Skip to content

JS: Add backwards-compatible predicates to SocketIO #3262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Apr 21, 2020
Merged

JS: Add backwards-compatible predicates to SocketIO #3262

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
6668a7a
JS: Add backwards-compatible predicates to SocketIO
asgerf Apr 14, 2020
6792599
JS: Address review comments
asgerf Apr 15, 2020
d497890
JS: Use SendCallback/ReceiveCallback in getAck
asgerf Apr 20, 2020
4fc79e3
JS: Also fix typo in test case
asgerf Apr 20, 2020
997b449
JS: Autoformat
asgerf Apr 21, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 49 additions & 2 deletions javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,11 @@ module SocketIO {
}

override DataFlow::SourceNode ref() { result = server(DataFlow::TypeTracker::end()) }

/**
* DEPRECATED. Always returns `this` as a `ServerObject` now represents the origin of a server.
*/
deprecated DataFlow::SourceNode getOrigin() { result = this }
}

/** A data flow node that may produce (that is, create or return) a socket.io server. */
Expand Down Expand Up @@ -270,6 +275,18 @@ module SocketIO {
}

override string getChannel() { this.getArgument(0).mayHaveStringValue(result) }

/** Gets a parameter through which data is received from a client. */
DataFlow::SourceNode getAReceivedItem() { result = getReceivedItem(_) }

/** Gets a client-side node that may be sending the data received here. */
SendNode getASender() { result.getAReceiver() = this }

/** Gets the acknowledgment callback, if any. */
ReceiveCallback getAck() { result.getReceiveNode() = this }

/** DEPRECATED. Use `getChannel()` instead. */
deprecated string getEventName() { result = getChannel() }
}

/** An acknowledgment callback when receiving a message. */
Expand All @@ -289,6 +306,9 @@ module SocketIO {
override SocketIOClient::SendCallback getAReceiver() {
result.getSendNode().getAReceiver() = rcv
}

/** Gets the API call to which this is a callback. */
ReceiveNode getReceiveNode() { result = rcv }
}

/**
Expand Down Expand Up @@ -350,6 +370,12 @@ module SocketIO {
override SocketIOClient::ReceiveNode getAReceiver() {
result.getSocket().getATargetNamespace() = getNamespace()
}

/** Gets the acknowledgment callback, if any. */
SendCallback getAck() { result.getSendNode() = this }

/** DEPRECATED. Use `getChannel()` instead. */
deprecated string getEventName() { result = getChannel() }
}

/** A socket.io namespace, identified by its server and its path. */
Expand Down Expand Up @@ -538,14 +564,26 @@ module SocketIOClient {
result != cb.getLastParameter() or not exists(result.getAnInvocation())
)
}

/** Gets a data flow node representing data received from the server. */
DataFlow::SourceNode getAReceivedItem() { result = getReceivedItem(_) }

/** Gets the acknowledgment callback, if any. */
DataFlow::SourceNode getAck() { result.(ReceiveCallback).getReceiveNode() = this }

/** Gets a server-side node that may be sending the data received here. */
SocketIO::SendNode getASender() {
result.getNamespace() = getSocket().getATargetNamespace() and
not result.getChannel() != getChannel()
}
}

/** An acknowledgment callback from a receive node. */
class RecieveCallback extends EventDispatch::Range, DataFlow::SourceNode {
class ReceiveCallback extends EventDispatch::Range, DataFlow::SourceNode {
override SocketObject emitter;
ReceiveNode rcv;

RecieveCallback() {
ReceiveCallback() {
this = rcv.getListener().getLastParameter() and
exists(this.getAnInvocation()) and
emitter = rcv.getEmitter()
Expand Down Expand Up @@ -607,10 +645,19 @@ module SocketIOClient {
)
}

/** Gets a data flow node representing data sent to the client. */
DataFlow::Node getASentItem() { result = getSentItem(_) }

/** Gets a server-side node that may be receiving the data sent here. */
override SocketIO::ReceiveNode getAReceiver() {
result.getSocket().getNamespace() = getSocket().getATargetNamespace()
}

/** Gets the acknowledgment callback, if any. */
DataFlow::FunctionNode getAck() { result.(SendCallback).getSendNode() = this }

/** DEPRECATED. Use `getChannel()` instead. */
deprecated string getEventName() { result = getChannel() }
}

/**
Expand Down
2 changes: 1 addition & 1 deletion javascript/ql/test/library-tests/frameworks/SocketIO/ClientReceiveNode_getAck.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import javascript

query predicate test_ClientReceiveNode_getAck(
SocketIOClient::ReceiveNode rn, SocketIOClient::RecieveCallback res
SocketIOClient::ReceiveNode rn, SocketIOClient::ReceiveCallback res
) {
res.getReceiveNode() = rn
}