Merge pull request #7912 from erik-krogh/moarApi

JS: convert more type-trackers to API-graphs

Author: erik-krogh

javascript/ql/lib/semmle/javascript/frameworks/Cheerio.qll

@@ -6,27 +6,15 @@ import javascript
 private import semmle.javascript.security.dataflow.Xss as Xss
 
 module Cheerio {
-  /**
-   * A reference to the `cheerio` function, possibly with a loaded DOM.
-   */
-  private DataFlow::SourceNode cheerioRef(DataFlow::TypeTracker t) {
-    t.start() and
-    (
-      result = DataFlow::moduleImport("cheerio")
-      or
-      exists(string name | result = cheerioRef().getAMemberCall(name) |
-        name = "load" or
-        name = "parseHTML"
-      )
-    )
+  /** A reference to the `cheerio` function, possibly with a loaded DOM. */
+  private API::Node cheerioApi() {
+    result = API::moduleImport("cheerio")
     or
-    exists(DataFlow::TypeTracker t2 | result = cheerioRef(t2).track(t2, t))
+    result = cheerioApi().getMember(["load", "parseHTML"]).getReturn()
   }
 
-  /**
-   * A reference to the `cheerio` function, possibly with a loaded DOM.
-   */
-  DataFlow::SourceNode cheerioRef() { result = cheerioRef(DataFlow::TypeTracker::end()) }
+  /** A reference to the `cheerio` function, possibly with a loaded DOM. */
+  DataFlow::SourceNode cheerioRef() { result = cheerioApi().getAUse() }
 
   /**
    * A creation of `cheerio` object, a collection of virtual DOM elements
@@ -43,9 +31,9 @@ module Cheerio {
 
     private class DefaultRange extends Range {
       DefaultRange() {
-        this = cheerioRef().getACall()
+        this = cheerioApi().getACall()
         or
-        this = cheerioRef().getAMethodCall()
+        this = cheerioApi().getAMember().getACall()
       }
     }
   }

javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll

@@ -463,16 +463,11 @@ module ClientRequest {
   }
 
   /**
-   * Gets an instantiation `socket` of `require("net").Socket` type tracked using `t`.
+   * Gets an instantiation `socket` of `require("net").Socket`.
    */
-  private DataFlow::SourceNode netSocketInstantiation(
-    DataFlow::TypeTracker t, DataFlow::NewNode socket
-  ) {
-    t.start() and
-    socket = DataFlow::moduleMember("net", "Socket").getAnInstantiation() and
-    result = socket
-    or
-    exists(DataFlow::TypeTracker t2 | result = netSocketInstantiation(t2, socket).track(t2, t))
+  private API::Node netSocketInstantiation(DataFlow::NewNode socket) {
+    result = API::moduleImport("net").getMember("Socket").getInstance() and
+    socket = result.getAnImmediateUse()
   }
 
   /**
@@ -481,9 +476,7 @@ module ClientRequest {
   class NetSocketRequest extends ClientRequest::Range {
     DataFlow::NewNode socket;
 
-    NetSocketRequest() {
-      this = netSocketInstantiation(DataFlow::TypeTracker::end(), socket).getAMethodCall("connect")
-    }
+    NetSocketRequest() { this = netSocketInstantiation(socket).getMember("connect").getACall() }
 
     override DataFlow::Node getUrl() {
       result = this.getArgument([0, 1]) // there are multiple overrides of `connect`, and the URL can be in the first or second argument.
@@ -495,15 +488,15 @@ module ClientRequest {
       responseType = "text" and
       promise = false and
       exists(DataFlow::CallNode call |
-        call = netSocketInstantiation(DataFlow::TypeTracker::end(), socket).getAMemberCall("on") and
+        call = netSocketInstantiation(socket).getMember("on").getACall() and
         call.getArgument(0).mayHaveStringValue("data") and
         result = call.getABoundCallbackParameter(1, 0)
       )
     }
 
     override DataFlow::Node getADataNode() {
       exists(DataFlow::CallNode call |
-        call = netSocketInstantiation(DataFlow::TypeTracker::end(), socket).getAMemberCall("write") and
+        call = netSocketInstantiation(socket).getMember("write").getACall() and
         result = call.getArgument(0)
       )
     }
@@ -713,22 +706,15 @@ module ClientRequest {
    * Gets a reference to an instance of `chrome-remote-interface`.
    *
    * An instantiation of `chrome-remote-interface` either accepts a callback or returns a promise.
-   *
-   * The `isPromise` parameter reflects whether the reference is a promise containing
-   * an instance of `chrome-remote-interface`, or an instance of `chrome-remote-interface`.
    */
-  private DataFlow::SourceNode chromeRemoteInterface(DataFlow::TypeTracker t) {
-    exists(DataFlow::CallNode call |
-      call = DataFlow::moduleImport("chrome-remote-interface").getAnInvocation()
-    |
+  private API::Node chromeRemoteInterface() {
+    exists(API::CallNode call | call = API::moduleImport("chrome-remote-interface").getACall() |
       // the client is inside in a promise.
-      t.startInPromise() and result = call
+      result = call.getReturn().getPromised()
       or
       // the client is accessed directly using a callback.
-      t.start() and result = call.getCallback([0 .. 1]).getParameter(0)
+      result = call.getParameter([0 .. 1]).getParameter(0)
     )
-    or
-    exists(DataFlow::TypeTracker t2 | result = chromeRemoteInterface(t2).track(t2, t))
   }
 
   /**
@@ -738,14 +724,12 @@ module ClientRequest {
     int optionsArg;
 
     ChromeRemoteInterfaceRequest() {
-      exists(DataFlow::SourceNode instance |
-        instance = chromeRemoteInterface(DataFlow::TypeTracker::end())
-      |
+      exists(API::Node instance | instance = chromeRemoteInterface() |
         optionsArg = 0 and
-        this = instance.getAPropertyRead("Page").getAMemberCall("navigate")
+        this = instance.getMember("Page").getMember("navigate").getACall()
         or
         optionsArg = 1 and
-        this = instance.getAMemberCall("send") and
+        this = instance.getMember("send").getACall() and
         this.getArgument(0).mayHaveStringValue("Page.navigate")
       )
     }

javascript/ql/lib/semmle/javascript/frameworks/Electron.qll

@@ -56,18 +56,13 @@ module Electron {
     }
   }
 
-  private DataFlow::SourceNode browserObject(DataFlow::TypeTracker t) {
-    t.start() and
-    result instanceof NewBrowserObject
-    or
-    exists(DataFlow::TypeTracker t2 | result = browserObject(t2).track(t2, t))
-  }
+  private API::Node browserObject() { result.getAnImmediateUse() instanceof NewBrowserObject }
 
   /**
    * A data flow node whose value may originate from a browser object instantiation.
    */
   private class BrowserObjectByFlow extends BrowserObject {
-    BrowserObjectByFlow() { browserObject(DataFlow::TypeTracker::end()).flowsTo(this) }
+    BrowserObjectByFlow() { browserObject().getAUse() = this }
   }
 
   /**