JS: Adapt to changes in FlowSummaryImpl

Author: hvitved

javascript/ql/lib/semmle/javascript/dataflow/FlowSummary.qll

@@ -8,78 +8,94 @@ private import semmle.javascript.dataflow.internal.FlowSummaryPrivate
 private import semmle.javascript.dataflow.internal.sharedlib.DataFlowImplCommon as DataFlowImplCommon
 private import semmle.javascript.dataflow.internal.DataFlowPrivate
 
-/**
- * A model for a function that can propagate data flow.
- *
- * This class makes it possible to model flow through functions, using the same mechanism as
- * `summaryModel` as described in the [library customization docs](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript).
- *
- * Extend this class to define summary models directly in CodeQL.
- * Data extensions and `summaryModel` are usually preferred; but there are a few cases where direct use of this class may be needed:
- *
- * - The relevant call sites cannot be matched by the access path syntax, and require the full power of CodeQL.
- *   For example, complex overloading patterns might require more local reasoning at the call site.
- * - The input/output behavior cannot be described statically in the access path syntax, but the relevant access paths
- *   can be generated dynamically in CodeQL, based on the usages found in the codebase.
- *
- * Subclasses should bind `this` to a unique identifier for the function being modeled. There is no special
- * interpreation of the `this` value, it should just not clash with the `this`-value used by other classes.
- *
- * For example, this models flow through calls such as `require("my-library").myFunction()`:
- * ```codeql
- * class MyFunction extends SummarizedCallable {
- *   MyFunction() { this = "MyFunction" }
- *
- *   override predicate propagatesFlow(string input, string output, boolean preservesValues) {
- *     input = "Argument[0]" and
- *     output = "ReturnValue" and
- *     preservesValue = false
- *   }
- *
- *   override DataFlow::InvokeNode getACall() {
- *     result = API::moduleImport("my-library").getMember("myFunction").getACall()
- *   }
- * }
- * ```
- * This would be equivalent to the following model written as a data extension:
- * ```yaml
- * extensions:
- *  - addsTo:
- *      pack: codeql/javascript-all
- *      extensible: summaryModel
- *    data:
- *      - ["my-library", "Member[myFunction]", "Argument[0]", "ReturnValue", "taint"]
- * ```
- */
-abstract class SummarizedCallable extends LibraryCallable, Impl::Public::SummarizedCallable {
-  bindingset[this]
-  SummarizedCallable() { any() }
+class Provenance = Impl::Public::Provenance;
 
+/** Provides the `Range` class used to define the extent of `SummarizedCallable`. */
+module SummarizedCallable {
   /**
-   * Holds if data may flow from `input` to `output` through this callable.
+   * A model for a function that can propagate data flow.
    *
-   * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
+   * This class makes it possible to model flow through functions, using the same mechanism as
+   * `summaryModel` as described in the [library customization docs](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript).
    *
-   * See the [library customization docs](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript) for
-   * the syntax of the `input` and `output` parameters.
+   * Extend this class to define summary models directly in CodeQL.
+   * Data extensions and `summaryModel` are usually preferred; but there are a few cases where direct use of this class may be needed:
+   *
+   * - The relevant call sites cannot be matched by the access path syntax, and require the full power of CodeQL.
+   *   For example, complex overloading patterns might require more local reasoning at the call site.
+   * - The input/output behavior cannot be described statically in the access path syntax, but the relevant access paths
+   *   can be generated dynamically in CodeQL, based on the usages found in the codebase.
+   *
+   * Subclasses should bind `this` to a unique identifier for the function being modeled. There is no special
+   * interpreation of the `this` value, it should just not clash with the `this`-value used by other classes.
+   *
+   * For example, this models flow through calls such as `require("my-library").myFunction()`:
+   * ```codeql
+   * class MyFunction extends SummarizedCallable::Range {
+   *   MyFunction() { this = "MyFunction" }
+   *
+   *   override predicate propagatesFlow(string input, string output, boolean preservesValues) {
+   *     input = "Argument[0]" and
+   *     output = "ReturnValue" and
+   *     preservesValue = false
+   *   }
+   *
+   *   override DataFlow::InvokeNode getACall() {
+   *     result = API::moduleImport("my-library").getMember("myFunction").getACall()
+   *   }
+   * }
+   * ```
+   * This would be equivalent to the following model written as a data extension:
+   * ```yaml
+   * extensions:
+   *  - addsTo:
+   *      pack: codeql/javascript-all
+   *      extensible: summaryModel
+   *    data:
+   *      - ["my-library", "Member[myFunction]", "Argument[0]", "ReturnValue", "taint"]
+   * ```
    */
-  pragma[nomagic]
-  predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }
+  abstract class Range extends LibraryCallable, Impl::Public::SummarizedCallable {
+    bindingset[this]
+    Range() { any() }
 
-  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
-  ) {
-    this.propagatesFlow(input, output, preservesValue) and model = this
-  }
+    /**
+     * Holds if data may flow from `input` to `output` through this callable.
+     *
+     * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
+     *
+     * See the [library customization docs](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript) for
+     * the syntax of the `input` and `output` parameters.
+     */
+    pragma[nomagic]
+    predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }
 
-  /**
-   * Gets the synthesized parameter that results from an input specification
-   * that starts with `Argument[s]` for this library callable.
-   */
-  DataFlow::ParameterNode getParameter(string s) {
-    exists(ParameterPosition pos |
-      DataFlowImplCommon::parameterNode(result, MkLibraryCallable(this), pos) and
-      s = encodeParameterPosition(pos)
-    )
+    override predicate propagatesFlow(
+      string input, string output, boolean preservesValue, Provenance provenance, boolean isExact,
+      string model
+    ) {
+      this.propagatesFlow(input, output, preservesValue) and
+      provenance = "manual" and
+      model = this and
+      isExact = true
+    }
+
+    /**
+     * Gets the synthesized parameter that results from an input specification
+     * that starts with `Argument[s]` for this library callable.
+     */
+    DataFlow::ParameterNode getParameter(string s) {
+      exists(ParameterPosition pos |
+        DataFlowImplCommon::parameterNode(result, MkLibraryCallable(this), pos) and
+        s = encodeParameterPosition(pos)
+      )
+    }
   }
 }
+
+final private class SummarizedCallableFinal = SummarizedCallable::Range;
+
+/** A model for a function that can propagate data flow. */
+final class SummarizedCallable extends SummarizedCallableFinal,
+  Impl::Public::RelevantSummarizedCallable
+{ }

javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/DataFlowArg.qll

@@ -28,6 +28,9 @@ module JSFlowSummary implements FlowSummaryImpl::InputSig<Location, JSDataFlow>
   private import semmle.javascript.dataflow.internal.FlowSummaryPrivate as FlowSummaryPrivate
   import FlowSummaryPrivate
 
+  overlay[local]
+  predicate callableFromSource(SummarizedCallableBase c) { none() }
+
   // Explicitly implement signature members that have a default
   predicate callbackSelfParameterPosition = FlowSummaryPrivate::callbackSelfParameterPosition/0;
 

javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/SummaryTypeTracker.qll

@@ -69,7 +69,7 @@ private module SummaryFlowConfig implements Input {
     predicate propagatesFlow(
       SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
     ) {
-      super.propagatesFlow(input, output, preservesValue, _)
+      super.propagatesFlow(input, output, preservesValue, _, _, _)
     }
 
     string toString() { result = super.toString() }

javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll

@@ -173,7 +173,7 @@ module AsyncPackage {
   }
 
   overlay[local?]
-  private class IterationCallFlowSummary extends DataFlow::SummarizedCallable {
+  private class IterationCallFlowSummary extends DataFlow::SummarizedCallable::Range {
     private int callbackArgIndex;
 
     IterationCallFlowSummary() {
@@ -221,7 +221,7 @@ module AsyncPackage {
    * For example: `data -> result` in `async.sortBy(data, orderingFn, (err, result) => {})`.
    */
   overlay[local?]
-  private class IterationPreserveTaintStepFlowSummary extends DataFlow::SummarizedCallable {
+  private class IterationPreserveTaintStepFlowSummary extends DataFlow::SummarizedCallable::Range {
     IterationPreserveTaintStepFlowSummary() { this = "async.sortBy" }
 
     override DataFlow::InvokeNode getACallSimple() {

javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll

@@ -186,7 +186,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class LodashEach extends DataFlow::SummarizedCallable {
+  private class LodashEach extends DataFlow::SummarizedCallable::Range {
     LodashEach() { this = "_.each-like" }
 
     overlay[global]
@@ -202,7 +202,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class LodashMap extends DataFlow::SummarizedCallable {
+  private class LodashMap extends DataFlow::SummarizedCallable::Range {
     LodashMap() { this = "_.map" }
 
     overlay[global]
@@ -221,7 +221,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class LodashFlatMap extends DataFlow::SummarizedCallable {
+  private class LodashFlatMap extends DataFlow::SummarizedCallable::Range {
     LodashFlatMap() { this = "_.flatMap" }
 
     overlay[global]
@@ -243,7 +243,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class LodashFlatMapDeep extends DataFlow::SummarizedCallable {
+  private class LodashFlatMapDeep extends DataFlow::SummarizedCallable::Range {
     LodashFlatMapDeep() { this = "_.flatMapDeep" }
 
     overlay[global]
@@ -267,7 +267,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class LodashReduce extends DataFlow::SummarizedCallable {
+  private class LodashReduce extends DataFlow::SummarizedCallable::Range {
     LodashReduce() { this = "_.reduce-like" }
 
     overlay[global]
@@ -286,7 +286,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class LoashSortBy extends DataFlow::SummarizedCallable {
+  private class LoashSortBy extends DataFlow::SummarizedCallable::Range {
     LoashSortBy() { this = "_.sortBy-like" }
 
     overlay[global]
@@ -304,7 +304,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class LodashMinMaxBy extends DataFlow::SummarizedCallable {
+  private class LodashMinMaxBy extends DataFlow::SummarizedCallable::Range {
     LodashMinMaxBy() { this = "_.minBy / _.maxBy" }
 
     overlay[global]
@@ -318,7 +318,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class LodashPartition extends DataFlow::SummarizedCallable {
+  private class LodashPartition extends DataFlow::SummarizedCallable::Range {
     LodashPartition() { this = "_.partition" }
 
     overlay[global]
@@ -332,7 +332,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class UnderscoreMapObject extends DataFlow::SummarizedCallable {
+  private class UnderscoreMapObject extends DataFlow::SummarizedCallable::Range {
     UnderscoreMapObject() { this = "_.mapObject" }
 
     overlay[global]
@@ -353,7 +353,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class LodashTap extends DataFlow::SummarizedCallable {
+  private class LodashTap extends DataFlow::SummarizedCallable::Range {
     LodashTap() { this = "_.tap" }
 
     overlay[global]
@@ -367,7 +367,7 @@ module LodashUnderscore {
   }
 
   overlay[local?]
-  private class LodashGroupBy extends DataFlow::SummarizedCallable {
+  private class LodashGroupBy extends DataFlow::SummarizedCallable::Range {
     LodashGroupBy() { this = "_.groupBy" }
 
     override DataFlow::CallNode getACall() { result = member("groupBy").getACall() }

javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll

@@ -423,7 +423,7 @@ private module ClosureLibraryUri {
 }
 
 overlay[local?]
-private class QueryStringStringification extends DataFlow::SummarizedCallable {
+private class QueryStringStringification extends DataFlow::SummarizedCallable::Range {
   QueryStringStringification() { this = "query-string stringification" }
 
   overlay[global]

javascript/ql/lib/semmle/javascript/frameworks/data/ModelsAsData.qll

@@ -49,7 +49,7 @@ private class ThreatModelSourceFromDataExtension extends ThreatModelSource::Rang
 }
 
 overlay[local?]
-private class SummarizedCallableFromModel extends DataFlow::SummarizedCallable {
+private class SummarizedCallableFromModel extends DataFlow::SummarizedCallable::Range {
   string type;
   string path;
 
@@ -62,9 +62,14 @@ private class SummarizedCallableFromModel extends DataFlow::SummarizedCallable {
   override DataFlow::InvokeNode getACall() { ModelOutput::resolvedSummaryBase(type, path, result) }
 
   override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, DataFlow::Provenance provenance,
+    boolean isExact, string model
   ) {
-    exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind, model) |
+    exists(string kind |
+      ModelOutput::relevantSummaryModel(type, path, input, output, kind, model) and
+      provenance = "manual" and
+      isExact = true
+    |
       kind = "value" and
       preservesValue = true
       or