JavaScript: add support for NodeJS and Electron http client libraries #14
Conversation
JavaScript: Further improve handling of destructuring patterns.
There was a problem hiding this comment.
A few suggestions and comments.
This adds a lot of new classes. Have you considered which of them could be made private?
I also dislike the amount of repetition. Is there no way of merging some of these definitions or pulling out shared bits of code?
Finally, as I commented on below, you seem to use TrackedNodes (inter-procedural flow) a lot. We have so far got along with SourceNodes (intra-procedural flow). I assume this is because you have seen examples where inter-procedural flow is needed?
| /** | ||
| * A data flow node that is a Node.js HTTP or HTTPS client request. | ||
| */ | ||
| abstract class ClientRequest extends DataFlow::TrackedNode { |
There was a problem hiding this comment.
This seems to overlap with the existing class RequestExpr. What's the rationale for introducing this class, and why is it a TrackedNode? Have you seen cases where we need to track requests inter-procedurally?
There was a problem hiding this comment.
RequestExpr is used in a NodeJS server handling an incoming request, while ClientRequest is when the NodeJS or Electron libraries are used to send a request, as in the call at line 18 of javascript/ql/test/library-tests/frameworks/NodeJSLib/src/http.js
I think I added that because I saw a case where we need to track them interprocedurally - I'll go back through the projects I was testing on and see if I actually needed it.
There was a problem hiding this comment.
It looks like I added it in an attempt to handle a use of bind to create the request callback. It didn't work, so I'll remove it and see if there's a better way to handle bind.
There was a problem hiding this comment.
OK, that's not clear from the description or the name. Please consider whether there is a better name, and extend the qldoc with an example.
bind is tricky; I'd say let's ignore it for now.
| * A data flow node that is a Node.js HTTP or HTTPS client request. | ||
| */ | ||
| abstract class ClientRequest extends DataFlow::TrackedNode { | ||
| abstract DataFlow::Node getOptions(); |
| /** | ||
| * A data flow node that is the parameter of a result callback for an HTTP or HTTPS request made through Node.js. | ||
| */ | ||
| abstract class RequestCallbackParam extends DataFlow::TrackedNode, RemoteFlowSource { |
There was a problem hiding this comment.
This overlaps with RequestSource; same questions as for ClientRequest above.
| RequestCallbackData() { | ||
| exists(RequestCallbackParam rcp, DataFlow::MethodCallNode mcn, DataFlow::FunctionNode fn | | ||
| rcp.flowsTo(mcn.getReceiver()) and | ||
| mcn.getArgument(0).mayHaveStringValue("data") and |
| } | ||
|
|
||
| /** | ||
| * A data flow node that is a data callback for an HTTP or HTTPS request made through Node.js. |
There was a problem hiding this comment.
Here and elsewhere, could you please add a brief example code snippet to the qldoc to clarify what is being modelled?
| exists(DataFlow::MethodCallNode mcn | | ||
| mcn = this and | ||
| DataFlow::moduleMember("electron", "net").flowsTo(mcn.getReceiver()) and | ||
| mcn.getMethodName() = "request" |
There was a problem hiding this comment.
Does this = DataFlow::moduleMember("electron", "net").getAMemberCall("request") not do what you want?
| NewClientRequest() { | ||
| exists(DataFlow::NewNode nn | | ||
| this = nn and | ||
| DataFlow::moduleMember("electron", "ClientRequest").flowsTo(nn.getCallee()) |
There was a problem hiding this comment.
this = DataFlow::moduleMember("electron", "ClientRequest").getAnInstantiation()
There was a problem hiding this comment.
Thanks for addressing the review comments! I've got a few more comments, some of them stylistic, others about opportunities for using the SourceNode fluent API to simplify things. I didn't point out all opportunities for doing this.
Overall, I'd encourage you to make as many of these classes private as possible. If you have two very similar private classes that only exist to extend at abstract class, consider merging them for simplicity.
|
|
||
|
|
||
| /** | ||
| * A Node.js-style HTTP or HTTPS request made using `Electron.client`, e.g. `new client(url)`. |
There was a problem hiding this comment.
You use electron.net above (lower-case electron), and Electron.client here (upper-case Electron). Is that intentional?
There was a problem hiding this comment.
Here and below: we generally avoid "e.g." in favour of "for example" or similar.
| @@ -506,4 +506,270 @@ module NodeJSLib { | |||
| } | |||
| } | |||
|
|
|||
| /** | |||
| * A data flow node that is an HTTP or HTTPS client request made by a Node server, e.g. `http.request(url)` | |||
There was a problem hiding this comment.
We generally use "Node.js" instead of "Node" (although we're not as consistent about it as I'd like). Also, missing a full stop at the end.
| /** | ||
| * A data flow node that is an HTTPS client request made by a Node process, e.g. `https.request(url)`. | ||
| */ | ||
| class HttpsRequest extends ClientRequest { |
There was a problem hiding this comment.
Do we have a good use case for separating this class from HttpsRequest and exposing both of them as public API? If not, I'd prefer merging them and making them private.
| /** | ||
| * A data flow node that is the parameter of a result callback for an HTTPS request made by a Node process, e.g. `res` in `https.request(url, (res) => {})`. | ||
| */ | ||
| class HttpsRequestCallbackParam extends RequestCallbackParam { |
There was a problem hiding this comment.
Same question as for HttpsRequest above.
| class RequestCallbackData extends RemoteFlowSource { | ||
| RequestCallbackData() { | ||
| exists(RequestCallbackParam rcp, DataFlow::MethodCallNode mcn, DataFlow::FunctionNode fn | | ||
| rcp.flowsTo(mcn.getReceiver()) and |
| */ | ||
| class ClientRequestDataHandler extends DataFlow::FunctionNode { | ||
| ClientRequestDataHandler() { | ||
| exists(DataFlow::MethodCallNode mcn, ClientRequestResponseEvent cr | |
There was a problem hiding this comment.
Similar simplifications to above can be made here.
| ClientRequestLoginPassword() { | ||
| exists(ClientRequestLoginCallback callback, DataFlow::CallNode call | | ||
| callback.flowsTo(call.getCallee()) and | ||
| this = call.getArgument(1).asExpr() |
There was a problem hiding this comment.
this = callback.getACall().getArgument(1).asExpr()
| /** | ||
| * A data flow node that is an HTTP or HTTPS client request made by a Node server, e.g. `http.request(url)` | ||
| */ | ||
| abstract class ClientRequest extends DataFlow::SourceNode { |
There was a problem hiding this comment.
It's generally safer to extend DataFlow::DefaultSourceNode, which has (almost) the same extent as SourceNode, but isn't abstract.
| /** | ||
| * A data flow node that is the parameter of a result callback for an HTTP or HTTPS request made by a Node process, e.g. `res` in `http.request(url, (res) => {})`. | ||
| */ | ||
| abstract class RequestCallbackParam extends DataFlow::SourceNode, RemoteFlowSource { |
There was a problem hiding this comment.
As above, extend DefaultSourceNode instead.
| /** | ||
| * A data flow node that is the parameter of a response callback for an HTTP or HTTPS request made by a Node process, e.g. `res` in `http.request(url).on('response', (res) => {})`. | ||
| */ | ||
| class ClientRequestResponseEvent extends RemoteFlowSource, DataFlow::SourceNode { |
rdmarsh2
force-pushed
the
rdmarsh/js/electron-http-client
branch
from
19098f8 to
d966e8d
Compare
| @@ -33,4 +33,53 @@ module Electron { | |||
| this = DataFlow::moduleMember("electron", "BrowserView").getAnInstantiation() | |||
| } | |||
| } | |||
| /** | |||
There was a problem hiding this comment.
Indentation; also, please add blank line above.
|
|
||
|
|
||
| /** | ||
| * A data flow node that is the parameter of a redirect callback for an HTTP or HTTPS request made by a Node process, for example `res` in `net.request(url).on('redirect', (res) => {})`. |
| } | ||
|
|
||
| /** | ||
| * A data flow node that is an HTTPS client request made by a Node.js process, for example `https.get(url)`. |
There was a problem hiding this comment.
This has exactly the same qldoc as the previous class, apart from the code example; either merge (my preferred option) or refine.
There was a problem hiding this comment.
It's also wrong, of course, in that the qldoc talks about HTTPS, while the implementation is about HTTP.
| exists(DataFlow::MethodCallNode mcn, DataFlow::FunctionNode fn | | ||
| mcn = req and | ||
| fn.flowsTo(mcn.getArgument(1)) and | ||
| this = fn.getParameter(0) |
There was a problem hiding this comment.
this = mcn.getCallback(1).getParameter(0)
| rcp.getAMethodCall("on") = mcn and | ||
| mcn.getArgument(0).mayHaveStringValue("data") and | ||
| fn.flowsTo(mcn.getArgument(1)) and | ||
| fn.getParameter(0) = this |
There was a problem hiding this comment.
this = mcn.getCallback(1).getParameter(0)
| /** | ||
| * A data flow node that is the parameter of a response callback for an HTTP or HTTPS request made by a Node.js process, for example `res` in `http.request(url).on('response', (res) => {})`. | ||
| */ | ||
| class ClientRequestResponseEvent extends RemoteFlowSource, DataFlow::ParameterNode { |
There was a problem hiding this comment.
A few more comments about inconsistent qldoc. Also, could you add the eslint-scope attack as a test (with appropriate attribution)? With the latest extractor changes, this should now work out of the box.
| } | ||
|
|
||
| /** | ||
| * A data flow node that is an HTTP client request made by a Node.js server, for example `http.request(url)`. |
| } | ||
|
|
||
| /** | ||
| * A data flow node that is an HTTPS client request made by a Node.js process, for example `https.get(url)`. |
| */ | ||
| private class ClientRequestCallbackData extends RemoteFlowSource { | ||
| ClientRequestCallbackData() { | ||
| exists(ClientRequestCallbackParam rcp, DataFlow::MethodCallNode mcn| |
| } | ||
|
|
||
| /** | ||
| * A data flow node that is the parameter of a result callback for an HTTPS request made by a Node.js process, for example `res` in `https.request(url, (res) => {})`. |
| cr.getAMethodCall("on") = mcn and | ||
| mcn.getArgument(0).mayHaveStringValue("data") and | ||
| handler.flowsTo(mcn.getArgument(1)) and | ||
| this = handler.getParameter(0) |
There was a problem hiding this comment.
this = mcn.getCallback(1).getParameter(0)
|
I'd prefer not to check in the unmodified attack to avoid antivirus trouble on Windows. Would a modified version with the URL changed be OK? |
|
Sure, that makes sense. Hadn't thought of the antivirus angle. |
| @@ -33,4 +33,53 @@ module Electron { | |||
| this = DataFlow::moduleMember("electron", "BrowserView").getAnInstantiation() | |||
| } | |||
| } | |||
| /** | |||
| */ | ||
| private class ClientRequestCallbackData extends RemoteFlowSource { | ||
| ClientRequestCallbackData() { | ||
| exists(ClientRequestCallbackParam rcp, DataFlow::MethodCallNode mcn| |
| /** | ||
| * A data flow node that is the parameter of a response callback for an HTTP or HTTPS request made by a Node.js process, for example `res` in `http.request(url).on('response', (res) => {})`. | ||
| */ | ||
| class ClientRequestResponseEvent extends RemoteFlowSource, DataFlow::ParameterNode { |
| cr.getAMethodCall("on") = mcn and | ||
| mcn.getArgument(0).mayHaveStringValue("data") and | ||
| this = mcn.getCallback(1).getParameter(0) | ||
|
|
|
Ping @rdmarsh2, could you address the few remaining superficial issues? This is basically good to go, I think. |
rdmarsh2
force-pushed
the
rdmarsh/js/electron-http-client
branch
from
7fe5620 to
aaeda5d
Compare
|
Addressed the last few comments and squashed down to a few commits |
Extractor: fix child index values
Kotlin: Refactoring: Give diagnostic messages locations and severities
This PR adds RemoteFlowSources for both the NodeJS http/https client library and the Electron http/https client library and adds CredentialExprs for auth responses. The majority of the work is in NodeJSLib.qll; the Electron QL library simply extends the ClientRequest class from the QL NodeJS library.