JS: Add backwards-compatible predicates to SocketIO

asgerf · asgerf · commit 6668a7a546a0 · 2020-04-14T15:57:19.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll b/javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll
@@ -82,6 +82,13 @@ module SocketIO {
     }
 
     override DataFlow::SourceNode ref() { result = server(DataFlow::TypeTracker::end()) }
+
+    /**
+     * DEPRECATED. Always returns `this` as a `ServerObject` now represents the origin of a server.
+     *
+     * Instead of `getOrigin()` to get a server origin from a reference, use `ServerObject.ref()` to get references to a given server.
+     */
+    deprecated DataFlow::SourceNode getOrigin() { result = this }
   }
 
   /** A data flow node that may produce (that is, create or return) a socket.io server. */
@@ -270,6 +277,21 @@ module SocketIO {
     }
 
     override string getChannel() { this.getArgument(0).mayHaveStringValue(result) }
+
+    /** Gets a parameter through which data is received from a client. */
+    DataFlow::SourceNode getAReceivedItem() { result = getReceivedItem(_) }
+
+    /** Gets a client-side node that may be sending the data received here. */
+    SendNode getASender() { result.getAReceiver() = this }
+
+    /** Gets the acknowledgment callback, if any. */
+    DataFlow::FunctionNode getAck() {
+      result = getListener().getLastParameter() and
+      exists(result.getAnInvocation())
+    }
+
+    /** DEPRECATED. Use `getChannel()` instead. */
+    deprecated string getEventName() { result = getChannel() }
   }
 
   /** An acknowledgment callback when receiving a message. */
@@ -350,6 +372,16 @@ module SocketIO {
     override SocketIOClient::ReceiveNode getAReceiver() {
       result.getSocket().getATargetNamespace() = getNamespace()
     }
+
+    /** Gets the acknowledgment callback, if any. */
+    DataFlow::FunctionNode getAck() {
+      // acknowledgments are only available when sending through a socket
+      exists(getSocket()) and
+      result = getLastArgument().getALocalSource()
+    }
+
+    /** DEPRECATED. Use `getChannel()` instead. */
+    deprecated string getEventName() { result = getChannel() }
   }
 
   /** A socket.io namespace, identified by its server and its path. */
@@ -538,6 +570,21 @@ module SocketIOClient {
         result != cb.getLastParameter() or not exists(result.getAnInvocation())
       )
     }
+
+    /** Gets a data flow node representing data received from the server. */
+    DataFlow::SourceNode getAReceivedItem() { result = getReceivedItem(_) }
+
+    /** Gets the acknowledgment callback, if any. */
+    DataFlow::FunctionNode getAck() {
+      result = getListener().getLastParameter() and
+      exists(result.getAnInvocation())
+    }
+
+    /** Gets a server-side node that may be sending the data received here. */
+    SocketIO::SendNode getASender() {
+      result.getNamespace() = getSocket().getATargetNamespace() and
+      not result.getChannel() != getChannel()
+    }
   }
 
   /** An acknowledgment callback from a receive node. */
@@ -607,10 +654,23 @@ module SocketIOClient {
       )
     }
 
+    /** Gets a data flow node representing data sent to the client. */
+    DataFlow::Node getASentItem() { result = getSentItem(_) }
+
     /** Gets a server-side node that may be receiving the data sent here. */
     override SocketIO::ReceiveNode getAReceiver() {
       result.getSocket().getNamespace() = getSocket().getATargetNamespace()
     }
+
+    /** Gets the acknowledgment callback, if any. */
+    DataFlow::FunctionNode getAck() {
+      // acknowledgments are only available when sending through a socket
+      exists(getSocket()) and
+      result = getLastArgument().getALocalSource()
+    }
+
+    /** DEPRECATED. Use `getChannel()` instead. */
+    deprecated string getEventName() { result = getChannel() }
   }
 
   /**
