImmediateUse().asExpr().(Parameter).getName()`
	`147`	`+ name = param.getAnImmediateUse().(DataFlow::ParameterNode).getName()`
`148`	`148`	`or`
`149`	`149`	`param.getAnImmediateUse().asExpr() instanceof DestructuringPattern and`
`150`	`150`	`result = param.getMember(name)`
Original file line number	Diff line number	Diff line change
`@@ -562,6 +562,14 @@ class ObjectLiteralNode extends DataFlow::ValueNode, DataFlow::SourceNode {`
`562`	`562`	`DataFlow::FunctionNode getPropertySetter(string name) {`
`563`	`563`	`result = astNode.getPropertyByName(name).(PropertySetter).getInit().flow()`
`564`	`564`	`}`
	`565`	`+`
	`566`	+ /** Gets the value of a computed property name of this object literal, such as `x` in `{[x]: 1}` */
	`567`	`+ DataFlow::Node getAComputedPropertyName() {`
	`568`	`+ exists(Property prop \| prop = astNode.getAProperty() \|`
	`569`	`+ prop.isComputed() and`
	`570`	`+ result = prop.getNameExpr().flow()`
	`571`	`+ )`
	`572`	`+ }`
`565`	`573`	`}`
`566`	`574`
`567`	`575`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ private class TrackStringsInAngularCode extends DataFlow::SourceNode::Range, Dat`
`68`	`68`	`*/`
`69`	`69`	`private DataFlow::CallNode angularModuleCall(string name) {`
`70`	`70`	`result = angular().getAMemberCall("module") and`
`71`		`- result.getArgument(0).asExpr().mayHaveStringValue(name)`
	`71`	`+ result.getArgument(0).mayHaveStringValue(name)`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`/**`
`@@ -280,7 +280,7 @@ abstract class CustomDirective extends DirectiveInstance {`
`280`	`280`	`InjectableFunction getController() { result = this.getMember("controller") }`
`281`	`281`
`282`	`282`	`/** Gets the template URL of this directive, if any. */`
`283`		`- string getTemplateUrl() { this.getMember("templateUrl").asExpr().mayHaveStringValue(result) }`
	`283`	`+ string getTemplateUrl() { this.getMember("templateUrl").mayHaveStringValue(result) }`
`284`	`284`
`285`	`285`	`/**`
`286`	`286`	`* Gets a template file for this directive, if any.`
`@@ -298,9 +298,7 @@ abstract class CustomDirective extends DirectiveInstance {`
`298`	`298`	`else result = DirectiveInstance.super.getAScope()`
`299`	`299`	`}`
`300`	`300`
`301`		`- private string getRestrictionString() {`
`302`		`- this.getMember("restrict").asExpr().mayHaveStringValue(result)`
`303`		`- }`
	`301`	`+ private string getRestrictionString() { this.getMember("restrict").mayHaveStringValue(result) }`
`304`	`302`
`305`	`303`	`private predicate hasTargetType(DirectiveTargetType type) {`
`306`	`304`	`not exists(this.getRestrictionString()) or`
`@@ -383,10 +381,12 @@ class GeneralDirective extends CustomDirective, MkCustomDirective {`
`383`	`381`	`override DataFlow::FunctionNode getALinkFunction() { result = this.getLinkFunction(_) }`
`384`	`382`
`385`	`383`	`override predicate bindsToController() {`
`386`		`- this.getMemberInit("bindToController").asExpr().mayHaveBooleanValue(true)`
	`384`	`+ this.getMemberInit("bindToController").mayHaveBooleanValue(true)`
`387`	`385`	`}`
`388`	`386`
`389`		`- override predicate hasIsolateScope() { this.getMember("scope").asExpr() instanceof ObjectExpr }`
	`387`	`+ override predicate hasIsolateScope() {`
	`388`	`+ this.getMember("scope") instanceof DataFlow::ObjectLiteralNode`
	`389`	`+ }`
`390`	`390`	`}`
`391`	`391`
`392`	`392`	`/**`
`@@ -930,9 +930,7 @@ class RouteSetup extends DataFlow::CallNode, DependencyInjection {`
`930`	`930`	`\|`
`931`	`931`	`result = controllerProperty`
`932`	`932`	`or`
`933`		`- exists(ControllerDefinition def \|`
`934`		`- controllerProperty.asExpr().mayHaveStringValue(def.getName())`
`935`		`- \|`
	`933`	`+ exists(ControllerDefinition def \| controllerProperty.mayHaveStringValue(def.getName()) \|`
`936`	`934`	`result = def.getAService()`
`937`	`935`	`)`
`938`	`936`	`)`
`@@ -1012,15 +1010,15 @@ private class RouteInstantiatedController extends Controller {`
`1012`	`1010`
`1013`	`1011`	`override predicate boundTo(DOM::ElementDefinition elem) {`
`1014`	`1012`	`exists(string url, HTML::HtmlFile template \|`
`1015`		`- setup.getRouteParam("templateUrl").asExpr().mayHaveStringValue(url) and`
	`1013`	`+ setup.getRouteParam("templateUrl").mayHaveStringValue(url) and`
`1016`	`1014`	`template.getAbsolutePath().regexpMatch(".*\\Q" + url + "\\E") and`
`1017`	`1015`	`elem.getFile() = template`
`1018`	`1016`	`)`
`1019`	`1017`	`}`
`1020`	`1018`
`1021`	`1019`	`override predicate boundToAs(DOM::ElementDefinition elem, string name) {`
`1022`	`1020`	`this.boundTo(elem) and`
`1023`		`- setup.getRouteParam("controllerAs").asExpr().mayHaveStringValue(name)`
	`1021`	`+ setup.getRouteParam("controllerAs").mayHaveStringValue(name)`
`1024`	`1022`	`}`
`1025`	`1023`	`}`
`1026`	`1024`
Original file line number	Diff line number	Diff line change
`@@ -244,7 +244,7 @@ abstract class RecipeDefinition extends DataFlow::CallNode, CustomServiceDefinit`
`244`	`244`	`this = moduleRef(_).getAMethodCall(methodName) or`
`245`	`245`	`this = builtinServiceRef("$provide").getAMethodCall(methodName)`
`246`	`246`	`) and`
`247`		`- getArgument(0).asExpr().mayHaveStringValue(name)`
	`247`	`+ getArgument(0).mayHaveStringValue(name)`
`248`	`248`	`}`
`249`	`249`
`250`	`250`	`override string getName() { result = name }`
`@@ -281,7 +281,7 @@ private predicate isCustomServiceDefinitionOnModule(`
`281`	`281`	`DataFlow::Node factoryArgument`
`282`	`282`	`) {`
`283`	`283`	`mce = moduleRef(_).getAMethodCall(moduleMethodName) and`
`284`		`- mce.getArgument(0).asExpr().mayHaveStringValue(serviceName) and`
	`284`	`+ mce.getArgument(0).mayHaveStringValue(serviceName) and`
`285`	`285`	`factoryArgument = mce.getArgument(1)`
`286`	`286`	`}`
`287`	`287`
`@@ -296,7 +296,7 @@ private predicate isCustomServiceDefinitionOnProvider(`
`296`	`296`	`factoryArgument = mce.getOptionArgument(0, serviceName)`
`297`	`297`	`or`
`298`	`298`	`mce.getNumArgument() = 2 and`
`299`		`- mce.getArgument(0).asExpr().mayHaveStringValue(serviceName) and`
	`299`	`+ mce.getArgument(0).mayHaveStringValue(serviceName) and`
`300`	`300`	`factoryArgument = mce.getArgument(1)`
`301`	`301`	`)`
`302`	`302`	`}`
Original file line number	Diff line number	Diff line change
`@@ -962,7 +962,7 @@ module Express {`
`962`	`962`	* Example: `fun` for `router1.use(fun)` or `router.use("/route", fun)`
`963`	`963`	`*/`
`964`	`964`	`HTTP::RouteHandler getARouteHandler() {`
`965`		`- result.(DataFlow::SourceNode).flowsToExpr(this.getARouteSetup().getAnArgument().asExpr())`
	`965`	`+ result.(DataFlow::SourceNode).flowsTo(this.getARouteSetup().getAnArgument())`
`966`	`966`	`}`
`967`	`967`
`968`	`968`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -35,11 +35,10 @@ module NextJS {`
`35`	`35`	`*/`
`36`	`36`	`Module getAModuleWithFallbackPaths() {`
`37`	`37`	`result = getAPagesModule() and`
`38`		`- exists(DataFlow::FunctionNode staticPaths, Expr fallback \|`
	`38`	`+ exists(DataFlow::FunctionNode staticPaths, DataFlow::Node fallback \|`
`39`	`39`	`staticPaths = result.getAnExportedValue("getStaticPaths").getAFunctionValue() and`
`40`		`- fallback =`
`41`		`- staticPaths.getAReturn().getALocalSource().getAPropertyWrite("fallback").getRhs().asExpr() and`
`42`		`- not fallback.(BooleanLiteral).getValue() = "false"`
	`40`	`+ fallback = staticPaths.getAReturn().getALocalSource().getAPropertyWrite("fallback").getRhs() and`
	`41`	`+ not fallback.mayHaveBooleanValue(false)`
`43`	`42`	`)`
`44`	`43`	`}`
`45`	`44`
Original file line number	Diff line number	Diff line change
`@@ -165,7 +165,7 @@ module ExternalApiUsedWithUntrustedData {`
`165`	`165`	`not param = base.getReceiver()`
`166`	`166`	`\|`
`167`	`167`	`result = param and`
`168`		`- name = param.getAnImmediateUse().asExpr().(Parameter).getName()`
	`168`	`+ name = param.getAnImmediateUse().(DataFlow::ParameterNode).getName()`
`169`	`169`	`or`
`170`	`170`	`param.getAnImmediateUse().asExpr() instanceof DestructuringPattern and`
`171`	`171`	`result = param.getMember(name)`