Merge pull request #2362 from erik-krogh/promiseAll

semmle-qlci · web-flow · commit a2827e9503b6 · 2019-11-27T12:35:04.000Z
Approved by max-schaefer
diff --git a/javascript/ql/src/Statements/UseOfReturnlessFunction.ql b/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
@@ -68,7 +68,7 @@ predicate benignContext(Expr e) {
   any(InvokeExpr invoke).getCallee() = e
   or
   // arguments to Promise.resolve (and promise library variants) are benign. 
-  e = any(ResolvedPromiseDefinition promise).getValue().asExpr()
+  e = any(PromiseCreationCall promise).getValue().asExpr()
 }
 
 predicate oneshotClosure(DataFlow::CallNode call) {
@@ -198,7 +198,7 @@ module Deferred {
   /**
    * A resolved promise created by a `new Deferred().resolve()` call.
    */
-  class ResolvedDeferredPromiseDefinition extends ResolvedPromiseDefinition {
+  class ResolvedDeferredPromiseDefinition extends PromiseCreationCall {
     ResolvedDeferredPromiseDefinition() {
       this = any(DeferredPromiseDefinition def).ref().getAMethodCall("resolve")
     }
diff --git a/javascript/ql/src/semmle/javascript/Promises.qll b/javascript/ql/src/semmle/javascript/Promises.qll
@@ -30,6 +30,22 @@ module Bluebird {
 
     override DataFlow::Node getValue() { result = getArgument(0) }
   }
+  
+  /**
+   * An aggregated promise produced either by `Promise.all`, `Promise.race` or `Promise.map`. 
+   */
+  class AggregateBluebirdPromiseDefinition extends PromiseCreationCall {
+    AggregateBluebirdPromiseDefinition() {
+      exists(string m | m = "all" or m = "race" or m = "map" | 
+        this = bluebird().getAMemberCall(m)
+      )
+    }
+
+    override DataFlow::Node getValue() {
+      result = getArgument(0).getALocalSource().(DataFlow::ArrayCreationNode).getAnElement()
+    }
+  }
+  
 }
 
 /**
diff --git a/javascript/ql/src/semmle/javascript/StandardLibrary.qll b/javascript/ql/src/semmle/javascript/StandardLibrary.qll
@@ -152,15 +152,20 @@ private class ES2015PromiseDefinition extends PromiseDefinition, DataFlow::NewNo
 }
 
 /**
- * A promise that is resolved with the given value.
+ * A promise that is created and resolved with one or more value.
  */
-abstract class ResolvedPromiseDefinition extends DataFlow::CallNode {
+abstract class PromiseCreationCall extends DataFlow::CallNode {
   /**
    * Gets the value this promise is resolved with.
    */
   abstract DataFlow::Node getValue();
 }
 
+/**
+ * A promise that is created using a `.resolve()` call. 
+ */
+abstract class ResolvedPromiseDefinition extends PromiseCreationCall {}
+
 /**
  * A resolved promise created by the standard ECMAScript 2015 `Promise.resolve` function.
  */
@@ -172,6 +177,21 @@ class ResolvedES2015PromiseDefinition extends ResolvedPromiseDefinition {
   override DataFlow::Node getValue() { result = getArgument(0) }
 }
 
+/**
+ * An aggregated promise produced either by `Promise.all` or `Promise.race`. 
+ */
+class AggregateES2015PromiseDefinition extends PromiseCreationCall {
+  AggregateES2015PromiseDefinition() {
+    exists(string m | m = "all" or m = "race" | 
+      this = DataFlow::globalVarRef("Promise").getAMemberCall(m)
+    )
+  }
+
+  override DataFlow::Node getValue() {
+    result = getArgument(0).getALocalSource().(DataFlow::ArrayCreationNode).getAnElement()
+  }
+}
+
 /**
  * A data flow edge from a promise reaction to the corresponding handler.
  */
@@ -197,7 +217,7 @@ predicate promiseTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
   pred = succ.(PromiseDefinition).getResolveParameter().getACall().getArgument(0)
   or
   // from `x` to `Promise.resolve(x)`
-  pred = succ.(ResolvedPromiseDefinition).getValue()
+  pred = succ.(PromiseCreationCall).getValue()
   or
   exists(DataFlow::MethodCallNode thn, DataFlow::FunctionNode cb |
     thn.getMethodName() = "then" and cb = thn.getCallback(0)
diff --git a/javascript/ql/test/library-tests/Promises/ResolvedPromiseDefinition.qll b/javascript/ql/test/library-tests/Promises/ResolvedPromiseDefinition.qll
@@ -1,7 +1,7 @@
 import javascript
 
 query predicate test_ResolvedPromiseDefinition(
-  ResolvedPromiseDefinition resolved, DataFlow::Node res
+  PromiseCreationCall resolved, DataFlow::Node res
 ) {
   res = resolved.getValue()
 }
diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js
@@ -88,6 +88,8 @@
 	}
 	
 	new Deferred().resolve(onlySideEffects()); // OK
+	
+	Promise.all([onlySideEffects(), onlySideEffects()])
 })();
 
 +function() {
@@ -104,4 +106,4 @@ class Bar extends Foo {
 	constructor() {
 		console.log(super()); // OK.
 	}
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`import javascript`
`2`	`2`
`3`	`3`	`query predicate test_ResolvedPromiseDefinition(`
`4`		`- ResolvedPromiseDefinition resolved, DataFlow::Node res`
	`4`	`+ PromiseCreationCall resolved, DataFlow::Node res`
`5`	`5`	`) {`
`6`	`6`	`res = resolved.getValue()`
`7`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,8 @@`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`new Deferred().resolve(onlySideEffects()); // OK`
	`91`	`+`
	`92`	`+ Promise.all([onlySideEffects(), onlySideEffects()])`
`91`	`93`	`})();`
`92`	`94`
`93`	`95`	`+function() {`
`@@ -104,4 +106,4 @@ class Bar extends Foo {`
`104`	`106`	`constructor() {`
`105`	`107`	`console.log(super()); // OK.`
`106`	`108`	`}`
`107`		`-}`
	`109`	`+}`