Tracing data flow through Javascript class properties #177
-
| I have the following example I am having trouble tracing the data flow through. I can trace  | 
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 3 replies
-
| I created this predicate to try and solve the problem. Not sure if it is precise enough.  | 
Beta Was this translation helpful? Give feedback.
-
| 
 I think it is fine for a quick-n-dirty query, but it is not something you want to have enabled by default, as it can result in a lot of spurious flow. A few questions: 
 You can check with something like: from DataFlow::ThisNode dis, DataFlow::CallNode call
where dis.getAPropertyRead("service").getAMethodCall("handle") = call
select call, call.getACallee()
 I think that is a bit too indirect for us to reason about, but I do see the value in supporting such a pattern OOTB. 
 | 
Beta Was this translation helpful? Give feedback.
-
| @jason-invision I think I recognize this problem, and you might be running into a limitation in how we track flow through getters. We're working on a general fix to this, but in the meantime you can try include this snippet in your query to patch up the call graph: private predicate accessorCall(DataFlow::PropRead read, DataFlow::FunctionNode callee) {
  exists(DataFlow::ClassNode cls, string name |
    read = cls.getAnInstanceReference().getAPropertyRead(name) and
    callee = cls.getADirectSuperClass*().getInstanceMember(name, DataFlow::MemberKind::getter())
  )
}
private class AccessorCallPatch extends DataFlow::MethodCallNode {
  override Function getACallee(int imprecision) {
    result = super.getACallee(imprecision)
    or
    imprecision = 0 and
    exists(DataFlow::PropRead read, DataFlow::FunctionNode callee, string methodName, DataFlow::ClassNode cls |
      accessorCall(read, callee) and
      this = read.getAMethodCall(methodName) and
      cls.getAnInstanceReference().flowsTo(callee.getReturnNode()) and
      result = cls.getInstanceMethod(methodName).getFunction()
    )
  }
}Could you try this and see if you can trace  | 
Beta Was this translation helpful? Give feedback.
@jason-invision I think I recognize this problem, and you might be running into a limitation in how we track flow through getters. We're working on a general fix to this, but in the meantime you can try include this snippet in your query to patch up the call graph: