JS: Implement a call-sensitive data-flow analysis for .apply() call arguments

Author: yuske

javascript/ql/lib/semmle/javascript/Arrays.qll

@@ -404,20 +404,4 @@ private module ArrayLibraries {
       )
     }
   }
-
-  /**
-   * A step modelling that a call of `.apply()` function with passing an array of arguments via 2nd parameter.
-   */
-  private class ApplyCallStep extends DataFlow::SharedFlowStep {
-    override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
-      exists(DataFlow::MethodCallNode call, DataFlow::FunctionNode func, int i |
-        call.getMethodName() = "apply" and
-        call.getReceiver().getABoundFunctionValue(_) = func and
-        prop = arrayElement(i) and
-        not prop = arrayElement() and
-        pred = call.getArgument(1) and
-        succ = func.getParameter(i)
-      )
-    }
-  }
 }

javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll

@@ -1161,14 +1161,46 @@ module DataFlow {
       override NewExpr astNode;
     }
 
+    /**
+     * A data flow node representing arguments of the `.apply` function call 
+     * to emulate a separate argument for each parameter of a reflective function call.
+     */
+    private class ApplyArgumentNode extends DataFlow::Node {
+      ExplicitMethodCallNode call;
+      Node arrayArgument;
+      int index;
+
+      ApplyArgumentNode() {
+        this = TApplyArgumentNode(
+          call.asExpr(), 
+          call.getReceiver().getABoundFunctionValue(_).getFunction(), 
+          index) and
+        arrayArgument = call.getArgument(1)
+      }
+
+      /** 
+       * Gets an explicit call of the `.apply` function call 
+       * that takes an argument represented by this data flow node. 
+       * */
+      ExplicitMethodCallNode getCall() { result = call }
+
+      /** Gets an argument index represented by this data flow node. */
+      int getIndex() { result = index }
+
+      override string toString() { result = arrayArgument.toString() + "[" + index.toString() + "]" }
+      
+      override predicate hasLocationInfo(
+        string filepath, int startline, int startcolumn, int endline, int endcolumn
+      ) {
+        arrayArgument.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+      }
+    }
+
     /**
      * A data flow node representing a reflective function call.
      */
-    private class ReflectiveCallNodeDef extends CallNodeDef {
+    private abstract class ReflectiveCallNodeDef extends CallNodeDef {
       ExplicitMethodCallNode originalCall;
-      string kind;
-
-      ReflectiveCallNodeDef() { this = TReflectiveCallNode(originalCall.asExpr(), kind) }
 
       override InvokeExpr getInvokeExpr() { result = originalCall.getInvokeExpr() }
 
@@ -1179,25 +1211,65 @@ module DataFlow {
       override DataFlow::Node getCalleeNode() { result = originalCall.getReceiver() }
 
       override DataFlow::Node getReceiver() { result = originalCall.getArgument(0) }
+    }
+
+    /**
+     * A data flow node representing a `.call` reflective function call.
+     */
+    private class CallReflectiveCallNodeDef extends ReflectiveCallNodeDef {
+      CallReflectiveCallNodeDef() { this = TReflectiveCallNode(originalCall.asExpr(), "call") }
 
       override DataFlow::Node getArgument(int i) {
-        i >= 0 and kind = "call" and result = originalCall.getArgument(i + 1)
+        i >= 0 and result = originalCall.getArgument(i + 1)
       }
 
       override DataFlow::Node getAnArgument() {
-        kind = "call" and result = originalCall.getAnArgument() and result != getReceiver()
+        result = originalCall.getAnArgument() and 
+        result != getReceiver()
       }
 
       override DataFlow::Node getASpreadArgument() {
-        kind = "apply" and
-        result = originalCall.getArgument(1)
-        or
-        kind = "call" and
         result = originalCall.getASpreadArgument()
       }
 
       override int getNumArgument() {
-        result >= 0 and kind = "call" and result = originalCall.getNumArgument() - 1
+        result >= 0 and result = originalCall.getNumArgument() - 1
+      }
+    }
+
+    /**
+     * A data flow node representing a `.apply` reflective function call.
+     */
+    class ApplyReflectiveCallNodeDef extends ReflectiveCallNodeDef {
+      ApplyReflectiveCallNodeDef() { this = TReflectiveCallNode(originalCall.asExpr(), "apply") }
+
+      ApplyArgumentNode getApplyArgument(int i) {
+        result.getCall() = originalCall and 
+        result.getIndex() = i
+      }
+
+      override DataFlow::Node getArgument(int i) { none() }
+
+      override DataFlow::Node getAnArgument() { none() }
+
+      override DataFlow::Node getASpreadArgument() {
+        result = originalCall.getArgument(1)
+      }
+
+      override int getNumArgument() { none() }
+    }
+
+    /**
+     * A step modelling that a call of `.apply()` function with passing an array of arguments via 2nd parameter.
+     */
+    private class ApplyCallStep extends PreCallGraphStep {
+      override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+        exists(ApplyReflectiveCallNodeDef call, int i |
+          prop = DataFlow::PseudoProperties::arrayElement(i) and
+          not prop = DataFlow::PseudoProperties::arrayElement() and
+          pred = call.getASpreadArgument().getALocalSource() and
+          succ = call.getApplyArgument(i)
+        )
       }
     }
   }

javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowNode.qll

@@ -31,4 +31,7 @@ newtype TNode =
   TExceptionalFunctionReturnNode(Function f) or
   TExceptionalInvocationReturnNode(InvokeExpr e) or
   TGlobalAccessPathRoot() or
-  TTemplatePlaceholderTag(Templating::TemplatePlaceholderTag tag)
+  TTemplatePlaceholderTag(Templating::TemplatePlaceholderTag tag) or
+  TApplyArgumentNode(MethodCallExpr ce, Function func, int i) {
+    exists(func.getParameter(i))
+  }

javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSteps.qll

@@ -204,7 +204,7 @@ private module CachedSteps {
   ) {
     calls(invk, f) and
     (
-      exists(int i | arg = invk.(DataFlow::InvokeNode).getArgument(i) |
+      exists(int i | arg = invk.(DataFlow::InvokeNode).getArgument(i) or arg = invk.(DataFlow::Impl::ApplyReflectiveCallNodeDef).getApplyArgument(i) |
         exists(Parameter p |
           f.getParameter(i) = p and
           not p.isRestParameter() and

javascript/ql/test/library-tests/InterProceduralFlow/call-apply.js

@@ -6,10 +6,15 @@ function foo2(arg1, arg2) {
   return arg2;
 }
 
-function foo11(arr) {
+function foo1_apply(arr) {
   return foo1.apply(this, arr);
 }
 
+function foo1_call(arr) {
+  return foo1.call(this, arr[0], arr[1]);
+}
+
+
 var source = "source";
 
 var sink0 = foo1.call(null, source, "");     // OK
@@ -18,5 +23,8 @@ var sink1 = foo2.call(null, source, "");     // NOT OK
 var sink2 = foo1.apply(null, [source, ""]);  // OK
 var sink3 = foo2.apply(null, [source, ""]);  // NOT OK
 
-var sink4 = foo11([source, ""]);  // OK
-var sink5 = foo11(["", source]);  // NOT OK
+var sink4 = foo1_apply([source, ""]);  // OK
+var sink5 = foo1_apply(["", source]);  // NOT OK
+
+var sink6 = foo1_call([source, ""]);  // OK
+var sink7 = foo1_call(["", source]);  // NOT OK

javascript/ql/test/library-tests/InterProceduralFlow/tests.expected

@@ -11,7 +11,10 @@ dataFlow
 | async.js:79:16:79:23 | "source" | async.js:80:14:80:36 | (await  ... ce))).p |
 | async.js:79:16:79:23 | "source" | async.js:92:15:92:30 | await (getP(o3)) |
 | async.js:96:18:96:25 | "source" | async.js:101:15:101:27 | await readP() |
-| call-apply.js:13:14:13:21 | "source" | call-apply.js:15:13:15:39 | foo1.ca ... ce, "") |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:20:13:20:39 | foo1.ca ... ce, "") |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:23:13:23:42 | foo1.ap ... e, ""]) |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:26:13:26:36 | foo1_ap ... e, ""]) |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:29:13:29:35 | foo1_ca ... e, ""]) |
 | callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
 | callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
 | callback.js:27:15:27:23 | "source3" | callback.js:13:14:13:14 | x |
@@ -94,7 +97,11 @@ taintTracking
 | async.js:79:16:79:23 | "source" | async.js:80:14:80:36 | (await  ... ce))).p |
 | async.js:79:16:79:23 | "source" | async.js:92:15:92:30 | await (getP(o3)) |
 | async.js:96:18:96:25 | "source" | async.js:101:15:101:27 | await readP() |
-| call-apply.js:13:14:13:21 | "source" | call-apply.js:15:13:15:39 | foo1.ca ... ce, "") |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:20:13:20:39 | foo1.ca ... ce, "") |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:23:13:23:42 | foo1.ap ... e, ""]) |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:26:13:26:36 | foo1_ap ... e, ""]) |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:29:13:29:35 | foo1_ca ... e, ""]) |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:30:13:30:35 | foo1_ca ... ource]) |
 | callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
 | callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
 | callback.js:27:15:27:23 | "source3" | callback.js:13:14:13:14 | x |
@@ -200,7 +207,10 @@ germanFlow
 | async.js:79:16:79:23 | "source" | async.js:80:14:80:36 | (await  ... ce))).p |
 | async.js:79:16:79:23 | "source" | async.js:92:15:92:30 | await (getP(o3)) |
 | async.js:96:18:96:25 | "source" | async.js:101:15:101:27 | await readP() |
-| call-apply.js:13:14:13:21 | "source" | call-apply.js:15:13:15:39 | foo1.ca ... ce, "") |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:20:13:20:39 | foo1.ca ... ce, "") |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:23:13:23:42 | foo1.ap ... e, ""]) |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:26:13:26:36 | foo1_ap ... e, ""]) |
+| call-apply.js:18:14:18:21 | "source" | call-apply.js:29:13:29:35 | foo1_ca ... e, ""]) |
 | callback.js:16:14:16:21 | "source" | callback.js:13:14:13:14 | x |
 | callback.js:17:15:17:23 | "source2" | callback.js:13:14:13:14 | x |
 | callback.js:27:15:27:23 | "source3" | callback.js:13:14:13:14 | x |