JS: Do alias analysis is CG construction

asgerf · asgerf · commit 04fbb8c73f5c · 2025-09-22T00:05:55.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/CallGraphs.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/CallGraphs.qll
@@ -5,20 +5,86 @@
 private import javascript
 private import semmle.javascript.dataflow.internal.StepSummary
 private import semmle.javascript.dataflow.internal.PreCallGraphStep
+private import semmle.javascript.dataflow.internal.FlowSteps
 private import semmle.javascript.internal.NameResolution
 
 cached
 module CallGraph {
+  pragma[nomagic]
+  private predicate shouldBackTrack(DataFlow::SourceNode node) {
+    exists(DataFlow::Node rhs | rhs = node.getAPropertyWrite().getRhs().getALocalSource() |
+      track(_) = rhs
+    )
+  }
+
+  pragma[nomagic]
+  private DataFlow::SourceNode backtrackStoreTarget() {
+    shouldBackTrack(result)
+    or
+    AccessPath::step(result.getALocalUse(), backtrackStoreTarget())
+    or
+    propertyFlowStep(result.getALocalUse(), backtrackStoreTarget())
+    or
+    storeReadStep(result, backtrackStoreTarget())
+  }
+
+  pragma[nomagic]
+  private predicate shouldTrack(DataFlow::SourceNode node) {
+    node instanceof DataFlow::FunctionNode
+    or
+    node instanceof DataFlow::ClassNode
+    or
+    (
+      node instanceof DataFlow::ObjectLiteralNode or
+      node instanceof DataFlow::InvokeNode or
+      node instanceof DataFlow::ArrayLiteralNode
+    ) and
+    backtrackStoreTarget() = node
+  }
+
+  pragma[nomagic]
+  private predicate deepStore(DataFlow::SourceNode node1, string prop, DataFlow::SourceNode node2) {
+    track(node2).getAPropertyWrite(prop).getRhs().getALocalSource() = node1
+  }
+
+  pragma[nomagic]
+  private predicate deepRead(DataFlow::SourceNode node1, string prop, DataFlow::SourceNode node2) {
+    track(node1).getAPropertyRead(prop) = node2
+  }
+
+  pragma[nomagic]
+  private predicate storeReadStep(DataFlow::SourceNode node1, DataFlow::SourceNode node2) {
+    exists(DataFlow::SourceNode base, string name |
+      deepStore(node1, name, base) and
+      deepRead(base, name, node2)
+    )
+  }
+
+  pragma[nomagic]
+  private DataFlow::SourceNode track(DataFlow::SourceNode source) {
+    shouldTrack(source) and
+    (
+      result = source
+      or
+      AccessPath::step(track(source).getALocalUse(), result)
+      or
+      propertyFlowStep(track(source).getALocalUse(), result)
+      or
+      storeReadStep(track(source), result)
+    )
+  }
+
   /** Gets the function referenced by `node`, as determined by the type inference. */
   cached
   Function getAFunctionValue(AnalyzedNode node) {
-    result = node.getAValue().(AbstractCallable).getFunction()
-    or
-    node = NameResolution::trackFunctionValue(result).toDataFlowNodeOut()
+    exists(DataFlow::FunctionNode func |
+      result = func.getFunction() and
+      track(func).getALocalUse() = node
+    )
     or
-    exists(DataFlow::Node pred |
-      AccessPath::step(pred, node) and
-      result = getAFunctionValue(pred)
+    exists(DataFlow::ClassNode cls |
+      result = cls.getConstructor().getFunction() and
+      track(cls).getALocalUse() = node
     )
   }
 
