github-learning-lab[bot]
commented
4 years ago :book: Local data flow analysis
Data flow analysis helps us answer questions like: does this expression ever hold a value that originates from a particular other place in the program?
We have already encountered data flow nodes, described by the DataFlow::Node CodeQL class. They are places in the program that have a value. They are returned by useful predicates like jquery() in the library.
These nodes are separate and distinct from the AST (Abstract Syntax Tree, which represents the basic structure of the program) nodes, to allow for flexibility in how data flow is modeled.
We can visualize the data flow analysis problem as one of finding paths through a directed graph, where the nodes of the graph are data flow nodes, and the edges represent the flow of data between those elements. If a path exists, then the data flows between those two nodes.
The CodeQL JavaScript data flow library is very expressive. It has several classes that describe different places in the program that can have a value. We have seen SourceNodes; there are many other forms such as ValueNodes, FunctionNodes, ParameterNodes, and CallNodes. You can find out more in the documentation.
When we are looking for the flow of information to or from these nodes within a single function or scope, this is called local data flow analysis. The CodeQL library has several predicates available on different types of data flow node that reason about local data flow, such as getAPropertyRead() that we used in the previous step.
Step 7: Finding the jQuery plugins
In this step we want to detect the jQuery plugin assigned to our property, so basically the right hand side of the assignment in our previous example:
But there might be some variation in how this code is written. For example, we might see intermediate assignments to local variables:
The use of intermediate variables and nested expressions are typical source code examples that require use of local data flow analysis to detect our pattern.