FlowSummaryPrivate.qll
/**
* Provides JS-specific classes and predicates for defining flow summaries.
*/
private import javascript
private import semmle.javascript.dataflow.internal.DataFlowPrivate
private import semmle.javascript.dataflow.internal.Contents::Private
private import sharedlib.DataFlowImplCommon
private import sharedlib.FlowSummaryImpl::Private as Private
private import sharedlib.FlowSummaryImpl::Public
private import codeql.dataflow.internal.AccessPathSyntax as AccessPathSyntax
private import semmle.javascript.internal.flow_summaries.ExceptionFlow
/**
 * A class of callables that are candidates for flow summary modeling.
 *
 * This is declared as an alias of `string`, so a candidate callable is
 * represented by a string value in this library.
 */
class SummarizedCallableBase = string;
/**
 * The type used for the `source` parameter of `FlowSummaryStepInput::getSourceNode`.
 *
 * The characteristic predicate is `none()`, so this class has no values.
 * NOTE(review): presumably this means sources are not contributed through
 * this interface for JS; confirm against the shared library.
 */
class SourceBase extends Unit {
  SourceBase() {
    // Deliberately empty: no value of `Unit` is a `SourceBase`.
    none()
  }
}
/**
 * The type used for the `sink` parameter of `FlowSummaryStepInput::getSinkNode`.
 *
 * The characteristic predicate is `none()`, so this class has no values.
 * NOTE(review): presumably this means sinks are not contributed through
 * this interface for JS; confirm against the shared library.
 */
class SinkBase extends Unit {
  SinkBase() {
    // Deliberately empty: no value of `Unit` is a `SinkBase`.
    none()
  }
}
/**
 * Gets the parameter position representing a callback itself, if any.
 *
 * The result is any position for which `isFunctionSelfReference()` holds.
 * NOTE(review): the declared result type is `ArgumentPosition` although the
 * name speaks of a parameter position; presumably the two types coincide in
 * this library. Confirm.
 */
ArgumentPosition callbackSelfParameterPosition() {
  result.isFunctionSelfReference()
}
/**
 * Gets the content set corresponding to `Awaited[arg]`.
 *
 * Only two arguments are recognized: `"value"` maps to
 * `ContentSet::promiseValue()` and `"error"` maps to
 * `ContentSet::promiseError()`. There is no result for any other `arg`.
 */
private ContentSet getPromiseContent(string arg) {
  result = ContentSet::promiseError() and arg = "error"
  or
  result = ContentSet::promiseValue() and arg = "value"
}
/**
 * Holds if `operand` is the textual form of position `pos`.
 *
 * The forms produced here are:
 * - `"this"` for the position where `isThis()` holds,
 * - `"function"` for the position where `isFunctionSelfReference()` holds,
 * - the decimal index for a positional position,
 * - `"n.."` for a position with positional lower bound `n`.
 */
pragma[nomagic]
private predicate positionName(ParameterPosition pos, string operand) {
  pos.isThis() and operand = "this"
  or
  pos.isFunctionSelfReference() and operand = "function"
  or
  operand = pos.asPositional().toString()
  or
  operand = pos.asPositionalLowerBound() + ".."
}
/**
 * Holds if `operand` desugars to the given `pos`. Only used for parsing.
 *
 * Two spellings are handled: `"any"`, which desugars to the position whose
 * positional lower bound is 0, and any operand that
 * `AccessPathSyntax::parseInt` accepts, which desugars to the positional
 * position(s) with the parsed index.
 */
bindingset[operand]
private predicate desugaredPositionName(ParameterPosition pos, string operand) {
  pos.asPositional() = AccessPathSyntax::parseInt(operand) // parse closed intervals
  or
  operand = "any" and
  pos.asPositionalLowerBound() = 0
}
/**
 * Gets the token name used for content set `cs`, with `arg` bound to the
 * token's argument (the empty string when the token takes none).
 *
 * This covers every content set that has a dedicated token. Content sets with
 * no result here are handled by the `Member` fallback in `encodeContent`.
 */
private string encodeContentAux(ContentSet cs, string arg) {
  // All array-element variants share one token name and differ only in `arg`.
  result = "ArrayElement" and
  (
    cs = ContentSet::arrayElement() and arg = ""
    or
    cs = ContentSet::arrayElementUnknown() and arg = "?"
    or
    exists(int index |
      cs = ContentSet::arrayElementLowerBound(index) and
      index > 0 and // a lower bound of 0 is just 'ArrayElement'
      arg = index + ".."
      or
      cs = ContentSet::arrayElementKnown(index) and
      arg = index.toString()
      or
      // A property whose name is a non-negative integer is written as
      // `ArrayElement[n!]`, which also keeps it out of the `Member` fallback.
      index = cs.asPropertyName().toInt() and
      index >= 0 and
      arg = index + "!"
    )
  )
  or
  // Tokens that never take an argument.
  arg = "" and
  (
    cs = ContentSet::mapValueAll() and result = "MapValue"
    or
    cs = ContentSet::mapKey() and result = "MapKey"
    or
    cs = ContentSet::setElement() and result = "SetElement"
    or
    cs = ContentSet::iteratorElement() and result = "IteratorElement"
    or
    cs = ContentSet::iteratorError() and result = "IteratorError"
    or
    cs = ContentSet::anyProperty() and result = "AnyMember"
    or
    cs = MkAwaited() and result = "Awaited"
    or
    cs = MkAnyPropertyDeep() and result = "AnyMemberDeep"
    or
    cs = MkArrayElementDeep() and result = "ArrayElementDeep"
  )
  or
  // `Awaited[value]` and `Awaited[error]`.
  result = "Awaited" and cs = getPromiseContent(arg)
  or
  result = "OptionalStep" and cs = MkOptionalStep(arg)
  or
  result = "OptionalBarrier" and cs = MkOptionalBarrier(arg)
}
/**
 * Gets the textual representation of content `cs` used in MaD.
 *
 * `arg` will be printed in square brackets (`[]`) after the result, unless
 * `arg` is the empty string.
 *
 * Content sets that `encodeContentAux` recognizes use its token. Every other
 * content set is written as `Member`, with `arg` being the string form of
 * `cs.asSingleton()`.
 */
string encodeContent(ContentSet cs, string arg) {
  // Fallback: applies only when no dedicated token exists for `cs`.
  not exists(encodeContentAux(cs, _)) and
  arg = cs.asSingleton().toString() and
  result = "Member"
  or
  result = encodeContentAux(cs, arg)
}
/**
 * Gets the textual representation of a parameter position in the format used
 * for flow summaries.
 *
 * The text comes from `positionName`. The spelling `"any"` is explicitly
 * excluded as a result.
 */
string encodeParameterPosition(ParameterPosition pos) {
  result != "any" and
  positionName(pos, result)
}
/**
 * Gets the textual representation of an argument position in the format used
 * for flow summaries.
 *
 * The text comes from `positionName`, the same predicate used for parameter
 * positions. The spelling `"any"` is explicitly excluded as a result.
 */
string encodeArgumentPosition(ArgumentPosition pos) {
  result != "any" and
  positionName(pos, result)
}
/**
 * Gets the return kind corresponding to specification `"ReturnValue"`.
 *
 * The result is `MkNormalReturnKind()`. `Stage::ref()` always holds (it is
 * defined as `1 = 1` in this file), so it does not restrict the result.
 * NOTE(review): presumably it is only there to tie this predicate to the
 * cached `Stage` module; confirm.
 */
ReturnKind getStandardReturnValueKind() {
  Stage::ref() and
  result = MkNormalReturnKind()
}
/**
 * The JS-specific input for the shared flow-summary step library, implementing
 * `Private::StepsInputSig`.
 */
private module FlowSummaryStepInput implements Private::StepsInputSig {
  /**
   * Gets a call to the summarized callable `sc`.
   *
   * A call qualifies if its `asOrdinaryCall()` is reported by any of
   * `getACall()`, `getACallSimple()` or
   * `LibraryCallableInternal::getACallStage2()` on the callable.
   */
  DataFlowCall getACall(SummarizedCallable sc) {
    exists(LibraryCallable lib | lib = sc |
      result.asOrdinaryCall() = lib.getACall()
      or
      result.asOrdinaryCall() = lib.getACallSimple()
      or
      result.asOrdinaryCall() = lib.(LibraryCallableInternal).getACallStage2()
    )
  }

  /** Has no result: no source nodes are provided through this input. */
  DataFlow::Node getSourceNode(SourceBase source, Private::SummaryComponent sc) {
    none()
  }

  /** Has no result: no sink nodes are provided through this input. */
  DataFlow::Node getSinkNode(SinkBase sink, Private::SummaryComponent sc) {
    none()
  }
}
/** The shared flow-summary steps, instantiated with the JS-specific `FlowSummaryStepInput`. */
module Steps = Private::Steps<FlowSummaryStepInput>;
/** The shared summarized-callable rendering module, instantiated with `FlowSummaryStepInput`. */
module RenderSummarizedCallable = Private::RenderSummarizedCallable<FlowSummaryStepInput>;
/** An alias for the shared library's `Private::AccessPath`. */
class AccessPath = Private::AccessPath;
/** An alias for the shared library's `Private::AccessPathToken`. */
class AccessPathToken = Private::AccessPathToken;
/**
 * Gets the textual representation of return kind `rk` used in MaD.
 *
 * `arg` will be printed in square brackets (`[]`) after the result, unless
 * `arg` is the empty string.
 *
 * Both return kinds use the token `ReturnValue`: a normal return has an empty
 * `arg`, and an exceptional return has `arg = "exception"`.
 */
string encodeReturn(ReturnKind rk, string arg) {
  rk = MkNormalReturnKind() and arg = "" and result = "ReturnValue"
  or
  rk = MkExceptionalReturnKind() and arg = "exception" and result = "ReturnValue"
}
/**
 * Gets the textual representation of without-content `c` used in MaD.
 *
 * `arg` will be printed in square brackets (`[]`) after the result, unless
 * `arg` is the empty string.
 *
 * The result is the `encodeContent` token for `c` prefixed with `Without`.
 */
string encodeWithoutContent(ContentSet c, string arg) {
  result = "Without" + encodeContent(c, arg)
}
/**
 * Gets the textual representation of with-content `c` used in MaD.
 *
 * `arg` will be printed in square brackets (`[]`) after the result, unless
 * `arg` is the empty string.
 *
 * The result is the `encodeContent` token for `c` prefixed with `With`.
 */
string encodeWithContent(ContentSet c, string arg) {
  result = "With" + encodeContent(c, arg)
}
/**
 * Gets a parameter position corresponding to the unknown token `token`.
 *
 * The token is unknown because it could not be reverse-encoded using the
 * `encodeParameterPosition` predicate. This is useful for example when a
 * single token gives rise to multiple parameter positions, such as ranges
 * `0..n`.
 *
 * Only tokens named `Argument` are decoded, through `desugaredPositionName`.
 * NOTE(review): matching `Argument` for a parameter position looks deliberate
 * (a summary's `Argument[i]` presumably denotes the callee's parameter `i`);
 * confirm against the shared library before changing it.
 */
bindingset[token]
ParameterPosition decodeUnknownParameterPosition(AccessPathSyntax::AccessPathTokenBase token) {
  desugaredPositionName(result, token.getAnArgument()) and
  token.getName() = "Argument"
}
/**
 * Gets an argument position corresponding to the unknown token `token`.
 *
 * The token is unknown because it could not be reverse-encoded using the
 * `encodeArgumentPosition` predicate. This is useful for example when a
 * single token gives rise to multiple argument positions, such as ranges
 * `0..n`.
 *
 * Only tokens named `Parameter` are decoded, through `desugaredPositionName`.
 * NOTE(review): matching `Parameter` for an argument position looks
 * deliberate (the mirror image of `decodeUnknownParameterPosition`); confirm
 * against the shared library before changing it.
 */
bindingset[token]
ArgumentPosition decodeUnknownArgumentPosition(AccessPathSyntax::AccessPathTokenBase token) {
  desugaredPositionName(result, token.getAnArgument()) and
  token.getName() = "Parameter"
}
/**
 * Gets a content corresponding to the unknown token `token`.
 *
 * The token is unknown because it could not be reverse-encoded using the
 * `encodeContent` predicate.
 *
 * This implementation never has a result, so no extra content spellings are
 * accepted beyond those `encodeContent` produces.
 * NOTE(review): presumably a model row using an unrecognized content token
 * then contributes no flow rather than raising an error here. When auditing
 * coverage, verify how such tokens are reported.
 */
bindingset[token]
ContentSet decodeUnknownContent(AccessPathSyntax::AccessPathTokenBase token) {
  none()
}
/**
 * Gets a return kind corresponding to the unknown token `token`.
 *
 * The token is unknown because it could not be reverse-encoded using the
 * `encodeReturn` predicate.
 *
 * This implementation never has a result, so only the spellings produced by
 * `encodeReturn` are accepted.
 */
bindingset[token]
ReturnKind decodeUnknownReturn(AccessPathSyntax::AccessPathTokenBase token) {
  none()
}
/**
 * Gets a without-content corresponding to the unknown token `token`.
 *
 * The token is unknown because it could not be reverse-encoded using the
 * `encodeWithoutContent` predicate.
 *
 * This implementation never has a result, so only the spellings produced by
 * `encodeWithoutContent` are accepted.
 */
bindingset[token]
ContentSet decodeUnknownWithoutContent(AccessPathSyntax::AccessPathTokenBase token) {
  none()
}
/**
 * Gets a with-content corresponding to the unknown token `token`.
 *
 * The token is unknown because it could not be reverse-encoded using the
 * `encodeWithContent` predicate.
 *
 * This implementation never has a result, so only the spellings produced by
 * `encodeWithContent` are accepted.
 */
bindingset[token]
ContentSet decodeUnknownWithContent(AccessPathSyntax::AccessPathTokenBase token) {
  none()
}
/**
 * A cached module with two cached predicates and no other members.
 *
 * NOTE(review): this looks like the usual cached-stage pattern, where `ref()`
 * is referenced from predicates that should be evaluated together and
 * `backref()` refers back to them; confirm before editing, since the exact
 * form of these predicates may matter for caching.
 */
cached
module Stage {
/** Always holds (`1 = 1`). Referenced by `getStandardReturnValueKind` in this file. */
cached
predicate ref() { 1 = 1 }
/** Holds if `optionalStep` holds for at least one combination of arguments. */
cached
predicate backref() { optionalStep(_, _, _) }
}
/** An alias for the one-argument `Private::unsupportedCallable` predicate of the shared library. */
predicate unsupportedCallable = Private::unsupportedCallable/1;
/** An alias for the four-argument `Private::unsupportedCallable` predicate of the shared library. */
predicate unsupportedCallable = Private::unsupportedCallable/4;