Merge pull request github#2065 from erik-krogh/noReturn

Esben Sparre Andreasen · web-flow · commit 0e79d3db467b · 2019-10-09T13:44:39.000+02:00
JS: use of returnless function
diff --git a/change-notes/1.23/analysis-javascript.md b/change-notes/1.23/analysis-javascript.md
@@ -17,6 +17,8 @@
 | Unused index variable (`js/unused-index-variable`)                        | correctness                                                       | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. |
 | Loop bound injection (`js/loop-bound-injection`)                          | security, external/cwe/cwe-834                                      | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are not shown on LGTM by default. |
 | Suspicious method name (`js/suspicious-method-name-declaration`)          | correctness, typescript, methods                                  | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
+| Use of returnless function (`js/use-of-returnless-function`)              | maintainability, correctness                                      | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
+
 
 ## Changes to existing queries
 
diff --git a/javascript/ql/src/Statements/UseOfReturnlessFunction.qhelp b/javascript/ql/src/Statements/UseOfReturnlessFunction.qhelp
@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+JavaScript functions that do not return an expression will implicitly return 
+<code>undefined</code>. Using the implicit return value from such a function  
+is not an error in itself, but it is a pattern indicating that some
+misunderstanding has occurred. 
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+Do not use the return value from a function that does not return an expression.
+</p>
+
+</recommendation>
+<example>
+
+<p>
+In the example below, the function <code>renderText</code> is used to render 
+text through side effects, and the function does not return an expression. 
+However, the programmer still uses the return value from 
+<code>renderText</code> as if the function returned an expression, which is 
+clearly an error. 
+</p>
+
+<sample src="examples/UseOfReturnlessFunction.js" />
+
+<p>
+The program can be fixed either by removing the use of the value returned by 
+<code>renderText</code>, or by changing the <code>renderText</code> function
+to return an expression.
+</p>
+
+</example>
+<references>
+<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/return">Return</a>.</li>
+</references>
+</qhelp>
diff --git a/javascript/ql/src/Statements/UseOfReturnlessFunction.ql b/javascript/ql/src/Statements/UseOfReturnlessFunction.ql
@@ -0,0 +1,98 @@
+/**
+ * @name Use of returnless function
+ * @description Using the return value of a function that does not return an expression is indicative of a mistake.
+ * @kind problem
+ * @problem.severity warning
+ * @id js/use-of-returnless-function
+ * @tags maintainability,
+ *       correctness
+ * @precision high
+ */
+
+import javascript
+import Declarations.UnusedVariable
+import Expressions.ExprHasNoEffect
+import Statements.UselessConditional
+
+predicate returnsVoid(Function f) {
+  not f.isGenerator() and
+  not f.isAsync() and
+  not exists(f.getAReturnedExpr())
+}
+
+predicate isStub(Function f) {
+    f.getBody().(BlockStmt).getNumChild() = 0 
+    or
+    f instanceof ExternalDecl
+}
+
+/**
+ * Holds if `e` is in a syntactic context where it likely is fine that the value of `e` comes from a call to a returnless function.
+ */
+predicate benignContext(Expr e) {
+  inVoidContext(e) or 
+  
+  // A return statement is often used to just end the function.
+  e = any(Function f).getAReturnedExpr()
+  or 
+  exists(ConditionalExpr cond | cond.getABranch() = e and benignContext(cond)) 
+  or 
+  exists(LogicalBinaryExpr bin | bin.getAnOperand() = e and benignContext(bin)) 
+  or
+  exists(Expr parent | parent.getUnderlyingValue() = e and benignContext(parent))
+  or 
+  any(VoidExpr voidExpr).getOperand() = e
+
+  or
+  // weeds out calls inside HTML-attributes.
+  e.getParent() instanceof CodeInAttribute or  
+  // and JSX-attributes.
+  e = any(JSXAttribute attr).getValue() or 
+  
+  exists(AwaitExpr await | await.getOperand() = e and benignContext(await)) 
+  or
+  // Avoid double reporting with js/trivial-conditional
+  isExplicitConditional(_, e)
+  or 
+  // Avoid double reporting with js/comparison-between-incompatible-types
+  any(Comparison binOp).getAnOperand() = e
+  or
+  // Avoid double reporting with js/property-access-on-non-object
+  any(PropAccess ac).getBase() = e
+  or
+  // Avoid double-reporting with js/unused-local-variable
+  exists(VariableDeclarator v | v.getInit() = e and v.getBindingPattern().getVariable() instanceof UnusedLocal)
+  or
+  // Avoid double reporting with js/call-to-non-callable
+  any(InvokeExpr invoke).getCallee() = e
+  or
+  // arguments to Promise.resolve (and promise library variants) are benign. 
+  e = any(ResolvedPromiseDefinition promise).getValue().asExpr()
+}
+
+predicate oneshotClosure(InvokeExpr call) {
+  call.getCallee().getUnderlyingValue() instanceof ImmediatelyInvokedFunctionExpr
+}
+
+predicate alwaysThrows(Function f) {
+  exists(ReachableBasicBlock entry, DataFlow::Node throwNode |
+    entry = f.getEntryBB() and
+    throwNode.asExpr() = any(ThrowStmt t).getExpr() and
+    entry.dominates(throwNode.getBasicBlock())
+  )
+}
+
+from DataFlow::CallNode call
+where
+  not call.isIndefinite(_) and 
+  forex(Function f | f = call.getACallee() |
+    returnsVoid(f) and not isStub(f) and not alwaysThrows(f)
+  ) and
+  
+  not benignContext(call.asExpr()) and
+  
+  // anonymous one-shot closure. Those are used in weird ways and we ignore them.
+  not oneshotClosure(call.asExpr())
+select
+  call, "the function $@ does not return anything, yet the return value is used.", call.getACallee(), call.getCalleeName()
+  
diff --git a/javascript/ql/src/Statements/UselessConditional.ql b/javascript/ql/src/Statements/UselessConditional.ql
@@ -16,6 +16,7 @@ import javascript
 import semmle.javascript.RestrictedLocations
 import semmle.javascript.dataflow.Refinements
 import semmle.javascript.DefensiveProgramming
+import UselessConditional
 
 /**
  * Gets the unique definition of `v`.
@@ -123,22 +124,6 @@ predicate whitelist(Expr e) {
   isConstantBooleanReturnValue(e)
 }
 
-/**
- * Holds if `e` is part of a conditional node `cond` that evaluates
- * `e` and checks its value for truthiness, and the return value of `e`
- * is not used for anything other than this truthiness check.
- */
-predicate isExplicitConditional(ASTNode cond, Expr e) {
-  e = cond.(IfStmt).getCondition()
-  or
-  e = cond.(LoopStmt).getTest()
-  or
-  e = cond.(ConditionalExpr).getCondition()
-  or
-  isExplicitConditional(_, cond) and
-  e = cond.(Expr).getUnderlyingValue().(LogicalBinaryExpr).getAnOperand()
-}
-
 /**
  * Holds if `e` is part of a conditional node `cond` that evaluates
  * `e` and checks its value for truthiness.
diff --git a/javascript/ql/src/Statements/UselessConditional.qll b/javascript/ql/src/Statements/UselessConditional.qll
@@ -0,0 +1,21 @@
+/** 
+ * Provides predicates for working with useless conditionals.  
+ */ 
+
+import javascript
+
+/**
+ * Holds if `e` is part of a conditional node `cond` that evaluates
+ * `e` and checks its value for truthiness, and the return value of `e`
+ * is not used for anything other than this truthiness check.
+ */
+predicate isExplicitConditional(ASTNode cond, Expr e) {
+  e = cond.(IfStmt).getCondition()
+  or
+  e = cond.(LoopStmt).getTest()
+  or
+  e = cond.(ConditionalExpr).getCondition()
+  or
+  isExplicitConditional(_, cond) and
+  e = cond.(Expr).getUnderlyingValue().(LogicalBinaryExpr).getAnOperand()
+}
diff --git a/javascript/ql/src/Statements/examples/UseOfReturnlessFunction.js b/javascript/ql/src/Statements/examples/UseOfReturnlessFunction.js
@@ -0,0 +1,9 @@
+var stage = require("./stage")
+
+function renderText(text, id) {
+    document.getElementById(id).innerText = text;
+}
+
+var text = renderText("Two households, both alike in dignity", "scene");
+
+stage.show(text);
diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.expected b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.expected
@@ -0,0 +1,5 @@
+| tst.js:20:17:20:33 | onlySideEffects() | the function $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n    } | onlySideEffects |
+| tst.js:24:13:24:29 | onlySideEffects() | the function $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n    } | onlySideEffects |
+| tst.js:30:20:30:36 | onlySideEffects() | the function $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n    } | onlySideEffects |
+| tst.js:53:10:53:34 | bothOnl ... fects() | the function $@ does not return anything, yet the return value is used. | tst.js:11:5:13:5 | functio ... )\\n    } | bothOnlyHaveSideEffects |
+| tst.js:53:10:53:34 | bothOnl ... fects() | the function $@ does not return anything, yet the return value is used. | tst.js:48:2:50:5 | functio ... )\\n    } | bothOnlyHaveSideEffects |
diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.qlref b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/UseOfReturnlessFunction.qlref
@@ -0,0 +1 @@
+Statements/UseOfReturnlessFunction.ql
diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js
@@ -0,0 +1,71 @@
+(function () {
+    function stub() {
+        throw new Error("Not implemented!");
+    }
+
+    function returnsValue() {
+        var x = 3;
+        return x * 2;
+    }
+
+    function onlySideEffects() {
+        console.log("Boo!")
+    }
+    
+    var arrow = () => onlySideEffects();
+
+    console.log(returnsValue())
+    console.log(stub())
+
+    console.log(onlySideEffects()); // Not OK!
+
+    var a = Math.random() > 0.5 ? returnsValue() : onlySideEffects(); // OK! A is never used.
+    
+    var b = onlySideEffects();
+    console.log(b);
+
+	var c = 42 + (onlySideEffects(), 42); // OK, value is thrown away. 
+	console.log(c);
+	
+	var d = 42 + (42, onlySideEffects()); // NOT OK! 
+	console.log(d);
+	
+	if (onlySideEffects()) { 
+		// nothing.
+	}
+	
+	for (i = 0; onlySideEffects(); i++) {
+		// nothing. 
+	}
+	
+	var myObj = {
+		onlySideEffects: onlySideEffects
+	}
+	
+	var e = myObj.onlySideEffects.apply(this, arguments); // NOT OK!
+	console.log(e);
+	
+	function onlySideEffects2() {
+        console.log("Boo!")
+    }
+
+	var bothOnlyHaveSideEffects = Math.random() > 0.5 ? onlySideEffects : onlySideEffects2;
+	var f = bothOnlyHaveSideEffects(); // NOT OK!
+	console.log(f);
+	
+	var oneOfEach = Math.random() > 0.5 ? onlySideEffects : returnsValue;
+	var g = oneOfEach(); // OK
+	console.log(g);
+	
+	function alwaysThrows() {
+		if (Math.random() > 0.5) {
+			console.log("Whatever!")
+		} else {
+			console.log("Boo!")
+		}
+		throw new Error("Important error!")
+	} 
+	
+	var h = returnsValue() || alwaysThrows(); // OK!
+	console.log(h);
+})();
