JS: Add data flow modeling for promisified user-defined functions

Napalys · Napalys · commit 0d23ab07db3a · 2025-09-15T17:13:13.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll
@@ -1912,6 +1912,7 @@ module DataFlow {
   deprecated import Configuration
   import TypeTracking
   import AdditionalFlowSteps
+  import PromisifyFlow
   import internal.FunctionWrapperSteps
   import internal.sharedlib.DataFlow
   import internal.BarrierGuards
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/PromisifyFlow.qll b/javascript/ql/lib/semmle/javascript/dataflow/PromisifyFlow.qll
@@ -0,0 +1,29 @@
+/**
+ * Provides data flow steps for promisified user-defined function calls.
+ * This ensures that when you call a promisified user-defined function,
+ * arguments flow to the original function's parameters.
+ */
+
+private import javascript
+private import semmle.javascript.dataflow.AdditionalFlowSteps
+
+/**
+ * A data flow step from arguments of promisified user-defined function calls to
+ * the parameters of the original function.
+ */
+class PromisifiedUserFunctionArgumentFlow extends AdditionalFlowStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(
+      DataFlow::CallNode promisifiedCall, Promisify::PromisifyCall promisify,
+      DataFlow::FunctionNode originalFunc, int i
+    |
+      // The promisified call flows from a promisify result
+      promisify.flowsTo(promisifiedCall.getCalleeNode()) and
+      // The original function was promisified
+      originalFunc.flowsTo(promisify.getArgument(0)) and
+      // Argument i of the promisified call flows to parameter i of the original function
+      pred = promisifiedCall.getArgument(i) and
+      succ = originalFunc.getParameter(i)
+    )
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected
@@ -82,6 +82,7 @@
 | other.js:28:27:28:29 | cmd | other.js:5:25:5:31 | req.url | other.js:28:27:28:29 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
 | other.js:30:33:30:35 | cmd | other.js:5:25:5:31 | req.url | other.js:30:33:30:35 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
 | other.js:34:44:34:46 | cmd | other.js:5:25:5:31 | req.url | other.js:34:44:34:46 | cmd | This command line depends on a $@. | other.js:5:25:5:31 | req.url | user-provided value |
+| promisification.js:9:13:9:21 | code.code | promisification.js:15:18:15:25 | req.body | promisification.js:9:13:9:21 | code.code | This command line depends on a $@. | promisification.js:15:18:15:25 | req.body | user-provided value |
 | promisification.js:24:22:24:25 | code | promisification.js:21:18:21:25 | req.body | promisification.js:24:22:24:25 | code | This command line depends on a $@. | promisification.js:21:18:21:25 | req.body | user-provided value |
 | promisification.js:31:24:31:27 | code | promisification.js:30:18:30:25 | req.body | promisification.js:31:24:31:27 | code | This command line depends on a $@. | promisification.js:30:18:30:25 | req.body | user-provided value |
 | promisification.js:40:21:40:24 | code | promisification.js:37:18:37:25 | req.body | promisification.js:40:21:40:24 | code | This command line depends on a $@. | promisification.js:37:18:37:25 | req.body | user-provided value |
@@ -94,6 +95,7 @@
 | promisification.js:77:24:77:26 | cmd | promisification.js:61:15:61:22 | req.body | promisification.js:77:24:77:26 | cmd | This command line depends on a $@. | promisification.js:61:15:61:22 | req.body | user-provided value |
 | promisification.js:78:28:78:30 | cmd | promisification.js:61:15:61:22 | req.body | promisification.js:78:28:78:30 | cmd | This command line depends on a $@. | promisification.js:61:15:61:22 | req.body | user-provided value |
 | promisification.js:79:25:79:27 | cmd | promisification.js:61:15:61:22 | req.body | promisification.js:79:25:79:27 | cmd | This command line depends on a $@. | promisification.js:61:15:61:22 | req.body | user-provided value |
+| promisification.js:83:36:83:39 | code | promisification.js:61:15:61:22 | req.body | promisification.js:83:36:83:39 | code | This command line depends on a $@. | promisification.js:61:15:61:22 | req.body | user-provided value |
 | promisification.js:100:23:100:26 | code | promisification.js:99:18:99:25 | req.body | promisification.js:100:23:100:26 | code | This command line depends on a $@. | promisification.js:99:18:99:25 | req.body | user-provided value |
 | promisification.js:101:27:101:30 | code | promisification.js:99:18:99:25 | req.body | promisification.js:101:27:101:30 | code | This command line depends on a $@. | promisification.js:99:18:99:25 | req.body | user-provided value |
 | promisification.js:102:27:102:30 | code | promisification.js:99:18:99:25 | req.body | promisification.js:102:27:102:30 | code | This command line depends on a $@. | promisification.js:99:18:99:25 | req.body | user-provided value |
@@ -283,6 +285,11 @@ edges
 | other.js:5:9:5:11 | cmd | other.js:34:44:34:46 | cmd | provenance |  |
 | other.js:5:15:5:38 | url.par ... , true) | other.js:5:9:5:11 | cmd | provenance |  |
 | other.js:5:25:5:31 | req.url | other.js:5:15:5:38 | url.par ... , true) | provenance |  |
+| promisification.js:8:21:8:24 | code | promisification.js:9:13:9:16 | code | provenance |  |
+| promisification.js:9:13:9:16 | code | promisification.js:9:13:9:21 | code.code | provenance |  |
+| promisification.js:15:11:15:14 | code | promisification.js:16:15:16:18 | code | provenance |  |
+| promisification.js:15:18:15:25 | req.body | promisification.js:15:11:15:14 | code | provenance |  |
+| promisification.js:16:15:16:18 | code | promisification.js:8:21:8:24 | code | provenance |  |
 | promisification.js:21:11:21:14 | code | promisification.js:24:22:24:25 | code | provenance |  |
 | promisification.js:21:18:21:25 | req.body | promisification.js:21:11:21:14 | code | provenance |  |
 | promisification.js:30:11:30:14 | code | promisification.js:31:24:31:27 | code | provenance |  |
@@ -299,7 +306,10 @@ edges
 | promisification.js:61:9:61:11 | cmd | promisification.js:77:24:77:26 | cmd | provenance |  |
 | promisification.js:61:9:61:11 | cmd | promisification.js:78:28:78:30 | cmd | provenance |  |
 | promisification.js:61:9:61:11 | cmd | promisification.js:79:25:79:27 | cmd | provenance |  |
+| promisification.js:61:9:61:11 | cmd | promisification.js:89:12:89:14 | cmd | provenance |  |
 | promisification.js:61:15:61:22 | req.body | promisification.js:61:9:61:11 | cmd | provenance |  |
+| promisification.js:81:34:81:37 | code | promisification.js:83:36:83:39 | code | provenance |  |
+| promisification.js:89:12:89:14 | cmd | promisification.js:81:34:81:37 | code | provenance |  |
 | promisification.js:99:11:99:14 | code | promisification.js:100:23:100:26 | code | provenance |  |
 | promisification.js:99:11:99:14 | code | promisification.js:101:27:101:30 | code | provenance |  |
 | promisification.js:99:11:99:14 | code | promisification.js:102:27:102:30 | code | provenance |  |
@@ -502,6 +512,12 @@ nodes
 | other.js:28:27:28:29 | cmd | semmle.label | cmd |
 | other.js:30:33:30:35 | cmd | semmle.label | cmd |
 | other.js:34:44:34:46 | cmd | semmle.label | cmd |
+| promisification.js:8:21:8:24 | code | semmle.label | code |
+| promisification.js:9:13:9:16 | code | semmle.label | code |
+| promisification.js:9:13:9:21 | code.code | semmle.label | code.code |
+| promisification.js:15:11:15:14 | code | semmle.label | code |
+| promisification.js:15:18:15:25 | req.body | semmle.label | req.body |
+| promisification.js:16:15:16:18 | code | semmle.label | code |
 | promisification.js:21:11:21:14 | code | semmle.label | code |
 | promisification.js:21:18:21:25 | req.body | semmle.label | req.body |
 | promisification.js:24:22:24:25 | code | semmle.label | code |
@@ -524,6 +540,9 @@ nodes
 | promisification.js:77:24:77:26 | cmd | semmle.label | cmd |
 | promisification.js:78:28:78:30 | cmd | semmle.label | cmd |
 | promisification.js:79:25:79:27 | cmd | semmle.label | cmd |
+| promisification.js:81:34:81:37 | code | semmle.label | code |
+| promisification.js:83:36:83:39 | code | semmle.label | code |
+| promisification.js:89:12:89:14 | cmd | semmle.label | cmd |
 | promisification.js:99:11:99:14 | code | semmle.label | code |
 | promisification.js:99:18:99:25 | req.body | semmle.label | req.body |
 | promisification.js:100:23:100:26 | code | semmle.label | code |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/promisification.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/promisification.js
@@ -6,13 +6,13 @@ const app = express();
 app.use(bodyParser.json());
 
 function legacyEval(code) {
-    cp.exec(code.code); // $ MISSING: Alert
+    cp.exec(code.code); // $ Alert
 }
 
 app.post('/eval', async (req, res) => {
     const { promisify } = require('util');
     const evalAsync = promisify(legacyEval);
-    const code = req.body; // $ MISSING: Source
+    const code = req.body; // $ Source
     evalAsync(code);
 });
 
@@ -80,7 +80,7 @@ app.post('/eval', async (req, res) => {
 
     const lambda = es6Promisify((code, callback) => {
         try {
-            const result = cp.exec(code); // $ MISSING: Alert
+            const result = cp.exec(code); // $ Alert
             callback(null, result);
         } catch (err) {
             callback(err);
