only include named topmost package.json files for js/shell-command-constructed-from-input

2025-12-17 01:03:14 +01:00 · 2020-07-06 11:10:56 +02:00
parent 993506d781
commit 00e900f1b1
2 changed files with 3 additions and 5 deletions
--- a/javascript/ql/src/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/src/semmle/javascript/PackageExports.qll
@@ -13,7 +13,7 @@ bindingset[path]
 private int countSlashes(string path) { result = count(path.splitAt("/")) - 1 }

 /**
- * Gets the topmost package.json that appears in the project.
+ * Gets the topmost named package.json that appears in the project.
 *
 * There can be multiple results if the there exists multiple package.json that are equally deeply nested in the folder structure.
 * Results are limited to package.json files that are at most nested 2 directories deep.
@@ -21,7 +21,8 @@ private int countSlashes(string path) { result = count(path.splitAt("/")) - 1 }
 PackageJSON getTopmostPackageJSON() {
  result =
    min(PackageJSON j |
-      countSlashes(j.getFile().getRelativePath()) <= 3
+      countSlashes(j.getFile().getRelativePath()) <= 3 and
+      exists(j.getPackageName())
    |
      j order by countSlashes(j.getFile().getRelativePath())
    )
--- a/javascript/ql/test/library-tests/PackageExports/tests.expected
+++ b/javascript/ql/test/library-tests/PackageExports/tests.expected
@@ -1,7 +1,4 @@
 getTopmostPackageJSON
-| absent_main/package.json:1:1:3:1 | {\\n    " ... t.js"\\n} |
-| esmodules/package.json:1:1:3:1 | {\\n    " ... n.js"\\n} |
-| lib1/package.json:1:1:3:1 | {\\n    " ... n.js"\\n} |
 getAValueExportedBy
 | absent_main/package.json:1:1:3:1 | {\\n    " ... t.js"\\n} | absent_main/index.js:1:1:1:0 | this |
 | absent_main/package.json:1:1:3:1 | {\\n    " ... t.js"\\n} | absent_main/index.js:1:1:1:14 | module.exports |