How to make the output of a TaintTracking::Configuration::hasFlowPath as the input of another TaintTracking::Configuration:hasFlowPath?

[Leepay]

When I try to use codeQL to taint-track a function of JavaScript, for example:

var targetFunction = function(obj){
    // obj suppose to be {success: <a callback function with a parameter>}
};
var parentFunction = function(t){
    targetFunction({success:t});
};
parentFunction(function(res){
    console.log(res);
});

I want to track the usage of the argument of the function passed as the value of property success of the object-type parameter of the target function. That is, in my example, track the usage of res from target function targetFunction.
I tried to extend two TaintTracking::Configurations. One of them responds for tracing the actual FunctionNode t pointed to, and another one responds for tracking the usage of the argument of res. I have achieved them separately and both have passed my tests.
But when I try to combine these two TaintTracking::Configurations together, like:

class FunctionTracingConfiguration extends TaintTracking::Configuration {
    FunctionTracingConfiguration() { this = "FunctionTracingConfiguration" }

    override predicate isSource(DataFlow::Node source) {
        source instanceof DataFlow::FunctionNode
    }
  
    override predicate isSink(DataFlow::Node sink) {
        // sink is the value of `success` of targetAPI
    }
}


class DataTrackingConfiguration extends TaintTracking::Configuration {
    DataTrackingConfiguration() { this = "DataTrackingConfiguration" }

    override predicate isSource(DataFlow::Node source) {
        exists(FunctionTracingConfiguration func_cfg, DataFlow::Node func_source, DataFlow::Node func_sink |
            func_cfg.hasFlowPath(func_source, func_sink) and
            source = func_source
        )
    }
}

from  DataTrackingConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, ""

When I tried to run the query above, an error occurs in sentence func_cfg.hasFlowPath as:

Non-monotonic recursion: taintTrack::DataTrackingConfiguration::isSource --> Configuration::Configuration::hasFlow --> Configuration::SourcePathNode --> Configuration::MkSourceNode --> Configuration::isSourceNode --> Configuration::onPath --> Configuration::reachableFromSource -!-> TaintTracking::TaintTracking::Configuration::isLabeledBarrier --> Configuration::Configuration::isLabeledBarrier --> Configuration::barrierGuardBlocksNode --> Configuration::barrierGuardBlocksAccessPath --> Configuration::barrierGuardIsRelevant --> Configuration::isRelevantForward --> Configuration::isSource --> taintTrack::DataTrackingConfiguration::isSource

The error message seems to tell me that it's not permitted to invoke hasFlowPath of another configuration in a configuration.
Can anyone please tell me a way to solve this problem or another way to achieve my goal?

[MathiasVP]

Hi @Leepay,

CodeQL implements what's known in the literature as stratified negation, which means that you can't have code that looks like:

predicate p(...) {
  ...
  not p(...)
}

Looking at the non-monotonic recursion error you're getting, we can conclude that internally in the JavaScript, there's a predicate called Configuration::reachableFromSource that does something along the lines of:

predicate reachableFromSource(...) {
  ...
  not isLabeledBarrier(...)
}

and when you're using hasFlowPath in your definition of isSource it looks like this code leads to a similar situation as the predicate p case above.

Other CodeQL-supported languages have solved this by adding copies of the dataflow library so that you can use a TaintTracking::Configuration from copy 1 when defining your TaintTracking::Configuration configuration from copy 2. However, it looks like the JavaScript team has not added such copies.

I know that, historically, the JavaScript team has been able to use flow labels as an alternative to multiple copies of the dataflow library. So it may be the case that you can do something along those lines, although I don't immediately see how it could work in this case.

I will ask the JavaScript team for a more concrete suggestion, but it may take them a few days to get back to you due to the Easter holidays.

[erik-krogh]

As @MathiasVP said, you cannot chain DataFlow/TaintTracking configurations like that in JS, we do some other things instead.

In this case I think you want to use our callgraph instead of your FunctionTracingConfiguration.
The getACallee predicate on DataFlow::CallNode is useful for that.

You can try this predicate, I think it'll be useful for your situation:

DataFlow::CallNode getACall(DataFlow::FunctionNode func) {
  result.getACallee() = func.getFunction()
}

[Leepay]

Thanks! And I also solved this problem by connecting two configurations in the where part