add promise aggregators

erik-krogh · erik-krogh · commit 5a6958a1cd5e · 2019-11-17T11:22:29.000+01:00
diff --git a/javascript/ql/src/Statements/UseOfReturnlessFunction.ql b/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
@@ -67,7 +67,7 @@ predicate benignContext(Expr e) {
   any(InvokeExpr invoke).getCallee() = e
   or
   // arguments to Promise.resolve (and promise library variants) are benign. 
-  e = any(ResolvedPromiseDefinition promise).getValue().asExpr()
+  e = any(PromiseCreationCall promise).getValue().asExpr()
 }
 
 predicate oneshotClosure(InvokeExpr call) {
@@ -191,7 +191,7 @@ module Deferred {
   /**
    * A resolved promise created by a `new Deferred().resolve()` call.
    */
-  class ResolvedDeferredPromiseDefinition extends ResolvedPromiseDefinition {
+  class ResolvedDeferredPromiseDefinition extends PromiseCreationCall {
     ResolvedDeferredPromiseDefinition() {
       this = any(DeferredPromiseDefinition def).ref().getAMethodCall("resolve")
     }
diff --git a/javascript/ql/src/semmle/javascript/Promises.qll b/javascript/ql/src/semmle/javascript/Promises.qll
@@ -25,11 +25,27 @@ module Bluebird {
   /**
    * A resolved promise created by the bluebird `Promise.resolve` function.
    */
-  class ResolvedBluebidPromiseDefinition extends ResolvedPromiseDefinition {
+  class ResolvedBluebidPromiseDefinition extends PromiseCreationCall {
     ResolvedBluebidPromiseDefinition() { this = bluebird().getAMemberCall("resolve") }
 
     override DataFlow::Node getValue() { result = getArgument(0) }
   }
+  
+  /**
+   * An aggregated promise produced either by `Primise.all`, `Promise.race` or `Promise.map`. 
+   */
+  class AggregateBluebirdPromiseDefinition extends PromiseCreationCall {
+    AggregateBluebirdPromiseDefinition() {
+      exists(string m | m = "all" or m = "race" or m = "map" | 
+        this = bluebird().getAMemberCall(m)
+      )
+    }
+
+    override DataFlow::Node getValue() {
+      result = getArgument(0).getALocalSource().(DataFlow::ArrayCreationNode).getAnElement()
+    }
+  }
+  
 }
 
 /**
@@ -59,7 +75,7 @@ private module ClosurePromise {
   /**
    * A promise created by a call `goog.Promise.resolve(value)`.
    */
-  private class ResolvedClosurePromiseDefinition extends ResolvedPromiseDefinition {
+  private class ResolvedClosurePromiseDefinition extends PromiseCreationCall {
     ResolvedClosurePromiseDefinition() {
       this = Closure::moduleImport("goog.Promise.resolve").getACall()
     }
diff --git a/javascript/ql/src/semmle/javascript/StandardLibrary.qll b/javascript/ql/src/semmle/javascript/StandardLibrary.qll
@@ -154,7 +154,7 @@ private class ES2015PromiseDefinition extends PromiseDefinition, DataFlow::NewNo
 /**
  * A promise that is resolved with the given value.
  */
-abstract class ResolvedPromiseDefinition extends DataFlow::CallNode {
+abstract class PromiseCreationCall extends DataFlow::CallNode {
   /**
    * Gets the value this promise is resolved with.
    */
@@ -164,14 +164,29 @@ abstract class ResolvedPromiseDefinition extends DataFlow::CallNode {
 /**
  * A resolved promise created by the standard ECMAScript 2015 `Promise.resolve` function.
  */
-class ResolvedES2015PromiseDefinition extends ResolvedPromiseDefinition {
+class ResolvedES2015PromiseDefinition extends PromiseCreationCall {
   ResolvedES2015PromiseDefinition() {
     this = DataFlow::globalVarRef("Promise").getAMemberCall("resolve")
   }
 
   override DataFlow::Node getValue() { result = getArgument(0) }
 }
 
+/**
+ * An aggregated promise produced either by `Primise.all` or `Promise.race`. 
+ */
+class AggregateES2015PromiseDefinition extends PromiseCreationCall {
+  AggregateES2015PromiseDefinition() {
+    exists(string m | m = "all" or m = "race" | 
+      this = DataFlow::globalVarRef("Promise").getAMemberCall(m)
+    )
+  }
+
+  override DataFlow::Node getValue() {
+    result = getArgument(0).getALocalSource().(DataFlow::ArrayCreationNode).getAnElement()
+  }
+}
+
 /**
  * A data flow edge from a promise reaction to the corresponding handler.
  */
@@ -197,7 +212,7 @@ predicate promiseTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
   pred = succ.(PromiseDefinition).getResolveParameter().getACall().getArgument(0)
   or
   // from `x` to `Promise.resolve(x)`
-  pred = succ.(ResolvedPromiseDefinition).getValue()
+  pred = succ.(PromiseCreationCall).getValue()
   or
   exists(DataFlow::MethodCallNode thn, DataFlow::FunctionNode cb |
     thn.getMethodName() = "then" and cb = thn.getCallback(0)
diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js
@@ -88,4 +88,6 @@
 	}
 	
 	new Deferred().resolve(onlySideEffects()); // OK
+	
+	Promise.all([onlySideEffects(), onlySideEffects()])
 })();

Original file line number	Diff line number	Diff line change
`@@ -88,4 +88,6 @@`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`new Deferred().resolve(onlySideEffects()); // OK`
	`91`	`+`
	`92`	`+ Promise.all([onlySideEffects(), onlySideEffects()])`
`91`	`93`	`})();`