The Wayback Machine - https://web.archive.org/web/20260531223335/https://github.com/github/codeql/pull/6472
Skip to content

JS: add a getMaybePromisified predicate to API-graphs, and use it to model child_process#6472

Merged
codeql-ci merged 1 commit into
github:mainfrom
erik-krogh:apiPromise
Aug 25, 2021
Merged

JS: add a getMaybePromisified predicate to API-graphs, and use it to model child_process#6472
codeql-ci merged 1 commit into
github:mainfrom
erik-krogh:apiPromise

Conversation

@erik-krogh
Copy link
Copy Markdown
Contributor

@erik-krogh erik-krogh commented Aug 11, 2021
edited
Loading

Recognizes the sink for CVE-2021-29300.

Recognizing the new sink just required using API-graphs.
But recognizing existing sinks using API-graphs required a promisified label in API-graphs.

So I generalized the promisified part of API-graphs a bit.

No change in alerts.
And a performance evaluation on the security suite looks fine.
@erik-krogh erik-krogh added the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Aug 11, 2021
@github-actions github-actions Bot added the JS label Aug 11, 2021
@erik-krogh erik-krogh force-pushed the apiPromise branch 5 times, most recently from 5abf1fb to 4b16cc3 Compare August 17, 2021 20:59
@erik-krogh erik-krogh added JS:changes-sources-or-sinks Changes taint sources/sinks for the JS analysis no-change-note-required This PR does not need a change note and removed Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish labels Aug 17, 2021
@erik-krogh erik-krogh changed the title JS: add a maybePromisified predicate to API-graphs, and use it to model child_process Aug 17, 2021
@erik-krogh erik-krogh marked this pull request as ready for review August 17, 2021 21:01
@erik-krogh erik-krogh requested a review from a team as a code owner August 17, 2021 21:01
@asgerf
Copy link
Copy Markdown
Contributor

asgerf commented Aug 24, 2021

After grokking through this change to API graphs, I'm a little hesitant to go along with it.

The main issue is that the monomorphic API use assumption will now kick in whenever a function is promisified. So if the promisify call is wrapped in a little helper function, all promisified functions flowing there will get mixed up.

But I also think the change may have been overkill to begin with, and we need to be clear about what problem it's meant to fix.

The way I see it, the getParameter() predicate already looks through promisification transparently, without the model needing to know about it at all. But getACall() does not do this, and that's the real problem. Models that do getParameter(i) will magically just work, but if you do getACall().getParameter(i) then it won't handle promisification.

We could make getACall include promisified calls automatically, but perhaps that's a bit risky. How about adding getAPromisifiedCall? (and a "maybe" version of it for convenience). It seems like that should have been enough, and it can be added without changing the underlying API graph or its type tracking predicates.

For the library model, there isn't much difference between getPromisified().getACall() and getAPromisifiedCall(). And there is never a reason to follow getPromisified() with anything other than getACall() because it already works for getParameter().
@erik-krogh erik-krogh added the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Aug 24, 2021
@erik-krogh
Copy link
Copy Markdown
Contributor Author

erik-krogh commented Aug 25, 2021

How about adding getAPromisifiedCall? (and a "maybe" version of it for convenience). It seems like that should have been enough, and it can be added without changing the underlying API graph or its type tracking predicates.

That sounds like a good idea. I've just added a getMaybePromisifiedCall.

A new evaluation looks clean.
@erik-krogh erik-krogh removed the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Aug 25, 2021
@codeql-ci codeql-ci merged commit 1daeea5 into github:main Aug 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

JS:changes-sources-or-sinks Changes taint sources/sinks for the JS analysis JS no-change-note-required This PR does not need a change note

3 participants

@erik-krogh @asgerf @codeql-ci