local data flow, global data flow, taint tracking
data flow graph
Data flow nodes belong to the DataFlow::Node class and its subclasses; AST nodes belong to the ASTNode class and its subclasses.
Classes
DataFlow::ValueNode
an expression, destructuring pattern, or declaration of a function, class, namespace, or enum.
Matching examples
DataFlow::PropRef comprises DataFlow::PropRead and DataFlow::PropWrite
DataFlow::PropRead class
A data flow node that reads an object property.
Matching examples
DataFlow::PropWrite
A data flow node that writes to an object property.
Matching examples
DataFlow::ParameterNode
a function parameter.
Matching examples
x in function f(x) {} // x is a parameter of function f
DataFlow::InvokeNode
a function invocation (with or without new).
Matching examples
Math.abs(x)
new Array(16)
DataFlow::NewNode
a function invocation (with new).
new Array(16)
DataFlow::CallNode
a function invocation (without new).
Matching examples
Math.abs(x)
DataFlow::MethodCallNode
a method call, that is, a call of form x.m(…).
Matching examples
Math.abs(x)
obj.foo()
DataFlow::GlobalVarRefNode
a direct reference to a global variable; the following predicate is used more often than this class itself:
DataFlow::globalVarRef(name)
Matching examples
document
Math
window.document
window.Mat
DataFlow::FunctionNode
a function definition
Matching examples
function greet() { // function declaration
  console.log("Hi");
}
var greet = function() { // function expression
  console.log("Hi");
};
var greet2 = () => console.log("Hi"); // arrow function expression
var o = {
  m() { // function expression in a method definition in an object literal
    return 0;
  },
  get x() { // function expression in a getter method definition in an object literal
    return 1;
  }
};
class C {
  m() { // function expression in a method definition in a class
    return 0;
  }
}
DataFlow::ClassNode
a class definition or a function definition acting as a class.
Matching examples
class C {
  method() {}
}
function F() {}
F.prototype.method = function() {};
F.prototype = {
  method: function() {}
};
extend(F.prototype, {
  method: function() {}
});
Predicates
DataFlow::valueNode(x)
DataFlow::parameterNode(p)
DataFlow::thisNode(s)
DataFlow::globalVarRef(g)
Query example
Matches all nodes that reference the global variable document
DataFlow::globalVarRef("document")
DataFlow::moduleMember(p, m)
Query example
Matches all nodes that call the readFile method of the fs module
DataFlow::moduleMember("fs", "readFile")
getAPredecessor
getASuccessor
asExpr
Converts a DataFlow::Node into an expression.
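A query tying these predicates together, as an added example that is not from the original notes: it reports calls to readFile from the fs module whose first argument is reachable through local data flow steps from a function parameter. The query metadata (name and id) is made up for illustration.

```ql
/**
 * @name File read with parameter-controlled path (illustrative)
 * @kind problem
 * @id js/example/readfile-path-from-parameter
 */

import javascript

from DataFlow::CallNode call, DataFlow::ParameterNode p
where
  // moduleMember gives the references to fs.readFile; getACall() gives its call sites
  call = DataFlow::moduleMember("fs", "readFile").getACall() and
  // getASuccessor*() follows zero or more local flow steps from the parameter
  p.getASuccessor*() = call.getArgument(0)
// asExpr() maps the data flow node back to the AST expression of the call
select call.asExpr(), "Path argument flows from parameter $@.", p, p.getName()
```

getASuccessor only follows local (intra-procedural) steps, so flow across function boundaries needs a global data flow or taint tracking configuration.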