JS: Introduce SharedTaintStep #3603

asgerf · 2020-06-02T15:17:04Z

Adds the SharedTaintStep class as discussed in https://github.com/github/codeql-javascript-team/issues/110.

This PR first bases it on a unit type, and then towards the end changes it to a string type. The categorization of steps is then evolved a bit more at the end.

Performance is OK.

Some previous experimental results that are not quite up-to-date with this PR or the performance PRs that landed separately in the meantime.

The unit type was slightly faster (without changes to the optimizer)
The FlowLabel.isSharedStep trick reduced tuple counts but caused a regression in real time anyway.

Some points to discuss:

Is this the right degree of categorization? I have feeling that I went slightly overboard with it.
Is it worth all the boilerplate?

erik-krogh · 2020-06-04T15:37:42Z

What was the point of the Cache in different order commit?
Because if we go back to the previous approach, then I don't think we need the heapStep(), arrayStep() etc. predicates.

asgerf · 2020-06-04T16:04:57Z

That was for performance reasons. It seemed to be faster and my theory is:

Projecting away a suffix of columns (in this case the last column) preserves the ordering of tuples, so the projection is cheaper. (In fact, it shouldn't even need to materialize the projection at all as it can be done during the join, but our optimizier materializes it anyway.)
Projecting away the first column requires a re-sorting of tuples even if the input relation was sorted.

The heapStep predicates etc are boilerplate on the implementation side, but serve a real purpose. I'd like to keep separate the predicate used to access steps from the one that must be overridden to contribute steps. If you use the same predicate for both, there is no way to ever change that predicate without breaking changes.

A concrete example of this is InvokeNode.getACallee(int imprecision). This can be overridden to augment the call graph, or called to read the call graph. If we wanted to deprecate that predicate there is no way to make it have the correct value (for callers of the predicate) while also ensuring that the data-flow library sees all call edges contributed through that predicate (without introducing spurious recursion, that is).

To support people overriding InvokeNode.getACallee(int) the flow of information goes like this:

FlowSteps::calls <--- InvokeNode.getACallee(int) <---- CallGraphs::getACallee
                                            ^--------- Overriders

But as far as I can tell, there is no way to change this without breaking either the callers or the overriders of InvokeNode.getACallee(int).

asgerf · 2021-03-15T14:04:11Z

Superseded by the backlinked PR above.

asgerf added 30 commits June 1, 2020 08:56

JS: Add SharedTaintStep

6f19b00

JS: HeapTaintStep

2fc5ded

JS: DictionaryTaintStep

e9dcf16

JS: ReactPropStep

a1b05d8

JS: StringConcatStep

a2cfe9f

JS: StringManipulationStep

c6b1b14

JS: StringFormattingStep

3c2a66b

JS: StringMatchTaintStep

ff6bb41

JS: JsonStringifyTaintStep

225d046

JS: JsonParserTaintStep

2c7338e

JS: SortTaintStep

571682b

JS: ErrorConstructorTaintStep

14f0e3f

JS: UtilInspectTaintStep

be5f573

JS: ArrayFunctionTaintStep

014007b

JS: PathFlowStep

d7388db

JS: FsFlowStep

f3009e7

JS: BufferTaintStep

e9c74a6

JS: Vue::InstanceHeapStep

98172d8

JS: PropertyProjectionTest

117d6fc

JS: Fix regexp tracking

2d22ef4

JS: Fix TaintedPath

aedc7a5

JS: Typeahead

e710070

JS: Remove a column from UriLibraryStep test case

b4ed48c

JS: UriLibraryStep

cdabed2

JS: AsyncPackage

ab9f27c

JS: ComposedFunctions

05f61e8

JS: ClosureLibrary

8114403

JS: Extend

e4b5d01

JS: Base64

5f9a2b1

JS: Move VHtmlSourceWrite step into Vue library (as its a shared step)

7ced399

asgerf added 22 commits June 1, 2020 08:56

JS: Fixup comment in heuristics

9a8aaec

JS: Use sharedTaintStep

5056915

JS: Fix bad join order in Vue model

385958b

JS: Fix bad join order from use of getAType() = TTRegExp

d7915f0

JS: Fix join orders and use SourceNode API in React model

d15752e

JS: Refactor steps into subcategories

cb8f124

JS: Add category for promise steps

d6ba794

JS: Remove duplicate await step

036fa42

JS: Add arrayStep but ignore overlap with heapStep for now

02ce0a2

JS: Move React steps into React library

e448ce9

JS: Cache taint steps in same stage

153ea67

JS: Fix promiseStep documentation

823d632

JS: Autoformat

10f0a80

JS: Switch to string base type

08cafa6

JS: Cache in different order

d5e6a64

JS: Fix typo

0418a5e

JS: Autoformat

86b301e

JS: Fix qldoc for step classes

e929590

JS: Reclassify some generic steps

b57521e

fixup! typo in qldoc for SerializeStep

7b32c3d

JS: Add EncodingStep and DecodingStep

0b27698

JS: Add FilePathStep

ffab601

asgerf added the JS label Jun 2, 2020

asgerf mentioned this pull request Jun 8, 2020

JS: Add PreCallGraphStep and use some array steps in type tracking #3641

Merged

2 tasks

adityasharad changed the base branch from master to main August 14, 2020 18:34

asgerf mentioned this pull request Mar 15, 2021

JS: Add SharedTaintStep (again) #5396

Merged

asgerf closed this Mar 15, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

JS: Introduce SharedTaintStep #3603

JS: Introduce SharedTaintStep #3603

Uh oh!

asgerf commented Jun 2, 2020

Uh oh!

erik-krogh commented Jun 4, 2020

Uh oh!

asgerf commented Jun 4, 2020

Uh oh!

asgerf commented Mar 15, 2021

Uh oh!

Uh oh!

JS: Introduce SharedTaintStep #3603

JS: Introduce SharedTaintStep #3603

Uh oh!

Conversation

asgerf commented Jun 2, 2020

Uh oh!

erik-krogh commented Jun 4, 2020

Uh oh!

asgerf commented Jun 4, 2020

Uh oh!

asgerf commented Mar 15, 2021

Uh oh!

Uh oh!