Partial address comments - refactor qll lib files and add testcase

knewbury01 · knewbury01 · commit 9d02e7ebedaa · 2025-08-12T15:36:57.000-04:00
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPPathInjectionQuery.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPPathInjectionQuery.qll
@@ -5,169 +5,7 @@
  */
 
 import javascript
-import advanced_security.javascript.frameworks.cap.CDS
-
-/**
- * An access to the `utils` module on a CDS facade.
- */
-class CdsUtilsModuleAccess extends API::Node {
-  CdsUtilsModuleAccess() { exists(CdsFacade cds | this = cds.getMember("utils")) }
-}
-
-class PathConverters extends DataFlow::Node {
-  PathConverters() {
-    exists(CdsUtilsModuleAccess utils |
-      utils.getMember(["decodeURI", "decodeURIComponent", "local"]).getACall() = this
-    )
-  }
-
-  SourceNode pathConvertersUtils(TypeTracker t) {
-    t.start() and
-    result = this
-    or
-    exists(TypeTracker t2 | result = pathConvertersUtils(t2).track(t2, t))
-  }
-
-  SourceNode pathConvertersUtils() { result = pathConvertersUtils(TypeTracker::end()) }
-
-  DataFlow::Node getPath() { pathConvertersUtils().(DataFlow::CallNode).getAnArgument() = result }
-}
-
-class PathPredicates extends DataFlow::Node {
-  PathPredicates() {
-    exists(CdsUtilsModuleAccess utils | utils.getMember(["isdir", "isfile"]).getACall() = this)
-  }
-
-  SourceNode pathPredicateUtils(TypeTracker t) {
-    t.start() and
-    result = this
-    or
-    exists(TypeTracker t2 | result = pathPredicateUtils(t2).track(t2, t))
-  }
-
-  SourceNode pathPredicateUtils() { result = pathPredicateUtils(TypeTracker::end()) }
-
-  DataFlow::Node getPath() { pathPredicateUtils().(DataFlow::CallNode).getAnArgument() = result }
-}
-
-class DirectoryReaders extends DataFlow::Node {
-  DirectoryReaders() {
-    exists(CdsUtilsModuleAccess utils |
-      utils.getMember(["find", "stat", "readdir"]).getACall() = this
-    )
-  }
-
-  SourceNode directoryReaderUtils(TypeTracker t) {
-    t.start() and
-    result = this
-    or
-    exists(TypeTracker t2 | result = directoryReaderUtils(t2).track(t2, t))
-  }
-
-  SourceNode directoryReaderUtils() { result = directoryReaderUtils(TypeTracker::end()) }
-
-  DataFlow::Node getPath() { directoryReaderUtils().(DataFlow::CallNode).getAnArgument() = result }
-}
-
-class DirectoryWriters extends DataFlow::Node {
-  DirectoryWriters() {
-    exists(CdsUtilsModuleAccess utils |
-      utils.getMember(["mkdirp", "rmdir", "rimraf", "rm"]).getACall() = this
-    )
-  }
-
-  SourceNode directoryWriterUtils(TypeTracker t) {
-    t.start() and
-    result = this
-    or
-    exists(TypeTracker t2 | result = directoryWriterUtils(t2).track(t2, t))
-  }
-
-  SourceNode directoryWriterUtils() { result = directoryWriterUtils(TypeTracker::end()) }
-
-  DataFlow::Node getPath() { directoryWriterUtils().(DataFlow::CallNode).getAnArgument() = result }
-}
-
-class FileReaders extends DataFlow::Node {
-  FileReaders() { exists(CdsUtilsModuleAccess utils | utils.getMember(["read"]).getACall() = this) }
-
-  SourceNode fileReaderUtils(TypeTracker t) {
-    t.start() and
-    result = this
-    or
-    exists(TypeTracker t2 | result = fileReaderUtils(t2).track(t2, t))
-  }
-
-  SourceNode fileReaderUtils() { result = fileReaderUtils(TypeTracker::end()) }
-
-  DataFlow::Node getPath() { fileReaderUtils().(DataFlow::CallNode).getArgument(0) = result }
-}
-
-class FileWriters extends DataFlow::Node {
-  FileWriters() {
-    exists(CdsUtilsModuleAccess utils | utils.getMember(["append", "write"]).getACall() = this)
-  }
-
-  SourceNode fileWriterUtils(TypeTracker t) {
-    t.start() and
-    result = this
-    or
-    exists(TypeTracker t2 | result = fileWriterUtils(t2).track(t2, t))
-  }
-
-  SourceNode fileWriterUtils() { result = fileWriterUtils(TypeTracker::end()) }
-
-  DataFlow::Node getData() {
-    exists(DataFlow::CallNode write |
-      write = fileWriterUtils() and
-      (
-        write.getNumArgument() = 1 and
-        write.getArgument(0) = result
-        or
-        write.getNumArgument() = 2 and
-        write.getArgument(1) = result
-      )
-    )
-  }
-
-  DataFlow::Node getPath() {
-    exists(DataFlow::CallNode write |
-      write = fileWriterUtils() and
-      (
-        write.getAMemberCall("to").getAnArgument() = result
-        or
-        write.getNumArgument() = 2 and
-        write.getArgument(0) = result
-      )
-    )
-  }
-}
-
-class FileReaderWriters extends DataFlow::Node {
-  FileReaderWriters() {
-    exists(CdsUtilsModuleAccess utils | utils.getMember(["copy"]).getACall() = this)
-  }
-
-  SourceNode fileReaderWriterUtils(TypeTracker t) {
-    t.start() and
-    result = this
-    or
-    exists(TypeTracker t2 | result = fileReaderWriterUtils(t2).track(t2, t))
-  }
-
-  SourceNode fileReaderWriterUtils() { result = fileReaderWriterUtils(TypeTracker::end()) }
-
-  DataFlow::Node getPath() {
-    exists(DataFlow::CallNode copy |
-      copy = fileReaderWriterUtils() and
-      (
-        copy.getAMemberCall("to").getArgument(_) = result
-        or
-        copy.getArgument(_) = result
-      )
-    )
-  }
-}
+import advanced_security.javascript.frameworks.cap.CDSUtils
 
 abstract class UtilsSink extends DataFlow::Node { }
 
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDSUtils.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDSUtils.qll
@@ -0,0 +1,104 @@
+import javascript
+import advanced_security.javascript.frameworks.cap.CDS
+
+/**
+ * An access to the `utils` module on a CDS facade.
+ */
+class CdsUtilsModuleAccess extends API::Node {
+  CdsUtilsModuleAccess() { exists(CdsFacade cds | this = cds.getMember("utils")) }
+}
+
+class PathConverters extends DataFlow::CallNode {
+  PathConverters() {
+    exists(CdsUtilsModuleAccess utils |
+      utils.getMember(["decodeURI", "decodeURIComponent", "local"]).getACall() = this
+    )
+  }
+
+  DataFlow::Node getPath() { this.getAnArgument() = result }
+}
+
+class PathPredicates extends DataFlow::CallNode {
+  PathPredicates() {
+    exists(CdsUtilsModuleAccess utils | utils.getMember(["isdir", "isfile"]).getACall() = this)
+  }
+
+  DataFlow::Node getPath() { this.getAnArgument() = result }
+}
+
+class DirectoryReaders extends DataFlow::CallNode {
+  DirectoryReaders() {
+    exists(CdsUtilsModuleAccess utils |
+      utils.getMember(["find", "stat", "readdir"]).getACall() = this
+    )
+  }
+
+  DataFlow::Node getPath() { this.getAnArgument() = result }
+}
+
+class DirectoryWriters extends DataFlow::CallNode {
+  DirectoryWriters() {
+    exists(CdsUtilsModuleAccess utils |
+      utils.getMember(["mkdirp", "rmdir", "rimraf", "rm"]).getACall() = this
+    )
+  }
+
+  DataFlow::Node getPath() { this.getAnArgument() = result }
+}
+
+class FileReaders extends DataFlow::CallNode {
+  FileReaders() { exists(CdsUtilsModuleAccess utils | utils.getMember(["read"]).getACall() = this) }
+
+  DataFlow::Node getPath() { this.getArgument(0) = result }
+}
+
+class FileWriters extends DataFlow::CallNode {
+  FileWriters() {
+    exists(CdsUtilsModuleAccess utils | utils.getMember(["append", "write"]).getACall() = this)
+  }
+
+  SourceNode fileReaderWriterUtils(TypeTracker t) {
+    t.start() and
+    result = this
+    or
+    exists(TypeTracker t2 | result = fileReaderWriterUtils(t2).track(t2, t))
+  }
+
+  SourceNode fileReaderWriterUtils() { result = fileReaderWriterUtils(TypeTracker::end()) }
+
+  DataFlow::Node getData() {
+    this.getNumArgument() = 1 and
+    this.getArgument(0) = result
+    or
+    this.getNumArgument() = 2 and
+    this.getArgument(1) = result
+  }
+
+  DataFlow::Node getPath() {
+    fileReaderWriterUtils().getAMemberCall("to").getAnArgument() = result
+    or
+    this.getNumArgument() = 2 and
+    this.getArgument(0) = result
+  }
+}
+
+class FileReaderWriters extends DataFlow::CallNode {
+  FileReaderWriters() {
+    exists(CdsUtilsModuleAccess utils | utils.getMember(["copy"]).getACall() = this)
+  }
+
+  SourceNode fileReaderWriterUtils(TypeTracker t) {
+    t.start() and
+    result = this
+    or
+    exists(TypeTracker t2 | result = fileReaderWriterUtils(t2).track(t2, t))
+  }
+
+  SourceNode fileReaderWriterUtils() { result = fileReaderWriterUtils(TypeTracker::end()) }
+
+  DataFlow::Node getPath() {
+    fileReaderWriterUtils().getAMemberCall("to").getArgument(_) = result
+    or
+    this.getAnArgument() = result
+  }
+}
diff --git a/javascript/frameworks/cap/test/models/cds/utils/utils.expected b/javascript/frameworks/cap/test/models/cds/utils/utils.expected
@@ -35,3 +35,5 @@
 | utils.js:43:18:43:21 | 'db' | 'db': sink |
 | utils.js:43:24:43:29 | 'data' | 'data': sink |
 | utils.js:44:10:44:23 | 'dist/db/data' | 'dist/db/data': sink |
+| utils.js:52:20:52:28 | 'db/data' | 'db/data': sink |
+| utils.js:57:10:57:23 | 'dist/db/data' | 'dist/db/data': sink |
diff --git a/javascript/frameworks/cap/test/models/cds/utils/utils.js b/javascript/frameworks/cap/test/models/cds/utils/utils.js
@@ -41,4 +41,18 @@ await rimraf('dist', 'db', 'data') // sink
 await rimraf('dist/db/data') // sink
 
 await rm('dist', 'db', 'data') // sink
-await rm('dist/db/data') // sink
+await rm('dist/db/data') // sink
+
+function wrapperouter() {
+    const temp = append
+    wrapperinnermid(temp)
+}
+
+function wrapperinnermid(temp) {
+    const a = temp('db/data') // sink
+    wrapperinner(a)
+}
+
+function wrapperinner(a) {
+    a.to('dist/db/data')  // sink
+}
