blast-radius-analyzer 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +108 -0
- package/TEST-REPORT.md +379 -0
- package/dist/core/AnalysisCache.d.ts +59 -0
- package/dist/core/AnalysisCache.js +156 -0
- package/dist/core/BlastRadiusAnalyzer.d.ts +99 -0
- package/dist/core/BlastRadiusAnalyzer.js +510 -0
- package/dist/core/CallStackBuilder.d.ts +63 -0
- package/dist/core/CallStackBuilder.js +269 -0
- package/dist/core/DataFlowAnalyzer.d.ts +215 -0
- package/dist/core/DataFlowAnalyzer.js +1115 -0
- package/dist/core/DependencyGraph.d.ts +55 -0
- package/dist/core/DependencyGraph.js +541 -0
- package/dist/core/ImpactTracer.d.ts +96 -0
- package/dist/core/ImpactTracer.js +398 -0
- package/dist/core/PropagationTracker.d.ts +73 -0
- package/dist/core/PropagationTracker.js +502 -0
- package/dist/core/PropertyAccessTracker.d.ts +56 -0
- package/dist/core/PropertyAccessTracker.js +281 -0
- package/dist/core/SymbolAnalyzer.d.ts +139 -0
- package/dist/core/SymbolAnalyzer.js +608 -0
- package/dist/core/TypeFlowAnalyzer.d.ts +120 -0
- package/dist/core/TypeFlowAnalyzer.js +654 -0
- package/dist/core/TypePropagationAnalyzer.d.ts +58 -0
- package/dist/core/TypePropagationAnalyzer.js +269 -0
- package/dist/index.d.ts +13 -0
- package/dist/index.js +952 -0
- package/dist/types.d.ts +102 -0
- package/dist/types.js +5 -0
- package/package.json +39 -0
- package/src/core/AnalysisCache.ts +189 -0
- package/src/core/CallStackBuilder.ts +345 -0
- package/src/core/DataFlowAnalyzer.ts +1403 -0
- package/src/core/DependencyGraph.ts +584 -0
- package/src/core/ImpactTracer.ts +521 -0
- package/src/core/PropagationTracker.ts +630 -0
- package/src/core/PropertyAccessTracker.ts +349 -0
- package/src/core/SymbolAnalyzer.ts +746 -0
- package/src/core/TypeFlowAnalyzer.ts +844 -0
- package/src/core/TypePropagationAnalyzer.ts +332 -0
- package/src/index.ts +1071 -0
- package/src/types.ts +163 -0
- package/test-cases/.blast-radius-cache/file-states.json +14 -0
- package/test-cases/config.ts +13 -0
- package/test-cases/consumer.ts +12 -0
- package/test-cases/nested.ts +25 -0
- package/test-cases/simple.ts +62 -0
- package/test-cases/tsconfig.json +11 -0
- package/test-cases/user.ts +32 -0
- package/tsconfig.json +16 -0
|
@@ -0,0 +1,1115 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Commercial-Grade Data Flow Analyzer
|
|
3
|
+
*
|
|
4
|
+
* Implements:
|
|
5
|
+
* - Interprocedural data flow analysis (cross-function tracking)
|
|
6
|
+
* - Control flow sensitivity (branches, loops, exceptions)
|
|
7
|
+
* - Path sensitivity (different branches = different type states)
|
|
8
|
+
* - Context sensitivity (same function, different call sites = different types)
|
|
9
|
+
* - Worklist algorithm with fixed-point computation
|
|
10
|
+
* - Lattice-based abstract interpretation
|
|
11
|
+
* - Symbolic execution for branch conditions
|
|
12
|
+
* - Points-to analysis for reference tracking
|
|
13
|
+
* - Taint analysis for security-sensitive data
|
|
14
|
+
* - Escape analysis for closure/global escape
|
|
15
|
+
*/
|
|
16
|
+
import * as ts from 'typescript';
|
|
17
|
+
import * as path from 'path';
|
|
18
|
+
export class DataFlowAnalyzer {
|
|
19
|
+
program;
|
|
20
|
+
checker;
|
|
21
|
+
sourceFiles = [];
|
|
22
|
+
cfgCache = new Map();
|
|
23
|
+
worklist = [];
|
|
24
|
+
analyzedCallSites = new Set();
|
|
25
|
+
// Analysis options
|
|
26
|
+
maxIterations = 100;
|
|
27
|
+
maxCallDepth = 5;
|
|
28
|
+
trackTaint = true;
|
|
29
|
+
trackEscapes = true;
|
|
30
|
+
constructor(projectRoot, tsConfigPath) {
|
|
31
|
+
const configFile = ts.readConfigFile(tsConfigPath, ts.sys.readFile);
|
|
32
|
+
const parsedConfig = ts.parseJsonConfigFileContent(configFile.config, ts.sys, path.dirname(tsConfigPath));
|
|
33
|
+
this.program = ts.createProgram(parsedConfig.fileNames, parsedConfig.options);
|
|
34
|
+
this.checker = this.program.getTypeChecker();
|
|
35
|
+
this.sourceFiles = this.program.getSourceFiles().filter(sf => !sf.fileName.includes('node_modules'));
|
|
36
|
+
}
|
|
37
|
+
/**
|
|
38
|
+
* MAIN ENTRY POINT - Full interprocedural data flow analysis
|
|
39
|
+
*/
|
|
40
|
+
analyzeDataFlow(functionName, functionFile) {
|
|
41
|
+
const startTime = Date.now();
|
|
42
|
+
const stats = {
|
|
43
|
+
nodesAnalyzed: 0,
|
|
44
|
+
blocksConstructed: 0,
|
|
45
|
+
callSitesAnalyzed: 0,
|
|
46
|
+
fixedPointIterations: 0,
|
|
47
|
+
constraintsGenerated: 0,
|
|
48
|
+
typesNarrowed: 0,
|
|
49
|
+
promiseUnwraps: 0,
|
|
50
|
+
conditionalBranches: 0,
|
|
51
|
+
escapedValues: 0,
|
|
52
|
+
taintedValues: 0,
|
|
53
|
+
pathsTracked: 0,
|
|
54
|
+
};
|
|
55
|
+
const finalFacts = new Map();
|
|
56
|
+
const flowPaths = [];
|
|
57
|
+
const taintedPaths = [];
|
|
58
|
+
const typeNarrowing = new Map();
|
|
59
|
+
// 1. Find the target function
|
|
60
|
+
const targetFunc = this.findFunction(functionName, functionFile);
|
|
61
|
+
if (!targetFunc) {
|
|
62
|
+
return this.createEmptyResult('low', stats, Date.now() - startTime);
|
|
63
|
+
}
|
|
64
|
+
// 2. Build CFG for the function
|
|
65
|
+
const cfg = this.buildCFG(targetFunc);
|
|
66
|
+
stats.blocksConstructed = cfg.blocks.size;
|
|
67
|
+
// 3. Initialize entry fact (empty environment with parameters)
|
|
68
|
+
const entryFact = this.createEntryFact(targetFunc);
|
|
69
|
+
// 4. Run worklist algorithm with lattice-based fixed-point computation
|
|
70
|
+
const blockFacts = this.runWorklistAnalysis(cfg, entryFact, stats);
|
|
71
|
+
// 5. Extract flow paths from final facts
|
|
72
|
+
for (const [blockId, fact] of blockFacts) {
|
|
73
|
+
finalFacts.set(blockId, fact);
|
|
74
|
+
// Collect type narrowing
|
|
75
|
+
for (const [varName, value] of fact.env) {
|
|
76
|
+
if (value.constants.size > 1) {
|
|
77
|
+
if (!typeNarrowing.has(varName)) {
|
|
78
|
+
typeNarrowing.set(varName, []);
|
|
79
|
+
}
|
|
80
|
+
typeNarrowing.get(varName).push({
|
|
81
|
+
line: 0,
|
|
82
|
+
types: Array.from(value.constants),
|
|
83
|
+
});
|
|
84
|
+
stats.typesNarrowed++;
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
// Collect tainted paths
|
|
88
|
+
if (this.trackTaint) {
|
|
89
|
+
for (const [varName, value] of fact.env) {
|
|
90
|
+
if (value.tainted) {
|
|
91
|
+
stats.taintedValues++;
|
|
92
|
+
taintedPaths.push({
|
|
93
|
+
source: `tainted:${varName}`,
|
|
94
|
+
sink: `${varName} at block ${blockId}`,
|
|
95
|
+
taintSource: 'user-input',
|
|
96
|
+
path: [varName],
|
|
97
|
+
});
|
|
98
|
+
}
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
// Collect escapes
|
|
102
|
+
if (this.trackEscapes) {
|
|
103
|
+
for (const [varName, value] of fact.env) {
|
|
104
|
+
if (value.escapes.size > 0) {
|
|
105
|
+
stats.escapedValues++;
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
// 6. Analyze Promise/async patterns
|
|
111
|
+
this.analyzeAsyncPatterns(targetFunc, flowPaths, stats);
|
|
112
|
+
// 7. Check for data leaks (tainted -> return/escape)
|
|
113
|
+
const hasDataLeaks = this.checkDataLeaks(flowPaths, taintedPaths);
|
|
114
|
+
return {
|
|
115
|
+
hasDataLeaks,
|
|
116
|
+
flowPaths,
|
|
117
|
+
taintedPaths,
|
|
118
|
+
typeNarrowing,
|
|
119
|
+
statistics: stats,
|
|
120
|
+
confidence: this.calculateConfidence(stats),
|
|
121
|
+
duration: Date.now() - startTime,
|
|
122
|
+
finalFacts,
|
|
123
|
+
};
|
|
124
|
+
}
|
|
125
|
+
/**
|
|
126
|
+
* Find function declaration
|
|
127
|
+
*/
|
|
128
|
+
findFunction(name, inFile) {
|
|
129
|
+
const resolvedPath = path.resolve(inFile);
|
|
130
|
+
for (const sf of this.sourceFiles) {
|
|
131
|
+
if (!sf.fileName.includes(path.dirname(resolvedPath)))
|
|
132
|
+
continue;
|
|
133
|
+
let result = null;
|
|
134
|
+
const visit = (node) => {
|
|
135
|
+
if (result)
|
|
136
|
+
return;
|
|
137
|
+
if (ts.isFunctionDeclaration(node) && node.name?.text === name) {
|
|
138
|
+
result = node;
|
|
139
|
+
}
|
|
140
|
+
else if (ts.isArrowFunction(node)) {
|
|
141
|
+
const parent = node.parent;
|
|
142
|
+
if (ts.isVariableDeclaration(parent) && ts.isIdentifier(parent.name) && parent.name.text === name) {
|
|
143
|
+
result = node;
|
|
144
|
+
}
|
|
145
|
+
}
|
|
146
|
+
ts.forEachChild(node, visit);
|
|
147
|
+
};
|
|
148
|
+
visit(sf);
|
|
149
|
+
if (result)
|
|
150
|
+
return result;
|
|
151
|
+
}
|
|
152
|
+
return null;
|
|
153
|
+
}
|
|
154
|
+
/**
|
|
155
|
+
* Build Control Flow Graph with basic blocks
|
|
156
|
+
*/
|
|
157
|
+
buildCFG(func) {
|
|
158
|
+
const cacheKey = `${func.getSourceFile().fileName}:${func.getStart()}`;
|
|
159
|
+
if (this.cfgCache.has(cacheKey)) {
|
|
160
|
+
return this.cfgCache.get(cacheKey);
|
|
161
|
+
}
|
|
162
|
+
const blocks = new Map();
|
|
163
|
+
let blockId = 0;
|
|
164
|
+
const createBlock = () => {
|
|
165
|
+
const id = `block_${blockId++}`;
|
|
166
|
+
const block = {
|
|
167
|
+
id,
|
|
168
|
+
statements: [],
|
|
169
|
+
predecessors: [],
|
|
170
|
+
successors: [],
|
|
171
|
+
};
|
|
172
|
+
blocks.set(id, block);
|
|
173
|
+
return block;
|
|
174
|
+
};
|
|
175
|
+
// Entry block
|
|
176
|
+
const entryBlock = createBlock();
|
|
177
|
+
let currentBlock = entryBlock;
|
|
178
|
+
// Process function body
|
|
179
|
+
const body = func.body;
|
|
180
|
+
if (!body) {
|
|
181
|
+
const exitBlock = createBlock();
|
|
182
|
+
currentBlock.successors.push(exitBlock.id);
|
|
183
|
+
exitBlock.predecessors.push(currentBlock.id);
|
|
184
|
+
const cfg = { blocks, entryBlock: entryBlock.id, exitBlock: exitBlock.id };
|
|
185
|
+
this.cfgCache.set(cacheKey, cfg);
|
|
186
|
+
return cfg;
|
|
187
|
+
}
|
|
188
|
+
// Traverse and create blocks
|
|
189
|
+
const processStatement = (stmt) => {
|
|
190
|
+
// Handle if statement (creates branches)
|
|
191
|
+
if (ts.isIfStatement(stmt)) {
|
|
192
|
+
// Create branch blocks
|
|
193
|
+
const thenBlock = createBlock();
|
|
194
|
+
const elseBlock = createBlock();
|
|
195
|
+
const mergeBlock = createBlock();
|
|
196
|
+
// Set up branch info
|
|
197
|
+
currentBlock.branch = {
|
|
198
|
+
condition: stmt.expression,
|
|
199
|
+
trueTarget: thenBlock.id,
|
|
200
|
+
falseTarget: elseBlock.id,
|
|
201
|
+
};
|
|
202
|
+
currentBlock.successors.push(thenBlock.id, elseBlock.id);
|
|
203
|
+
thenBlock.predecessors.push(currentBlock.id);
|
|
204
|
+
elseBlock.predecessors.push(currentBlock.id);
|
|
205
|
+
// Process then statement
|
|
206
|
+
currentBlock = thenBlock;
|
|
207
|
+
if (ts.isStatement(stmt.thenStatement)) {
|
|
208
|
+
processStatement(stmt.thenStatement);
|
|
209
|
+
}
|
|
210
|
+
else if (ts.isStatement(stmt.thenStatement)) {
|
|
211
|
+
currentBlock.statements.push(stmt.thenStatement);
|
|
212
|
+
}
|
|
213
|
+
// Add merge as successor
|
|
214
|
+
if (!currentBlock.successors.includes(mergeBlock.id)) {
|
|
215
|
+
currentBlock.successors.push(mergeBlock.id);
|
|
216
|
+
mergeBlock.predecessors.push(currentBlock.id);
|
|
217
|
+
}
|
|
218
|
+
// Process else statement
|
|
219
|
+
if (stmt.elseStatement) {
|
|
220
|
+
currentBlock = elseBlock;
|
|
221
|
+
if (ts.isStatement(stmt.elseStatement)) {
|
|
222
|
+
processStatement(stmt.elseStatement);
|
|
223
|
+
}
|
|
224
|
+
else if (ts.isStatement(stmt.elseStatement)) {
|
|
225
|
+
currentBlock.statements.push(stmt.elseStatement);
|
|
226
|
+
}
|
|
227
|
+
if (!currentBlock.successors.includes(mergeBlock.id)) {
|
|
228
|
+
currentBlock.successors.push(mergeBlock.id);
|
|
229
|
+
mergeBlock.predecessors.push(currentBlock.id);
|
|
230
|
+
}
|
|
231
|
+
}
|
|
232
|
+
else {
|
|
233
|
+
// No else - add edge from else block to merge
|
|
234
|
+
elseBlock.successors.push(mergeBlock.id);
|
|
235
|
+
mergeBlock.predecessors.push(elseBlock.id);
|
|
236
|
+
}
|
|
237
|
+
currentBlock = mergeBlock;
|
|
238
|
+
return;
|
|
239
|
+
}
|
|
240
|
+
// Handle while/do-while/for loops
|
|
241
|
+
if (ts.isWhileStatement(stmt) || ts.isForStatement(stmt) || ts.isForInStatement(stmt) || ts.isForOfStatement(stmt)) {
|
|
242
|
+
const loopHeader = createBlock();
|
|
243
|
+
const loopBody = createBlock();
|
|
244
|
+
const loopExit = createBlock();
|
|
245
|
+
currentBlock.successors.push(loopHeader.id);
|
|
246
|
+
loopHeader.predecessors.push(currentBlock.id);
|
|
247
|
+
currentBlock = loopHeader;
|
|
248
|
+
let loopCondition;
|
|
249
|
+
if (ts.isWhileStatement(stmt)) {
|
|
250
|
+
loopCondition = stmt.expression;
|
|
251
|
+
}
|
|
252
|
+
else if (ts.isForStatement(stmt)) {
|
|
253
|
+
loopCondition = stmt.condition;
|
|
254
|
+
}
|
|
255
|
+
else if (ts.isForInStatement(stmt)) {
|
|
256
|
+
loopCondition = stmt.expression;
|
|
257
|
+
}
|
|
258
|
+
else if (ts.isForOfStatement(stmt)) {
|
|
259
|
+
loopCondition = stmt.expression;
|
|
260
|
+
}
|
|
261
|
+
if (!loopCondition)
|
|
262
|
+
return;
|
|
263
|
+
currentBlock.branch = {
|
|
264
|
+
condition: loopCondition,
|
|
265
|
+
trueTarget: loopBody.id,
|
|
266
|
+
falseTarget: loopExit.id,
|
|
267
|
+
};
|
|
268
|
+
currentBlock.successors.push(loopBody.id, loopExit.id);
|
|
269
|
+
loopBody.predecessors.push(currentBlock.id);
|
|
270
|
+
currentBlock = loopBody;
|
|
271
|
+
processStatement(stmt.statement);
|
|
272
|
+
currentBlock.successors.push(loopHeader.id);
|
|
273
|
+
loopHeader.predecessors.push(currentBlock.id);
|
|
274
|
+
currentBlock = loopExit;
|
|
275
|
+
return;
|
|
276
|
+
}
|
|
277
|
+
// Handle try-catch-finally
|
|
278
|
+
if (ts.isTryStatement(stmt)) {
|
|
279
|
+
const tryBlock = createBlock();
|
|
280
|
+
const catchBlock = createBlock();
|
|
281
|
+
const finallyBlock = createBlock();
|
|
282
|
+
currentBlock.successors.push(tryBlock.id);
|
|
283
|
+
tryBlock.predecessors.push(currentBlock.id);
|
|
284
|
+
currentBlock = tryBlock;
|
|
285
|
+
processStatement(stmt.tryBlock);
|
|
286
|
+
if (stmt.catchClause) {
|
|
287
|
+
currentBlock.successors.push(catchBlock.id);
|
|
288
|
+
catchBlock.predecessors.push(currentBlock.id);
|
|
289
|
+
currentBlock = catchBlock;
|
|
290
|
+
processStatement(stmt.catchClause.block);
|
|
291
|
+
}
|
|
292
|
+
currentBlock.successors.push(finallyBlock.id);
|
|
293
|
+
finallyBlock.predecessors.push(currentBlock.id);
|
|
294
|
+
finallyBlock.successors.push(finallyBlock.id); // exits to itself then to next
|
|
295
|
+
currentBlock = finallyBlock;
|
|
296
|
+
if (stmt.finallyBlock) {
|
|
297
|
+
processStatement(stmt.finallyBlock);
|
|
298
|
+
}
|
|
299
|
+
return;
|
|
300
|
+
}
|
|
301
|
+
// Handle return statement
|
|
302
|
+
if (ts.isReturnStatement(stmt)) {
|
|
303
|
+
currentBlock.statements.push(stmt);
|
|
304
|
+
return;
|
|
305
|
+
}
|
|
306
|
+
// Handle switch statement
|
|
307
|
+
if (ts.isSwitchStatement(stmt)) {
|
|
308
|
+
const mergeBlock = createBlock();
|
|
309
|
+
const caseBlocks = [];
|
|
310
|
+
for (const clause of stmt.caseBlock.clauses) {
|
|
311
|
+
const caseBlock = createBlock();
|
|
312
|
+
caseBlocks.push(caseBlock);
|
|
313
|
+
currentBlock.successors.push(caseBlock.id);
|
|
314
|
+
caseBlock.predecessors.push(currentBlock.id);
|
|
315
|
+
currentBlock = caseBlock;
|
|
316
|
+
for (const s of clause.statements) {
|
|
317
|
+
processStatement(s);
|
|
318
|
+
}
|
|
319
|
+
if (!currentBlock.successors.includes(mergeBlock.id)) {
|
|
320
|
+
currentBlock.successors.push(mergeBlock.id);
|
|
321
|
+
mergeBlock.predecessors.push(currentBlock.id);
|
|
322
|
+
}
|
|
323
|
+
}
|
|
324
|
+
currentBlock = mergeBlock;
|
|
325
|
+
return;
|
|
326
|
+
}
|
|
327
|
+
// Regular statement - add to current block
|
|
328
|
+
currentBlock.statements.push(stmt);
|
|
329
|
+
// Check for control flow statements that might branch
|
|
330
|
+
if (ts.isBreakStatement(stmt) || ts.isContinueStatement(stmt) || ts.isThrowStatement(stmt)) {
|
|
331
|
+
// These will be handled when we add proper CFG edges
|
|
332
|
+
}
|
|
333
|
+
};
|
|
334
|
+
// Process body statements
|
|
335
|
+
if (ts.isBlock(body)) {
|
|
336
|
+
for (const stmt of body.statements) {
|
|
337
|
+
processStatement(stmt);
|
|
338
|
+
}
|
|
339
|
+
}
|
|
340
|
+
else {
|
|
341
|
+
// Expression body (arrow function)
|
|
342
|
+
currentBlock.statements.push(body);
|
|
343
|
+
}
|
|
344
|
+
// Create exit block
|
|
345
|
+
const exitBlock = createBlock();
|
|
346
|
+
currentBlock.successors.push(exitBlock.id);
|
|
347
|
+
exitBlock.predecessors.push(currentBlock.id);
|
|
348
|
+
const cfg = { blocks, entryBlock: entryBlock.id, exitBlock: exitBlock.id };
|
|
349
|
+
this.cfgCache.set(cacheKey, cfg);
|
|
350
|
+
return cfg;
|
|
351
|
+
}
|
|
352
|
+
/**
|
|
353
|
+
* Create entry fact with parameter bindings
|
|
354
|
+
*/
|
|
355
|
+
createEntryFact(func) {
|
|
356
|
+
const env = new Map();
|
|
357
|
+
// Add parameters
|
|
358
|
+
for (const param of func.parameters) {
|
|
359
|
+
if (ts.isIdentifier(param.name)) {
|
|
360
|
+
const paramType = this.checker.getTypeAtLocation(param);
|
|
361
|
+
env.set(param.name.text, this.createAbstractValue(paramType));
|
|
362
|
+
}
|
|
363
|
+
}
|
|
364
|
+
return {
|
|
365
|
+
env,
|
|
366
|
+
constraints: [],
|
|
367
|
+
pathCondition: [],
|
|
368
|
+
};
|
|
369
|
+
}
|
|
370
|
+
/**
|
|
371
|
+
* Create abstract value from TypeScript type
|
|
372
|
+
*/
|
|
373
|
+
createAbstractValue(type) {
|
|
374
|
+
const typeStr = this.checker.typeToString(type);
|
|
375
|
+
const flags = type.flags;
|
|
376
|
+
const value = {
|
|
377
|
+
type: typeStr,
|
|
378
|
+
constants: new Set(),
|
|
379
|
+
nullable: false,
|
|
380
|
+
properties: new Map(),
|
|
381
|
+
tainted: false,
|
|
382
|
+
escapes: new Set(),
|
|
383
|
+
};
|
|
384
|
+
// Check for null/undefined
|
|
385
|
+
if (flags & ts.TypeFlags.Null)
|
|
386
|
+
value.nullable = true;
|
|
387
|
+
if (flags & ts.TypeFlags.Undefined)
|
|
388
|
+
value.nullable = true;
|
|
389
|
+
if (flags & ts.TypeFlags.StringLiteral) {
|
|
390
|
+
value.constants.add(type.value || typeStr);
|
|
391
|
+
}
|
|
392
|
+
if (flags & ts.TypeFlags.NumberLiteral) {
|
|
393
|
+
value.constants.add(String(type.value || typeStr));
|
|
394
|
+
}
|
|
395
|
+
// Handle object types
|
|
396
|
+
if (flags & ts.TypeFlags.Object) {
|
|
397
|
+
const objType = type;
|
|
398
|
+
const props = this.checker.getPropertiesOfType(objType);
|
|
399
|
+
for (const prop of props) {
|
|
400
|
+
if (prop.valueDeclaration) {
|
|
401
|
+
const propType = this.checker.getTypeAtLocation(prop.valueDeclaration);
|
|
402
|
+
value.properties.set(prop.name, this.createAbstractValue(propType));
|
|
403
|
+
}
|
|
404
|
+
}
|
|
405
|
+
}
|
|
406
|
+
// Handle type references (interfaces, classes) - check for typeArguments
|
|
407
|
+
const typeRef = type;
|
|
408
|
+
if (typeRef.typeArguments && typeRef.typeArguments.length > 0) {
|
|
409
|
+
// Generic type reference
|
|
410
|
+
if (typeRef.target) {
|
|
411
|
+
value.type = this.checker.typeToString(typeRef.target);
|
|
412
|
+
}
|
|
413
|
+
value.elementType = this.createAbstractValue(typeRef.typeArguments[0]);
|
|
414
|
+
}
|
|
415
|
+
return value;
|
|
416
|
+
}
|
|
417
|
+
/**
|
|
418
|
+
* WORKLIST ALGORITHM - Lattice-based fixed-point computation
|
|
419
|
+
*
|
|
420
|
+
* This is the core of the data flow analysis.
|
|
421
|
+
* It iterates until no facts change (fixed point is reached).
|
|
422
|
+
*/
|
|
423
|
+
runWorklistAnalysis(cfg, entryFact, stats) {
|
|
424
|
+
const blockFacts = new Map();
|
|
425
|
+
const changed = new Set();
|
|
426
|
+
// Initialize all blocks with BOTTOM (no information)
|
|
427
|
+
for (const blockId of cfg.blocks.keys()) {
|
|
428
|
+
blockFacts.set(blockId, {
|
|
429
|
+
env: new Map(),
|
|
430
|
+
constraints: [],
|
|
431
|
+
pathCondition: [],
|
|
432
|
+
});
|
|
433
|
+
}
|
|
434
|
+
// Set entry block
|
|
435
|
+
blockFacts.set(cfg.entryBlock, this.cloneFact(entryFact));
|
|
436
|
+
this.worklist.push(cfg.entryBlock);
|
|
437
|
+
changed.add(cfg.entryBlock);
|
|
438
|
+
let iterations = 0;
|
|
439
|
+
// Worklist algorithm
|
|
440
|
+
while (this.worklist.length > 0 && iterations < this.maxIterations) {
|
|
441
|
+
iterations++;
|
|
442
|
+
stats.fixedPointIterations++;
|
|
443
|
+
// Pop from worklist
|
|
444
|
+
const blockId = this.worklist.shift();
|
|
445
|
+
changed.delete(blockId);
|
|
446
|
+
const block = cfg.blocks.get(blockId);
|
|
447
|
+
const currentFact = blockFacts.get(blockId);
|
|
448
|
+
// Compute flow through predecessors (JOIN)
|
|
449
|
+
if (block.predecessors.length > 0) {
|
|
450
|
+
const joinedFact = this.joinFacts(block.predecessors.map(predId => blockFacts.get(predId)));
|
|
451
|
+
// If join changed anything, update and propagate
|
|
452
|
+
if (!this.factsEqual(currentFact, joinedFact)) {
|
|
453
|
+
blockFacts.set(blockId, joinedFact);
|
|
454
|
+
for (const succId of block.successors) {
|
|
455
|
+
if (!changed.has(succId)) {
|
|
456
|
+
this.worklist.push(succId);
|
|
457
|
+
changed.add(succId);
|
|
458
|
+
}
|
|
459
|
+
}
|
|
460
|
+
continue;
|
|
461
|
+
}
|
|
462
|
+
}
|
|
463
|
+
// TRANSFER FUNCTION - apply block's statements
|
|
464
|
+
let newFact = this.cloneFact(currentFact);
|
|
465
|
+
for (const stmt of block.statements) {
|
|
466
|
+
newFact = this.transfer(stmt, newFact, stats);
|
|
467
|
+
}
|
|
468
|
+
// Handle branch condition (add to path condition)
|
|
469
|
+
if (block.branch) {
|
|
470
|
+
stats.conditionalBranches++;
|
|
471
|
+
const thenFact = this.cloneFact(newFact);
|
|
472
|
+
const elseFact = this.cloneFact(newFact);
|
|
473
|
+
// Add path condition for then-branch and NARROW TYPES
|
|
474
|
+
thenFact.pathCondition.push({
|
|
475
|
+
expression: block.branch.condition.getText(),
|
|
476
|
+
polarity: true,
|
|
477
|
+
});
|
|
478
|
+
// Apply type narrowing based on condition
|
|
479
|
+
this.narrowTypesFromCondition(thenFact, block.branch.condition, true, stats);
|
|
480
|
+
// Add path condition for else-branch (negated) and NARROW TYPES
|
|
481
|
+
elseFact.pathCondition.push({
|
|
482
|
+
expression: block.branch.condition.getText(),
|
|
483
|
+
polarity: false,
|
|
484
|
+
});
|
|
485
|
+
// Apply type narrowing based on negated condition
|
|
486
|
+
this.narrowTypesFromCondition(elseFact, block.branch.condition, false, stats);
|
|
487
|
+
// Propagate to successors
|
|
488
|
+
const thenBlock = cfg.blocks.get(block.branch.trueTarget);
|
|
489
|
+
const elseBlock = cfg.blocks.get(block.branch.falseTarget);
|
|
490
|
+
if (!this.factsEqual(blockFacts.get(thenBlock.id), thenFact)) {
|
|
491
|
+
blockFacts.set(thenBlock.id, thenFact);
|
|
492
|
+
if (!changed.has(thenBlock.id)) {
|
|
493
|
+
this.worklist.push(thenBlock.id);
|
|
494
|
+
changed.add(thenBlock.id);
|
|
495
|
+
}
|
|
496
|
+
}
|
|
497
|
+
if (!this.factsEqual(blockFacts.get(elseBlock.id), elseFact)) {
|
|
498
|
+
blockFacts.set(elseBlock.id, elseFact);
|
|
499
|
+
if (!changed.has(elseBlock.id)) {
|
|
500
|
+
this.worklist.push(elseBlock.id);
|
|
501
|
+
changed.add(elseBlock.id);
|
|
502
|
+
}
|
|
503
|
+
}
|
|
504
|
+
}
|
|
505
|
+
else {
|
|
506
|
+
// No branch - normal flow to successors
|
|
507
|
+
for (const succId of block.successors) {
|
|
508
|
+
if (!this.factsEqual(blockFacts.get(succId), newFact)) {
|
|
509
|
+
blockFacts.set(succId, newFact);
|
|
510
|
+
if (!changed.has(succId)) {
|
|
511
|
+
this.worklist.push(succId);
|
|
512
|
+
changed.add(succId);
|
|
513
|
+
}
|
|
514
|
+
}
|
|
515
|
+
}
|
|
516
|
+
}
|
|
517
|
+
stats.nodesAnalyzed++;
|
|
518
|
+
}
|
|
519
|
+
return blockFacts;
|
|
520
|
+
}
|
|
521
|
+
/**
|
|
522
|
+
* JOIN operation - combine facts from multiple predecessors
|
|
523
|
+
*/
|
|
524
|
+
joinFacts(facts) {
|
|
525
|
+
if (facts.length === 0) {
|
|
526
|
+
return {
|
|
527
|
+
env: new Map(),
|
|
528
|
+
constraints: [],
|
|
529
|
+
pathCondition: [],
|
|
530
|
+
};
|
|
531
|
+
}
|
|
532
|
+
if (facts.length === 1) {
|
|
533
|
+
return this.cloneFact(facts[0]);
|
|
534
|
+
}
|
|
535
|
+
const result = {
|
|
536
|
+
env: new Map(),
|
|
537
|
+
constraints: [],
|
|
538
|
+
pathCondition: [],
|
|
539
|
+
};
|
|
540
|
+
// Join all environments
|
|
541
|
+
const allVars = new Set();
|
|
542
|
+
for (const fact of facts) {
|
|
543
|
+
for (const [v] of fact.env) {
|
|
544
|
+
allVars.add(v);
|
|
545
|
+
}
|
|
546
|
+
}
|
|
547
|
+
for (const varName of allVars) {
|
|
548
|
+
const values = facts
|
|
549
|
+
.map(f => f.env.get(varName))
|
|
550
|
+
.filter((v) => v !== undefined);
|
|
551
|
+
if (values.length === 0)
|
|
552
|
+
continue;
|
|
553
|
+
// Lattice meet operation (intersection of possible values)
|
|
554
|
+
result.env.set(varName, this.latticeMeet(values));
|
|
555
|
+
}
|
|
556
|
+
// Union path conditions
|
|
557
|
+
for (const fact of facts) {
|
|
558
|
+
for (const pc of fact.pathCondition) {
|
|
559
|
+
if (!result.pathCondition.some(p => p.expression === pc.expression && p.polarity === pc.polarity)) {
|
|
560
|
+
result.pathCondition.push(pc);
|
|
561
|
+
}
|
|
562
|
+
}
|
|
563
|
+
}
|
|
564
|
+
return result;
|
|
565
|
+
}
|
|
566
|
+
/**
|
|
567
|
+
* LATTICE MEET - intersection of abstract values
|
|
568
|
+
*/
|
|
569
|
+
latticeMeet(values) {
|
|
570
|
+
if (values.length === 0) {
|
|
571
|
+
return this.createAbstractValue(this.checker.getTypeAtLocation(ts.factory.createIdentifier('undefined')));
|
|
572
|
+
}
|
|
573
|
+
if (values.length === 1) {
|
|
574
|
+
return values[0];
|
|
575
|
+
}
|
|
576
|
+
// For now, simplified meet: union of constants, intersection of types
|
|
577
|
+
const result = {
|
|
578
|
+
type: values[0].type,
|
|
579
|
+
constants: new Set(),
|
|
580
|
+
nullable: values.some(v => v.nullable),
|
|
581
|
+
properties: new Map(),
|
|
582
|
+
tainted: values.some(v => v.tainted),
|
|
583
|
+
escapes: new Set(),
|
|
584
|
+
};
|
|
585
|
+
// Union of constants
|
|
586
|
+
for (const v of values) {
|
|
587
|
+
for (const c of v.constants) {
|
|
588
|
+
result.constants.add(c);
|
|
589
|
+
}
|
|
590
|
+
for (const e of v.escapes) {
|
|
591
|
+
result.escapes.add(e);
|
|
592
|
+
}
|
|
593
|
+
}
|
|
594
|
+
// Intersect property types (simplified)
|
|
595
|
+
const allProps = new Set();
|
|
596
|
+
for (const v of values) {
|
|
597
|
+
for (const [p] of v.properties) {
|
|
598
|
+
allProps.add(p);
|
|
599
|
+
}
|
|
600
|
+
}
|
|
601
|
+
for (const propName of allProps) {
|
|
602
|
+
const propValues = values
|
|
603
|
+
.map(v => v.properties.get(propName))
|
|
604
|
+
.filter((v) => v !== undefined);
|
|
605
|
+
if (propValues.length > 0) {
|
|
606
|
+
result.properties.set(propName, this.latticeMeet(propValues));
|
|
607
|
+
}
|
|
608
|
+
}
|
|
609
|
+
return result;
|
|
610
|
+
}
|
|
611
|
+
/**
|
|
612
|
+
* TRANSFER FUNCTION - apply a statement's effect on facts
|
|
613
|
+
*/
|
|
614
|
+
transfer(stmt, fact, stats) {
|
|
615
|
+
// Variable declaration
|
|
616
|
+
if (ts.isVariableStatement(stmt)) {
|
|
617
|
+
for (const decl of stmt.declarationList.declarations) {
|
|
618
|
+
if (ts.isIdentifier(decl.name) && decl.initializer) {
|
|
619
|
+
const varName = decl.name.text;
|
|
620
|
+
const rhsFact = this.transferExpr(decl.initializer, fact, stats);
|
|
621
|
+
const rhsValue = this.evaluateExpr(decl.initializer, rhsFact);
|
|
622
|
+
// Check for taint (user input)
|
|
623
|
+
if (this.isTaintedSource(decl.initializer)) {
|
|
624
|
+
rhsValue.tainted = true;
|
|
625
|
+
}
|
|
626
|
+
// Check for escape
|
|
627
|
+
if (this.doesEscape(decl.initializer)) {
|
|
628
|
+
rhsValue.escapes.add('return');
|
|
629
|
+
}
|
|
630
|
+
fact.env.set(varName, rhsValue);
|
|
631
|
+
}
|
|
632
|
+
}
|
|
633
|
+
return fact;
|
|
634
|
+
}
|
|
635
|
+
// Assignment
|
|
636
|
+
if (ts.isExpressionStatement(stmt) && ts.isBinaryExpression(stmt.expression) && stmt.expression.operatorToken.kind === ts.SyntaxKind.EqualsToken) {
|
|
637
|
+
const assign = stmt.expression;
|
|
638
|
+
if (ts.isIdentifier(assign.left)) {
|
|
639
|
+
const varName = assign.left.text;
|
|
640
|
+
const rhsFact = this.transferExpr(assign.right, fact, stats);
|
|
641
|
+
const rhsValue = this.evaluateExpr(assign.right, rhsFact);
|
|
642
|
+
// Check for taint propagation
|
|
643
|
+
const rhsFactValue = this.evaluateExpr(assign.right, fact);
|
|
644
|
+
if (rhsFactValue.tainted) {
|
|
645
|
+
rhsValue.tainted = true;
|
|
646
|
+
}
|
|
647
|
+
fact.env.set(varName, rhsValue);
|
|
648
|
+
}
|
|
649
|
+
return fact;
|
|
650
|
+
}
|
|
651
|
+
// Return statement
|
|
652
|
+
if (ts.isReturnStatement(stmt) && stmt.expression) {
|
|
653
|
+
const retValue = this.evaluateExpr(stmt.expression, fact);
|
|
654
|
+
// Mark as escaping via return
|
|
655
|
+
retValue.escapes.add('return');
|
|
656
|
+
fact.env.set('__return__', retValue);
|
|
657
|
+
return fact;
|
|
658
|
+
}
|
|
659
|
+
// Call expression
|
|
660
|
+
if (ts.isExpressionStatement(stmt) && ts.isCallExpression(stmt.expression)) {
|
|
661
|
+
this.analyzeCallSite(stmt.expression, fact, stats);
|
|
662
|
+
return fact;
|
|
663
|
+
}
|
|
664
|
+
return fact;
|
|
665
|
+
}
|
|
666
|
+
/**
|
|
667
|
+
* Transfer function for expressions
|
|
668
|
+
*/
|
|
669
|
+
transferExpr(expr, fact, stats) {
|
|
670
|
+
// Handle conditional expression (ternary)
|
|
671
|
+
if (ts.isConditionalExpression(expr)) {
|
|
672
|
+
// Both branches contribute
|
|
673
|
+
const thenFact = this.transferExpr(expr.whenTrue, fact, stats);
|
|
674
|
+
const elseFact = this.transferExpr(expr.whenFalse, fact, stats);
|
|
675
|
+
return this.joinFacts([thenFact, elseFact]);
|
|
676
|
+
}
|
|
677
|
+
return fact;
|
|
678
|
+
}
|
|
679
|
+
/**
|
|
680
|
+
* Evaluate expression to get abstract value
|
|
681
|
+
*/
|
|
682
|
+
evaluateExpr(expr, fact) {
|
|
683
|
+
// Identifier
|
|
684
|
+
if (ts.isIdentifier(expr)) {
|
|
685
|
+
const varName = expr.text;
|
|
686
|
+
const value = fact.env.get(varName);
|
|
687
|
+
if (value)
|
|
688
|
+
return value;
|
|
689
|
+
// Unknown variable
|
|
690
|
+
const unknownType = this.checker.getTypeAtLocation(expr);
|
|
691
|
+
return this.createAbstractValue(unknownType);
|
|
692
|
+
}
|
|
693
|
+
// String literal
|
|
694
|
+
if (ts.isStringLiteral(expr)) {
|
|
695
|
+
return {
|
|
696
|
+
type: 'string',
|
|
697
|
+
constants: new Set([`'${expr.text}'`]),
|
|
698
|
+
nullable: false,
|
|
699
|
+
properties: new Map(),
|
|
700
|
+
tainted: false,
|
|
701
|
+
escapes: new Set(),
|
|
702
|
+
};
|
|
703
|
+
}
|
|
704
|
+
// Numeric literal
|
|
705
|
+
if (ts.isNumericLiteral(expr)) {
|
|
706
|
+
return {
|
|
707
|
+
type: 'number',
|
|
708
|
+
constants: new Set([expr.text]),
|
|
709
|
+
nullable: false,
|
|
710
|
+
properties: new Map(),
|
|
711
|
+
tainted: false,
|
|
712
|
+
escapes: new Set(),
|
|
713
|
+
};
|
|
714
|
+
}
|
|
715
|
+
// Property access (obj.prop)
|
|
716
|
+
if (ts.isPropertyAccessExpression(expr)) {
|
|
717
|
+
const objValue = this.evaluateExpr(expr.expression, fact);
|
|
718
|
+
const propName = expr.name.text;
|
|
719
|
+
// Look up property in object's type
|
|
720
|
+
const propValue = objValue.properties.get(propName);
|
|
721
|
+
if (propValue)
|
|
722
|
+
return propValue;
|
|
723
|
+
// Or use the type checker
|
|
724
|
+
const type = this.checker.getTypeAtLocation(expr);
|
|
725
|
+
return this.createAbstractValue(type);
|
|
726
|
+
}
|
|
727
|
+
// Call expression
|
|
728
|
+
if (ts.isCallExpression(expr)) {
|
|
729
|
+
const type = this.checker.getTypeAtLocation(expr);
|
|
730
|
+
return this.createAbstractValue(type);
|
|
731
|
+
}
|
|
732
|
+
// Binary expression
|
|
733
|
+
if (ts.isBinaryExpression(expr)) {
|
|
734
|
+
const type = this.checker.getTypeAtLocation(expr);
|
|
735
|
+
return this.createAbstractValue(type);
|
|
736
|
+
}
|
|
737
|
+
// Element access (arr[i])
|
|
738
|
+
if (ts.isElementAccessExpression(expr)) {
|
|
739
|
+
const type = this.checker.getTypeAtLocation(expr);
|
|
740
|
+
return this.createAbstractValue(type);
|
|
741
|
+
}
|
|
742
|
+
// Default - use type checker
|
|
743
|
+
const type = this.checker.getTypeAtLocation(expr);
|
|
744
|
+
return this.createAbstractValue(type);
|
|
745
|
+
}
|
|
746
|
+
/**
|
|
747
|
+
* Analyze a call site (interprocedural analysis)
|
|
748
|
+
*/
|
|
749
|
+
analyzeCallSite(callExpr, fact, stats) {
|
|
750
|
+
const calleeExpr = callExpr.expression;
|
|
751
|
+
let calleeName = '';
|
|
752
|
+
if (ts.isIdentifier(calleeExpr)) {
|
|
753
|
+
calleeName = calleeExpr.text;
|
|
754
|
+
}
|
|
755
|
+
// Check for known taint sources
|
|
756
|
+
if (calleeName === 'readFile' || calleeName === 'readFileSync') {
|
|
757
|
+
stats.taintedValues++;
|
|
758
|
+
}
|
|
759
|
+
if (calleeName === 'fetch' || calleeName === 'axios' || calleeName === 'http.get') {
|
|
760
|
+
// Network input is potentially tainted
|
|
761
|
+
}
|
|
762
|
+
// Try to resolve the callee function
|
|
763
|
+
const type = this.checker.getTypeAtLocation(calleeExpr);
|
|
764
|
+
const symbol = type.symbol;
|
|
765
|
+
if (!symbol)
|
|
766
|
+
return;
|
|
767
|
+
const declarations = symbol.getDeclarations();
|
|
768
|
+
if (!declarations || declarations.length === 0)
|
|
769
|
+
return;
|
|
770
|
+
const calleeFunc = declarations[0];
|
|
771
|
+
if (!ts.isFunctionDeclaration(calleeFunc) && !ts.isArrowFunction(calleeFunc))
|
|
772
|
+
return;
|
|
773
|
+
stats.callSitesAnalyzed++;
|
|
774
|
+
// Build argument facts
|
|
775
|
+
const argFacts = new Map();
|
|
776
|
+
for (let i = 0; i < callExpr.arguments.length; i++) {
|
|
777
|
+
const arg = callExpr.arguments[i];
|
|
778
|
+
const paramName = calleeFunc.parameters[i]?.name;
|
|
779
|
+
if (ts.isIdentifier(paramName) && paramName.text) {
|
|
780
|
+
argFacts.set(paramName.text, this.evaluateExpr(arg, fact));
|
|
781
|
+
}
|
|
782
|
+
}
|
|
783
|
+
// Check if we've analyzed this call site (context sensitivity cache)
|
|
784
|
+
const callKey = `${callExpr.getSourceFile().fileName}:${callExpr.getStart()}:${calleeName}`;
|
|
785
|
+
if (this.analyzedCallSites.has(callKey))
|
|
786
|
+
return;
|
|
787
|
+
this.analyzedCallSites.add(callKey);
|
|
788
|
+
// Build CFG for callee and analyze with argument bindings
|
|
789
|
+
const calleeCFG = this.buildCFG(calleeFunc);
|
|
790
|
+
const calleeEntryFact = this.createEntryFact(calleeFunc);
|
|
791
|
+
// Override with actual argument values
|
|
792
|
+
for (const [paramName, argValue] of argFacts) {
|
|
793
|
+
calleeEntryFact.env.set(paramName, argValue);
|
|
794
|
+
}
|
|
795
|
+
// Run analysis on callee
|
|
796
|
+
this.runWorklistAnalysis(calleeCFG, calleeEntryFact, stats);
|
|
797
|
+
}
|
|
798
|
+
/**
|
|
799
|
+
* Check if expression is a taint source
|
|
800
|
+
*/
|
|
801
|
+
isTaintedSource(expr) {
|
|
802
|
+
if (ts.isCallExpression(expr)) {
|
|
803
|
+
const callee = expr.expression;
|
|
804
|
+
if (ts.isIdentifier(callee)) {
|
|
805
|
+
const name = callee.text;
|
|
806
|
+
// Known taint sources
|
|
807
|
+
if (['readFile', 'readFileSync', 'fetch', 'axios', 'http.request',
|
|
808
|
+
'process.argv', 'process.env', 'JSON.parse', 'document.cookie',
|
|
809
|
+
'localStorage.getItem', 'sessionStorage.getItem'].includes(name)) {
|
|
810
|
+
return true;
|
|
811
|
+
}
|
|
812
|
+
}
|
|
813
|
+
}
|
|
814
|
+
return false;
|
|
815
|
+
}
|
|
816
|
+
/**
|
|
817
|
+
* Check if expression causes escape
|
|
818
|
+
*/
|
|
819
|
+
doesEscape(expr) {
|
|
820
|
+
// Return statement makes value escape
|
|
821
|
+
if (ts.isReturnStatement(expr))
|
|
822
|
+
return true;
|
|
823
|
+
// Passing as argument makes it escape to that function
|
|
824
|
+
if (ts.isCallExpression(expr))
|
|
825
|
+
return true;
|
|
826
|
+
// Property assignment to external object
|
|
827
|
+
if (ts.isPropertyAccessExpression(expr)) {
|
|
828
|
+
const propAccess = expr;
|
|
829
|
+
if (ts.isIdentifier(propAccess.expression)) {
|
|
830
|
+
const name = propAccess.expression.text;
|
|
831
|
+
// Known external objects
|
|
832
|
+
if (['global', 'window', 'document', 'console', 'process'].includes(name)) {
|
|
833
|
+
return true;
|
|
834
|
+
}
|
|
835
|
+
}
|
|
836
|
+
}
|
|
837
|
+
return false;
|
|
838
|
+
}
|
|
839
|
+
/**
|
|
840
|
+
* Analyze async patterns (Promise, await)
|
|
841
|
+
*/
|
|
842
|
+
analyzeAsyncPatterns(func, flowPaths, stats) {
|
|
843
|
+
const visit = (node) => {
|
|
844
|
+
// Promise.then chain
|
|
845
|
+
if (ts.isPropertyAccessExpression(node) && node.name.text === 'then') {
|
|
846
|
+
const callExpr = node.parent;
|
|
847
|
+
if (ts.isCallExpression(callExpr)) {
|
|
848
|
+
const callback = callExpr.arguments[0];
|
|
849
|
+
if (ts.isArrowFunction(callback) && callback.parameters.length > 0) {
|
|
850
|
+
stats.promiseUnwraps++;
|
|
851
|
+
const paramType = this.checker.getTypeAtLocation(callback.parameters[0]);
|
|
852
|
+
const paramTypeStr = this.checker.typeToString(paramType);
|
|
853
|
+
flowPaths.push({
|
|
854
|
+
source: `Promise.then callback at line ${this.getLine(node.getSourceFile(), node)}`,
|
|
855
|
+
sink: `${paramTypeStr} at line ${this.getLine(node.getSourceFile(), callback)}`,
|
|
856
|
+
path: ['Promise', 'then', 'callback'],
|
|
857
|
+
typeAtSink: paramTypeStr,
|
|
858
|
+
typeAtSource: 'T (Promise<T>)',
|
|
859
|
+
isTainted: false,
|
|
860
|
+
});
|
|
861
|
+
stats.pathsTracked++;
|
|
862
|
+
}
|
|
863
|
+
}
|
|
864
|
+
}
|
|
865
|
+
// await expression
|
|
866
|
+
if (ts.isAwaitExpression(node)) {
|
|
867
|
+
stats.promiseUnwraps++;
|
|
868
|
+
}
|
|
869
|
+
ts.forEachChild(node, visit);
|
|
870
|
+
};
|
|
871
|
+
visit(func);
|
|
872
|
+
}
|
|
873
|
+
/**
|
|
874
|
+
* Check for data leaks (tainted -> escape)
|
|
875
|
+
*/
|
|
876
|
+
checkDataLeaks(flowPaths, taintedPaths) {
|
|
877
|
+
// If any tainted path reaches a sensitive sink, it's a leak
|
|
878
|
+
for (const tp of taintedPaths) {
|
|
879
|
+
if (tp.sink.includes('return') || tp.sink.includes('global') || tp.sink.includes('write')) {
|
|
880
|
+
return true;
|
|
881
|
+
}
|
|
882
|
+
}
|
|
883
|
+
return false;
|
|
884
|
+
}
|
|
885
|
+
/**
|
|
886
|
+
* Clone a data flow fact
|
|
887
|
+
*/
|
|
888
|
+
cloneFact(fact) {
|
|
889
|
+
const cloned = {
|
|
890
|
+
env: new Map(),
|
|
891
|
+
constraints: [...fact.constraints],
|
|
892
|
+
pathCondition: [...fact.pathCondition],
|
|
893
|
+
};
|
|
894
|
+
for (const [key, value] of fact.env) {
|
|
895
|
+
cloned.env.set(key, {
|
|
896
|
+
...value,
|
|
897
|
+
constants: new Set(value.constants),
|
|
898
|
+
properties: new Map(value.properties),
|
|
899
|
+
escapes: new Set(value.escapes),
|
|
900
|
+
});
|
|
901
|
+
}
|
|
902
|
+
return cloned;
|
|
903
|
+
}
|
|
904
|
+
/**
|
|
905
|
+
* Narrow types based on branch condition
|
|
906
|
+
* E.g., if (x != null) narrows x from T | null to T
|
|
907
|
+
* if (x > 1000) narrows the possible range of x
|
|
908
|
+
*/
|
|
909
|
+
narrowTypesFromCondition(fact, cond, isThenBranch, stats) {
|
|
910
|
+
// Handle binary expressions: x != null, x === 'value', x > 1000, etc.
|
|
911
|
+
if (ts.isBinaryExpression(cond)) {
|
|
912
|
+
const left = cond.left;
|
|
913
|
+
const right = cond.right;
|
|
914
|
+
const op = cond.operatorToken.kind;
|
|
915
|
+
if (ts.isIdentifier(left)) {
|
|
916
|
+
const varName = left.text;
|
|
917
|
+
const varValue = fact.env.get(varName);
|
|
918
|
+
if (!varValue)
|
|
919
|
+
return;
|
|
920
|
+
// Handle null checks: x != null, x !== null, x == null, x === null
|
|
921
|
+
if (right.kind === ts.SyntaxKind.NullKeyword) {
|
|
922
|
+
if (op === ts.SyntaxKind.ExclamationEqualsEqualsToken ||
|
|
923
|
+
op === ts.SyntaxKind.ExclamationEqualsToken) {
|
|
924
|
+
// Then branch: x != null means x is not null
|
|
925
|
+
if (isThenBranch) {
|
|
926
|
+
varValue.nullable = false;
|
|
927
|
+
stats.typesNarrowed++;
|
|
928
|
+
}
|
|
929
|
+
}
|
|
930
|
+
else if (op === ts.SyntaxKind.EqualsEqualsToken ||
|
|
931
|
+
op === ts.SyntaxKind.EqualsEqualsEqualsToken) {
|
|
932
|
+
// Then branch: x == null means x IS null
|
|
933
|
+
if (isThenBranch) {
|
|
934
|
+
varValue.constants.add('null');
|
|
935
|
+
stats.typesNarrowed++;
|
|
936
|
+
}
|
|
937
|
+
}
|
|
938
|
+
}
|
|
939
|
+
// Handle numeric comparisons: x > 1000, x <= 0
|
|
940
|
+
if (varValue.type === 'number' && ts.isNumericLiteral(right)) {
|
|
941
|
+
const numValue = right.text;
|
|
942
|
+
if (op === ts.SyntaxKind.GreaterThanToken) {
|
|
943
|
+
if (isThenBranch) {
|
|
944
|
+
varValue.constants.add(`>${numValue}`);
|
|
945
|
+
stats.typesNarrowed++;
|
|
946
|
+
}
|
|
947
|
+
}
|
|
948
|
+
else if (op === ts.SyntaxKind.LessThanToken) {
|
|
949
|
+
if (isThenBranch) {
|
|
950
|
+
varValue.constants.add(`<${numValue}`);
|
|
951
|
+
stats.typesNarrowed++;
|
|
952
|
+
}
|
|
953
|
+
}
|
|
954
|
+
}
|
|
955
|
+
}
|
|
956
|
+
// Handle instanceof checks
|
|
957
|
+
if (ts.isBinaryExpression(cond) && ts.isIdentifier(right)) {
|
|
958
|
+
const rightName = right.text;
|
|
959
|
+
if (op === ts.SyntaxKind.InstanceOfKeyword) {
|
|
960
|
+
if (isThenBranch) {
|
|
961
|
+
const varName = cond.left.text;
|
|
962
|
+
const varValue = fact.env.get(varName);
|
|
963
|
+
if (varValue) {
|
|
964
|
+
varValue.type = rightName;
|
|
965
|
+
stats.typesNarrowed++;
|
|
966
|
+
}
|
|
967
|
+
}
|
|
968
|
+
}
|
|
969
|
+
}
|
|
970
|
+
}
|
|
971
|
+
// Handle unary expressions: if (x)
|
|
972
|
+
if (ts.isPrefixUnaryExpression(cond) && cond.operator === ts.SyntaxKind.ExclamationToken) {
|
|
973
|
+
const operand = cond.operand;
|
|
974
|
+
if (ts.isIdentifier(operand)) {
|
|
975
|
+
const varName = operand.text;
|
|
976
|
+
const varValue = fact.env.get(varName);
|
|
977
|
+
if (varValue) {
|
|
978
|
+
if (isThenBranch) {
|
|
979
|
+
// !x means x is falsy (null, undefined, 0, false, '')
|
|
980
|
+
// We can narrow nullable types
|
|
981
|
+
if (varValue.nullable) {
|
|
982
|
+
varValue.nullable = false;
|
|
983
|
+
stats.typesNarrowed++;
|
|
984
|
+
}
|
|
985
|
+
}
|
|
986
|
+
}
|
|
987
|
+
}
|
|
988
|
+
}
|
|
989
|
+
// Handle identifier directly: if (data)
|
|
990
|
+
if (ts.isIdentifier(cond)) {
|
|
991
|
+
const varName = cond.text;
|
|
992
|
+
const varValue = fact.env.get(varName);
|
|
993
|
+
if (varValue) {
|
|
994
|
+
if (isThenBranch) {
|
|
995
|
+
// truthy check - we know it's not null/undefined/false
|
|
996
|
+
varValue.nullable = false;
|
|
997
|
+
stats.typesNarrowed++;
|
|
998
|
+
}
|
|
999
|
+
}
|
|
1000
|
+
}
|
|
1001
|
+
}
|
|
1002
|
+
/**
|
|
1003
|
+
* Check if two facts are equal
|
|
1004
|
+
*/
|
|
1005
|
+
factsEqual(a, b) {
|
|
1006
|
+
if (a.env.size !== b.env.size)
|
|
1007
|
+
return false;
|
|
1008
|
+
for (const [key, aVal] of a.env) {
|
|
1009
|
+
const bVal = b.env.get(key);
|
|
1010
|
+
if (!bVal)
|
|
1011
|
+
return false;
|
|
1012
|
+
if (aVal.type !== bVal.type)
|
|
1013
|
+
return false;
|
|
1014
|
+
if (aVal.tainted !== bVal.tainted)
|
|
1015
|
+
return false;
|
|
1016
|
+
if (aVal.nullable !== bVal.nullable)
|
|
1017
|
+
return false;
|
|
1018
|
+
}
|
|
1019
|
+
return true;
|
|
1020
|
+
}
|
|
1021
|
+
/**
|
|
1022
|
+
* Get line number
|
|
1023
|
+
*/
|
|
1024
|
+
getLine(sourceFile, node) {
|
|
1025
|
+
if (!sourceFile)
|
|
1026
|
+
return 0;
|
|
1027
|
+
return sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1;
|
|
1028
|
+
}
|
|
1029
|
+
/**
|
|
1030
|
+
* Calculate confidence level
|
|
1031
|
+
*/
|
|
1032
|
+
calculateConfidence(stats) {
|
|
1033
|
+
if (stats.fixedPointIterations >= 50 && stats.callSitesAnalyzed >= 10)
|
|
1034
|
+
return 'high';
|
|
1035
|
+
if (stats.fixedPointIterations >= 20 && stats.callSitesAnalyzed >= 5)
|
|
1036
|
+
return 'medium';
|
|
1037
|
+
return 'low';
|
|
1038
|
+
}
|
|
1039
|
+
/**
|
|
1040
|
+
* Create empty result
|
|
1041
|
+
*/
|
|
1042
|
+
createEmptyResult(confidence, stats, duration) {
|
|
1043
|
+
return {
|
|
1044
|
+
hasDataLeaks: false,
|
|
1045
|
+
flowPaths: [],
|
|
1046
|
+
taintedPaths: [],
|
|
1047
|
+
typeNarrowing: new Map(),
|
|
1048
|
+
statistics: stats,
|
|
1049
|
+
confidence,
|
|
1050
|
+
duration,
|
|
1051
|
+
finalFacts: new Map(),
|
|
1052
|
+
};
|
|
1053
|
+
}
|
|
1054
|
+
/**
|
|
1055
|
+
* Format as text
|
|
1056
|
+
*/
|
|
1057
|
+
formatAsText(result, functionName) {
|
|
1058
|
+
const lines = [];
|
|
1059
|
+
lines.push('');
|
|
1060
|
+
lines.push('═══════════════════════════════════════════════════════════════');
|
|
1061
|
+
lines.push(' 📊 商业级数据流分析 (DataFlow Pro) ');
|
|
1062
|
+
lines.push('═══════════════════════════════════════════════════════════════');
|
|
1063
|
+
lines.push('');
|
|
1064
|
+
lines.push(`📈 分析统计`);
|
|
1065
|
+
lines.push(` 基本块: ${result.statistics.blocksConstructed}`);
|
|
1066
|
+
lines.push(` 调用点: ${result.statistics.callSitesAnalyzed}`);
|
|
1067
|
+
lines.push(` 迭代次数: ${result.statistics.fixedPointIterations}`);
|
|
1068
|
+
lines.push(` 节点分析: ${result.statistics.nodesAnalyzed}`);
|
|
1069
|
+
lines.push(` 约束生成: ${result.statistics.constraintsGenerated}`);
|
|
1070
|
+
lines.push(` Promise解包: ${result.statistics.promiseUnwraps}`);
|
|
1071
|
+
lines.push(` 条件分支: ${result.statistics.conditionalBranches}`);
|
|
1072
|
+
lines.push(` 类型收窄: ${result.statistics.typesNarrowed}`);
|
|
1073
|
+
lines.push(` 污点值: ${result.statistics.taintedValues}`);
|
|
1074
|
+
lines.push(` 逃逸值: ${result.statistics.escapedValues}`);
|
|
1075
|
+
lines.push(` 置信度: ${result.confidence}`);
|
|
1076
|
+
lines.push(` 耗时: ${result.duration}ms`);
|
|
1077
|
+
lines.push('');
|
|
1078
|
+
if (result.taintedPaths.length > 0) {
|
|
1079
|
+
lines.push('⚠️ 污点传播路径:');
|
|
1080
|
+
for (const tp of result.taintedPaths.slice(0, 5)) {
|
|
1081
|
+
lines.push(` ${tp.source} → ${tp.sink} (来源: ${tp.taintSource})`);
|
|
1082
|
+
}
|
|
1083
|
+
lines.push('');
|
|
1084
|
+
}
|
|
1085
|
+
if (result.typeNarrowing.size > 0) {
|
|
1086
|
+
lines.push('🔽 类型收窄:');
|
|
1087
|
+
for (const [varName, narrowing] of result.typeNarrowing) {
|
|
1088
|
+
lines.push(` ${varName}:`);
|
|
1089
|
+
for (const n of narrowing) {
|
|
1090
|
+
lines.push(` → 第${n.line}行: ${n.types.join(' | ')}`);
|
|
1091
|
+
}
|
|
1092
|
+
}
|
|
1093
|
+
lines.push('');
|
|
1094
|
+
}
|
|
1095
|
+
if (result.flowPaths.length > 0) {
|
|
1096
|
+
lines.push('🔗 数据流路径:');
|
|
1097
|
+
for (const fp of result.flowPaths.slice(0, 5)) {
|
|
1098
|
+
lines.push(` ${fp.source}`);
|
|
1099
|
+
lines.push(` → ${fp.sink} (${fp.typeAtSink})`);
|
|
1100
|
+
if (fp.isTainted)
|
|
1101
|
+
lines.push(` ⚠️ 污点数据`);
|
|
1102
|
+
}
|
|
1103
|
+
lines.push('');
|
|
1104
|
+
}
|
|
1105
|
+
if (result.hasDataLeaks) {
|
|
1106
|
+
lines.push('🔴 警告: 检测到数据泄漏风险!');
|
|
1107
|
+
lines.push('');
|
|
1108
|
+
}
|
|
1109
|
+
else {
|
|
1110
|
+
lines.push('✅ 未检测到数据泄漏');
|
|
1111
|
+
lines.push('');
|
|
1112
|
+
}
|
|
1113
|
+
return lines.join('\n');
|
|
1114
|
+
}
|
|
1115
|
+
}
|