JS: Fix jump steps generated by IIFEs and exception flow #18043
Conversation
We generate local flow steps into and out of IIFEs, but these become jump steps automatically, resulting in FPs.
Bailing out can be more expensive as the resulting jump steps themselves cause perf issues. The limit of 100 variables per scope has also been added in the interim, which handles the cases that this needed to cover.
Previously a few Promise-related methods were special-cased, which is no longer needed.
We previously caught this flow because of a heuristic in capture flow. We'll have to fix it properly later.
The VariableCapture library consumes one component of the access path limit, which means we lose this result.
LGTM 👍
javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessQuery.qll
/**
 * Holds if `node1 -> node2` should be removed as a jump step.
 *
 * Currently this is done as a workaround for the local steps generated from IIFEs.
"Currently"?
Is that hinting towards plans for another solution in the future?
In general this predicate can be populated with jump steps that should be excluded, and currently the only use-case for this is the workaround mentioned. So it was meant to imply that other things could get added to the predicate as well.
This PR fixes a few semi-related issues that caused performance and precision problems:
Immediately-invoked function expressions (IIFEs)
Removes jump steps generated by local flow into and out of immediately-invoked function expressions (IIFEs), and fixes some bugs so that the same flow is now handled by regular flow rules. IIFEs are special-cased in the local flow relation, which benefits things like type tracking and type inference, but is unhelpful for the data flow library.
Exceptions
Removes jump steps resulting from exception-propagating flow steps involving callbacks. Exceptions from callbacks passed to a library function are now handled as follows:
- Argument[0..].ReturnValue[exception] to ReturnValue[exception]
- .ReturnValue[exception], the summary is assumed to propagate the exceptions from each callback mentioned in the summary. (This isn't equivalent to adding the exception propagator as an additional target, because flow-through from a parameter to the exceptional return wouldn't work in that case.)
Block flow into test cases
js/insecure-randomness now blocks flow through test cases. Perhaps more queries ought to do this, but it seems particularly problematic for this query. Also broadens our classifications of test files a bit.
Evaluation:
- vscode
- js/insecure-randomness
Evaluation against main shows that we're down to a median 30% slowdown, with a 141% worst-case slowdown.
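The JavaScript program shapes the PR description refers to, written out as an added example that is not part of the PR or of the CodeQL library. The function names (iifeFlow, forEachLike, exceptionFromCallback, exceptionCarriesArgument) and the sample inputs are constructed for illustration; the comments relate each shape to the flow-summary notation used in the description.

```javascript
// Constructed JavaScript programs (not from the PR) illustrating the flow
// shapes discussed in the PR description. All names are hypothetical.

// 1. Local flow into and out of an IIFE: `taint` enters as the IIFE's
//    argument and leaves through its return value. The data flow library
//    should see this as ordinary call/return flow, not as a jump step.
function iifeFlow(taint) {
  const result = (function (x) {
    return "[" + x + "]";
  })(taint);
  return result;
}

// 2. A library-style function that invokes a callback. In flow-summary terms
//    its exception behaviour is `Argument[1].ReturnValue[exception]` ->
//    `ReturnValue[exception]`: whatever the callback throws propagates to the
//    caller of `forEachLike`.
function forEachLike(items, callback) {
  for (const item of items) {
    callback(item);
  }
}

// 2a. An exception raised inside the callback surfaces at the call site.
function exceptionFromCallback(items) {
  try {
    forEachLike(items, function (item) {
      if (item === "bad") {
        throw new Error("bad item: " + item);
      }
    });
    return "ok";
  } catch (e) {
    return e.message;
  }
}

// 2b. Flow-through from the callback's parameter to its exceptional return:
//    the element of `items` itself is thrown, so the caller's `catch`
//    receives the original value. A model that only says "exceptions
//    propagate", without parameter-to-exceptional-return flow, misses this path.
function exceptionCarriesArgument(items) {
  try {
    forEachLike(items, function (item) {
      throw item;
    });
    return null;
  } catch (thrown) {
    return thrown;
  }
}
```

Case 2b is the situation the description singles out: the value reaching the catch block is the same object that was passed in as an array element, so a data flow path from the argument of forEachLike to the exceptional return must exist for a query to report it.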