JS: Add overlay[global] to abstract classes with fields

asgerf · asgerf · commit 777cf5cdf49e · 2025-10-31T09:53:19.000+01:00
Some abstract classes defines fields without binding them, leaving it up to the subclasses to bind them. When combined with overlay[local?], the charpred for such an abstract class can become local, while the subclasses are global. The means the charpred needs to be materialized, even though it doesn't bind the fields, leading to a cartesian product.
diff --git a/javascript/ql/lib/semmle/javascript/DOM.qll b/javascript/ql/lib/semmle/javascript/DOM.qll
@@ -194,6 +194,7 @@ module DOM {
    * A data flow node or other program element that may refer to
    * a DOM element.
    */
+  overlay[global]
   abstract class Element extends Locatable {
     ElementDefinition defn;
 
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/EventEmitter.qll b/javascript/ql/lib/semmle/javascript/frameworks/EventEmitter.qll
@@ -97,6 +97,7 @@ module EventRegistration {
   /**
    * A registration of an event handler on an EventEmitter.
    */
+  overlay[global]
   abstract class Range extends DataFlow::Node {
     EventEmitter::Range emitter;
 
@@ -151,6 +152,7 @@ module EventDispatch {
   /**
    * A dispatch of an event on an EventEmitter.
    */
+  overlay[global]
   abstract class Range extends DataFlow::Node {
     EventEmitter::Range emitter;
 
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -260,6 +260,7 @@ module NodeJSLib {
     DataFlow::Node getRouteHandlerNode() { result = handler }
   }
 
+  overlay[global]
   abstract private class HeaderDefinition extends Http::Servers::StandardHeaderDefinition {
     ResponseNode r;
 
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
@@ -18,6 +18,7 @@ module SQL {
    * An dataflow node that sanitizes a string to make it safe to embed into
    * a SQL command.
    */
+  overlay[global]
   abstract class SqlSanitizer extends DataFlow::Node {
     DataFlow::Node input;
     DataFlow::Node output;
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionCustomizations.qll
@@ -131,6 +131,7 @@ module SecondOrderCommandInjection {
   /**
    * A sink that invokes a command described by the `VulnerableCommand` class.
    */
+  overlay[global]
   abstract class VulnerableCommandSink extends Sink {
     VulnerableCommand cmd;
 
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -196,6 +196,7 @@ module TaintedPath {
      * There are currently four flow labels, representing the different combinations of
      * normalization and absoluteness.
      */
+    overlay[global]
     abstract class PosixPath extends DataFlow::FlowLabel {
       Normalization normalization;
       Relativeness relativeness;
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -103,6 +103,7 @@ module UnsafeHtmlConstruction {
    * A sink for `js/html-constructed-from-input` that constructs some HTML where
    * that HTML is later used in `xssSink`.
    */
+  overlay[global]
   abstract class XssSink extends Sink {
     DomBasedXss::Sink xssSink;
 

Original file line number	Diff line number	Diff line change
`@@ -260,6 +260,7 @@ module NodeJSLib {`
`260`	`260`	`DataFlow::Node getRouteHandlerNode() { result = handler }`
`261`	`261`	`}`
`262`	`262`
	`263`	`+ overlay[global]`
`263`	`264`	`abstract private class HeaderDefinition extends Http::Servers::StandardHeaderDefinition {`
`264`	`265`	`ResponseNode r;`
`265`	`266`