jsutil
diff --git a/‎javascript/change-notes/2021-03-29-misc-steps.md
Lines changed: 6 additions & 0 deletions b/‎javascript/change-notes/2021-03-29-misc-steps.md
Lines changed: 6 additions & 0 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/Base64.qll
Lines changed: 4 additions & 2 deletions b/‎javascript/ql/src/semmle/javascript/Base64.qll
Lines changed: 4 additions & 2 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
Lines changed: 12 additions & 8 deletions b/‎javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
Lines changed: 12 additions & 8 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/frameworks/Babel.qll
Lines changed: 16 additions & 0 deletions b/‎javascript/ql/src/semmle/javascript/frameworks/Babel.qll
Lines changed: 16 additions & 0 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/frameworks/LodashUnderscore.qll
Lines changed: 2 additions & 4 deletions b/‎javascript/ql/src/semmle/javascript/frameworks/LodashUnderscore.qll
Lines changed: 2 additions & 4 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/frameworks/PropertyProjection.qll
Lines changed: 13 additions & 4 deletions b/‎javascript/ql/src/semmle/javascript/frameworks/PropertyProjection.qll
Lines changed: 13 additions & 4 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/frameworks/React.qll
Lines changed: 25 additions & 7 deletions b/‎javascript/ql/src/semmle/javascript/frameworks/React.qll
Lines changed: 25 additions & 7 deletions
diff --git a/‎javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
Lines changed: 1 addition & 0 deletions b/‎javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
Lines changed: 1 addition & 0 deletions
diff --git a/‎javascript/ql/test/library-tests/TaintTracking/array-mutation.js
Lines changed: 4 additions & 0 deletions b/‎javascript/ql/test/library-tests/TaintTracking/array-mutation.js
Lines changed: 4 additions & 0 deletions
diff --git a/‎javascript/ql/test/library-tests/frameworks/ReactJS/importedComponent.jsx
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/test/library-tests/frameworks/ReactJS/importedComponent.jsx
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,6 @@
+lgtm,codescanning
+* The `lodash-es` package is now recognized as a variant of `lodash`.
+* Taint is now propagated through the `babel.transform` function.
+* Improved data flow through React applications using `redux-form` or `react-router`.
+* Base64 decoding using the `react-native-base64` package is now recognized.
+* An expression of form `o[o.length] = y` is now recognized as appending to an array.
@@ -150,7 +150,8 @@ private class NpmBase64Encode extends Base64::Encode::Range, DataFlow::CallNode
       enc = DataFlow::moduleMember("base64url", "toBase64") or
       enc = DataFlow::moduleMember("js-base64", "Base64").getAPropertyRead("encode") or
       enc = DataFlow::moduleMember("js-base64", "Base64").getAPropertyRead("encodeURI") or
-      enc = DataFlow::moduleMember("urlsafe-base64", "encode")
+      enc = DataFlow::moduleMember("urlsafe-base64", "encode") or
+      enc = DataFlow::moduleMember("react-native-base64", ["encode", "encodeFromByteArray"])
     |
       this = enc.getACall()
     )
@@ -186,7 +187,8 @@ private class NpmBase64Decode extends Base64::Decode::Range, DataFlow::CallNode
       dec = DataFlow::moduleMember("base64url", "decode") or
       dec = DataFlow::moduleMember("base64url", "fromBase64") or
       dec = DataFlow::moduleMember("js-base64", "Base64").getAPropertyRead("decode") or
-      dec = DataFlow::moduleMember("urlsafe-base64", "decode")
+      dec = DataFlow::moduleMember("urlsafe-base64", "decode") or
+      dec = DataFlow::moduleMember("react-native-base64", "decode")
     |
       this = dec.getACall()
     )
 
@@ -584,22 +584,26 @@ module TaintTracking {
 
   /**
    * A taint propagating data flow edge for assignments of the form `o[k] = v`, where
-   * `k` is not a constant and `o` refers to some object literal; in this case, we consider
-   * taint to flow from `v` to that object literal.
+   * one of the following holds:
    *
-   * The rationale for this heuristic is that if properties of `o` are accessed by
-   * computed (that is, non-constant) names, then `o` is most likely being treated as
-   * a map, not as a real object. In this case, it makes sense to consider the entire
-   * map to be tainted as soon as one of its entries is.
+   * - `k` is not a constant and `o` refers to some object literal. The rationale
+   *   here is that `o` is most likely being used like a dictionary object.
+   *
+   * - `k` refers to `o.length`, that is, the assignment is of form `o[o.length] = v`.
+   *   In this case, the assignment behaves like `o.push(v)`.
    */
-  private class DictionaryTaintStep extends SharedTaintStep {
+  private class ComputedPropWriteTaintStep extends SharedTaintStep {
     override predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(AssignExpr assgn, IndexExpr idx, DataFlow::ObjectLiteralNode obj |
+      exists(AssignExpr assgn, IndexExpr idx, DataFlow::SourceNode obj |
         assgn.getTarget() = idx and
         obj.flowsToExpr(idx.getBase()) and
         not exists(idx.getPropertyName()) and
         pred = DataFlow::valueNode(assgn.getRhs()) and
         succ = obj
+      |
+        obj instanceof DataFlow::ObjectLiteralNode
+        or
+        obj.getAPropertyRead("length").flowsToExpr(idx.getPropertyNameExpr())
       )
     }
   }
 
@@ -188,4 +188,20 @@ module Babel {
     /** Gets the name of the variable used to create JSX elements. */
     string getJsxFactoryVariableName() { result = getOption("pragma").(JSONString).getValue() }
   }
+
+  /**
+   * A taint step through a call to the Babel `transform` function.
+   */
+  private class TransformTaintStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::CallNode call |
+        call =
+          API::moduleImport(["@babel/standalone", "@babel/core"])
+              .getMember(["transform", "transformSync", "transformAsync"])
+              .getACall() and
+        pred = call.getArgument(0) and
+        succ = [call, call.getParameter(2).getParameter(0).getAnImmediateUse()]
+      )
+    }
+  }
 }
@@ -21,11 +21,9 @@ module LodashUnderscore {
     string name;
 
     DefaultMember() {
-      this = DataFlow::moduleMember("underscore", name)
+      this = DataFlow::moduleMember(["underscore", "lodash", "lodash-es"], name)
       or
-      this = DataFlow::moduleMember("lodash", name)
-      or
-      this = DataFlow::moduleImport("lodash/" + name)
+      this = DataFlow::moduleImport(["lodash/", "lodash-es/"] + name)
       or
       this = DataFlow::moduleImport("lodash." + name.toLowerCase()) and isLodashMember(name)
       or
 
@@ -75,10 +75,6 @@ private DataFlow::SourceNode getASimplePropertyProjectionCallee(
 ) {
   singleton = false and
   (
-    result = LodashUnderscore::member("pick") and
-    objectIndex = 0 and
-    selectorIndex = [1 .. max(result.getACall().getNumArgument())]
-    or
     result = LodashUnderscore::member("pickBy") and
     objectIndex = 0 and
     selectorIndex = 1
@@ -131,6 +127,19 @@ private class SimplePropertyProjection extends PropertyProjection::Range {
   override predicate isSingletonProjection() { singleton = true }
 }
 
+/**
+ * A property projection with a variable number of selector indices.
+ */
+private class VarArgsPropertyProjection extends PropertyProjection::Range {
+  VarArgsPropertyProjection() { this = LodashUnderscore::member("pick").getACall() }
+
+  override DataFlow::Node getObject() { result = getArgument(0) }
+
+  override DataFlow::Node getASelector() { result = getArgument(any(int i | i > 0)) }
+
+  override predicate isSingletonProjection() { none() }
 }
+
 /**
  * A taint step for a property projection.
  */
 
@@ -691,15 +691,22 @@ private DataFlow::SourceNode reactRouterDom() {
   result = DataFlow::moduleImport("react-router-dom")
 }
 
+private DataFlow::SourceNode reactRouterMatchObject() {
+  result = reactRouterDom().getAMemberCall(["useRouteMatch", "matchPath"])
+  or
+  exists(ReactComponent c |
+    dependedOnByReactRouterClient(c.getTopLevel()) and
+    result = c.getAPropRead("match")
+  )
+}
+
 private class ReactRouterSource extends ClientSideRemoteFlowSource {
   ClientSideRemoteFlowKind kind;
 
   ReactRouterSource() {
     this = reactRouterDom().getAMemberCall("useParams") and kind.isPath()
     or
-    exists(string prop |
-      this = reactRouterDom().getAMemberCall("useRouteMatch").getAPropertyRead(prop)
-    |
+    exists(string prop | this = reactRouterMatchObject().getAPropertyRead(prop) |
       prop = "params" and kind.isPath()
       or
       prop = "url" and kind.isUrl()
@@ -713,16 +720,25 @@ private class ReactRouterSource extends ClientSideRemoteFlowSource {
 
 /**
  * Holds if `mod` transitively depends on `react-router-dom`.
- *
- * We assume any React component in such a file may be used in a context where react-router
- * injects the `location` property in its `props` object.
  */
 private predicate dependsOnReactRouter(Module mod) {
   mod.getAnImport().getImportedPath().getValue() = "react-router-dom"
   or
   dependsOnReactRouter(mod.getAnImportedModule()
F438
)
 }
 
+/**
+ * Holds if `mod` is imported from a module that transitively depends on `react-router-dom`.
+ *
+ * We assume any React component in such a file may be used in a context where react-router
+ * injects the `location` and `match` properties in its `props` object.
+ */
+private predicate dependedOnByReactRouterClient(Module mod) {
+  dependsOnReactRouter(mod)
+  or
+  dependedOnByReactRouterClient(any(Module m | m.getAnImportedModule() = mod))
+}
+
 /**
  * A reference to the DOM location obtained through `react-router-dom`
  *
@@ -740,7 +756,7 @@ private class ReactRouterLocationSource extends DOM::LocationSource::Range {
     this = reactRouterDom().getAMemberCall("useLocation")
     or
     exists(ReactComponent component |
-      dependsOnReactRouter(component.getTopLevel()) and
+      dependedOnByReactRouterClient(component.getTopLevel()) and
       this = component.getAPropRead("location")
     )
   }
@@ -759,6 +775,8 @@ private DataFlow::SourceNode higherOrderComponentBuilder() {
   or
   result = DataFlow::moduleMember(["react-hot-loader", "react-hot-loader/root"], "hot").getACall()
   or
+  result = DataFlow::moduleMember("redux-form", "reduxForm").getACall()
+  or
   result = reactRouterDom().getAPropertyRead("withRouter")
   or
   exists(FunctionCompositionCall compose |
 
@@ -11,6 +11,7 @@ typeInferenceMismatch
 | array-mutation.js:27:16:27:23 | source() | array-mutation.js:28:8:28:8 | g |
 | array-mutation.js:31:33:31:40 | source() | array-mutation.js:32:8:32:8 | h |
 | array-mutation.js:35:36:35:43 | source() | array-mutation.js:36:8:36:8 | i |
+| array-mutation.js:39:17:39:24 | source() | array-mutation.js:40:8:40:8 | j |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:13:10:13:10 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:19:10:19:10 | x |
 
@@ -34,4 +34,8 @@ function test(x, y) {
   let i = [];
   Array.prototype.unshift.apply(i, source());
   sink(i); // NOT OK
+
+  let j = [];
+  j[j.length] = source();
+  sink(j); // NOT OK
 }
@@ -1,5 +1,5 @@
 import { MyComponent } from "./exportedComponent";
 
-export function render(color) {
+export function render({color, location}) {
     return <MyComponent color={color}/>
 }
Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,8 @@ private class NpmBase64Encode extends Base64::Encode::Range, DataFlow::CallNode`
`150`	`150`	`enc = DataFlow::moduleMember("base64url", "toBase64") or`
`151`	`151`	`enc = DataFlow::moduleMember("js-base64", "Base64").getAPropertyRead("encode") or`
`152`	`152`	`enc = DataFlow::moduleMember("js-base64", "Base64").getAPropertyRead("encodeURI") or`
`153`		`- enc = DataFlow::moduleMember("urlsafe-base64", "encode")`
	`153`	`+ enc = DataFlow::moduleMember("urlsafe-base64", "encode") or`
	`154`	`+ enc = DataFlow::moduleMember("react-native-base64", ["encode", "encodeFromByteArray"])`
`154`	`155`	`\|`
`155`	`156`	`this = enc.getACall()`
`156`	`157`	`)`
`@@ -186,7 +187,8 @@ private class NpmBase64Decode extends Base64::Decode::Range, DataFlow::CallNode`
`186`	`187`	`dec = DataFlow::moduleMember("base64url", "decode") or`
`187`	`188`	`dec = DataFlow::moduleMember("base64url", "fromBase64") or`
`188`	`189`	`dec = DataFlow::moduleMember("js-base64", "Base64").getAPropertyRead("decode") or`
`189`		`- dec = DataFlow::moduleMember("urlsafe-base64", "decode")`
	`190`	`+ dec = DataFlow::moduleMember("urlsafe-base64", "decode") or`
	`191`	`+ dec = DataFlow::moduleMember("react-native-base64", "decode")`
`190`	`192`	`\|`
`191`	`193`	`this = dec.getACall()`
`192`	`194`	`)`
Original file line number	Diff line number	Diff line change
`@@ -34,4 +34,8 @@ function test(x, y) {`
`34`	`34`	`let i = [];`
`35`	`35`	`Array.prototype.unshift.apply(i, source());`
`36`	`36`	`sink(i); // NOT OK`
	`37`	`+`
	`38`	`+ let j = [];`
	`39`	`+ j[j.length] = source();`
	`40`	`+ sink(j); // NOT OK`
`37`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`import { MyComponent } from "./exportedComponent";`
`2`	`2`
`3`		`-export function render(color) {`
	`3`	`+export function render({color, location}) {`
`4`	`4`	`return <MyComponent color={color}/>`
`5`	`5`	`}`