[ AngularJS ] CodeQL for JS -- All classes seem to be based on angular.module calls but references to the returned instance are ignored

[testgita]

All classes seem to be based on angular.module calls but ignores references to the returned instance stored in a variable.

Example of perfectly valid code:

var t;

(t = angular.module('myModule', []))
    .controller('MyController', ['$scope', 'depA', 'depB', function($scope, depA) {
        var yolo = 7+2
}]);
var example, example2 = (
    (t.controller('MyController2', ['$scope', 'depA', 'depB', function($scope, depA) {var test = 1+3;}])),
    (t.controller('MyController3', ['$scope', 'depA', 'depB', function($scope, depA) {var test = 1+3;}])),
     1+5);

Example queries:

• I want all the controller definitions' factory functions (last argument of angular.controller or angular.factory AngularJS calls for example -- could be either an array with a function as the last element or just a plain function):

import javascript

from AngularJS::ControllerDefinition controllerDef
select controllerDef.getAFactoryFunction()

I should be getting all the definitions but everything seems to be based on angular.* "direct" references instead of general classes that i could then rebase on whatever I need to.

Am I missing something?

The way I am trying to solve this(except trying to read all the AngularJS CodeQL library 🤯 ), is manually matching expressions and then attempting to "lift"(dunno if its the correct context) into whatever AngularJS construct I want to, for example DependencyInjection or AngularJS::InjectableFunction

import javascript
from DataFlow::CallNode callnode
,DataFlow::Node possibleInjArr

where
DataFlow::globalVarRef("FishBowlAdminApp").getAMethodCall() = callnode
and callnode.getLastArgument() = possibleInjArr
// and possibleInjArr instanceof AngularJS::InjectableFunction

select

possibleInjArr//.(AngularJS::DependencyInjection).getAnInjectableFunction()
,possibleInjArr//.(AngularJS::InjectableFunction)//.getDependencyParameter()

Then I started copying code out of the relevant parts of the AngularJS CodeQL libraries for figuring how to use those classes from the references I want to. Which hurt my brain. Which made me think I must be doing something wrong 🤷

I'm thinking I have to either extend the classes to match the structures defined in the code with the module reference I want to, which I cant really wrap my head around, ANY hints would be lovely ( 💋 )

OR

I am missing something terrible, so please relieve me from my misery

OR

That's a bug in the logic of the library

KINDLY HELP

[testgita]

Dont know how to put labels :/

[jketema]

Hi @testgita,

Thanks for your question. I've asked our CodeQL JS experts to take a look.

[wplusiw]

@adityasharad any chance you can help with this?

[testgita]

So after looking this a bit more, and from my potentially inadequate perspective, it looks like most of the classes I have looked at, for example InjectableFunction (could be ControllerDefinition or anything actually) are not considered valid if they are not connected to an angular module call at their "base"(possibly correct term but not sure), which makes the library classes uncustomizable/rigid for alternative, valid and perfectly legal usage of AngularJS, which loses the meaning of modularizing logic and shipping it in a library

--

I verified by modifying my source code examples appropriately (if anyone is interested I can provide examples):

• whenever I manually match a DataFlow Node that I know corresponds to the code part that is an injectable function without a connection to a "direct" angular.module chain/call, i.e. the t variable from the example in the original post , and then cast/lift to an AngularJS::InjectableFunction class, I get no results

• while when there is a "direct" angular.module chain, the same manually matched part of an injectable function from before gives the expected result when lifted/cast

NOTE: AngularJS is an old framework, but there are a TON of web apps out there using it, just noting :)

[Napalys]

Hello @testgita

I have tried your example and yes, indeed only direct references were captured. The CodeQL library for JavaScript has limitations when analyzing the global scope because JavaScript's global context can be unpredictable. In global contexts, variables and references can be loosely defined, making it harder for CodeQL's analysis engine to capture them accurately. The global scope is shared between all the files, which makes the analysis of global variables extremely challenging.

By placing your code within a function scope, you define a more predictable, structured environment, which allows CodeQL to track variables and references more effectively. You can try this modified version:

function name(){
  var t;
  
  (t = angular.module('myModule', []))
      .controller('MyController', ['$scope', 'depA', 'depB', function($scope, depA) {
          var yolo = 7+2
  }]);
  var example, example2 = (
      (t.controller('MyController2', ['$scope', 'depA', 'depB', function($scope, depA) {var test = 1+3;}])),
      (t.controller('MyController3', ['$scope', 'depA', 'depB', function($scope, depA) {var test = 1+3;}])),
       1+5);
}

[testgita]

Are you god?

Can I read more about this somewhere?

[testgita]

Also, I am doing a global taintracking analysis, using:

module AngularJSDataFlow = TaintTracking::Global<AngularJSDataFlowConfig>;
import AngularJSDataFlow::PathGraph

from AngularJSDataFlow::PathNode source, AngularJSDataFlow::PathNode sink

does the issue you describe affect any of these if I put the whole project (1 file) inside a function, like you suggested??

Thank you so much btw, I've been avoiding using the library's classes for a couple weeks now, this is an absolute time/life saver. Thank you again