Merge pull request #15380 from asgerf/js/endpoint-naming

JS: Add library for naming endpoints
2026-04-26 09:15:12 +02:00 · 2024-02-14 10:48:13 +01:00
parent 393251dde6 6598a669a1
commit 2172c4863f
35 changed files with 730 additions and 14 deletions
--- a/javascript/ql/test/library-tests/EndpointNaming/EndpointNaming.expected
+++ b/javascript/ql/test/library-tests/EndpointNaming/EndpointNaming.expected
@@ -0,0 +1,7 @@
+testFailures
+ambiguousPreferredPredecessor
+ambiguousSinkName
+ambiguousClassObjectName
+ambiguousClassInstanceName
+ambiguousFunctionName
+failures
--- a/javascript/ql/test/library-tests/EndpointNaming/EndpointNaming.ql
+++ b/javascript/ql/test/library-tests/EndpointNaming/EndpointNaming.ql
@@ -0,0 +1,47 @@
+import javascript
+import semmle.javascript.RestrictedLocations
+import semmle.javascript.Lines
+import semmle.javascript.endpoints.EndpointNaming as EndpointNaming
+import testUtilities.InlineExpectationsTest
+import EndpointNaming::Debug
+
+module TestConfig implements TestSig {
+  string getARelevantTag() { result = ["instance", "class", "method", "alias"] }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(string package, string name |
+      element = "" and
+      value = EndpointNaming::renderName(package, name)
+    |
+      exists(DataFlow::ClassNode cls | location = cls.getAstNode().getLocation() |
+        tag = "class" and
+        EndpointNaming::classObjectHasPrimaryName(cls, package, name)
+        or
+        tag = "instance" and
+        EndpointNaming::classInstanceHasPrimaryName(cls, package, name)
+      )
+      or
+      exists(DataFlow::FunctionNode function |
+        not function.getFunction() = any(ConstructorDeclaration decl | decl.isSynthetic()).getBody() and
+        location = function.getFunction().getLocation() and
+        tag = "method" and
+        EndpointNaming::functionHasPrimaryName(function, package, name)
+      )
+    )
+    or
+    element = "" and
+    tag = "alias" and
+    exists(
+      API::Node aliasDef, string primaryPackage, string primaryName, string aliasPackage,
+      string aliasName
+    |
+      EndpointNaming::aliasDefinition(primaryPackage, primaryName, aliasPackage, aliasName, aliasDef) and
+      value =
+        EndpointNaming::renderName(aliasPackage, aliasName) + "==" +
+          EndpointNaming::renderName(primaryPackage, primaryName) and
+      location = aliasDef.asSink().asExpr().getLocation()
+    )
+  }
+}
+
+import MakeTest<TestConfig>
--- a/javascript/ql/test/library-tests/EndpointNaming/pack1/main.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack1/main.js
@@ -0,0 +1,13 @@
+export class PublicClass {} // $ class=(pack1).PublicClass instance=(pack1).PublicClass.prototype
+
+class PrivateClass {}
+
+export const ExportedConst = class ExportedConstClass {} // $ class=(pack1).ExportedConst instance=(pack1).ExportedConst.prototype
+
+class ClassWithEscapingInstance {} // $ instance=(pack1).ClassWithEscapingInstance.prototype
+
+export function getEscapingInstance() {
+    return new ClassWithEscapingInstance();
+} // $ method=(pack1).getEscapingInstance
+
+export function publicFunction() {} // $ method=(pack1).publicFunction
--- a/javascript/ql/test/library-tests/EndpointNaming/pack1/package.json
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack1/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "pack1",
+    "main": "./main.js"
+}
--- a/javascript/ql/test/library-tests/EndpointNaming/pack10/foo.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack10/foo.js
@@ -0,0 +1 @@
+export default class FooClass {} // $ class=(pack10).Foo instance=(pack10).Foo.prototype
--- a/javascript/ql/test/library-tests/EndpointNaming/pack10/index.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack10/index.js
@@ -0,0 +1,3 @@
+import { default as Foo } from "./foo";
+
+export { Foo }
--- a/javascript/ql/test/library-tests/EndpointNaming/pack10/package.json
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack10/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "pack10",
+    "main": "./index.js"
+}
--- a/javascript/ql/test/library-tests/EndpointNaming/pack2/lib.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack2/lib.js
@@ -0,0 +1,6 @@
+class AmbiguousClass {
+    instanceMethod(foo) {} // $ method=(pack2).lib.LibClass.prototype.instanceMethod
+} // $ class=(pack2).lib.LibClass instance=(pack2).lib.LibClass.prototype
+
+export default AmbiguousClass; // $ alias=(pack2).lib.default==(pack2).lib.LibClass
+export { AmbiguousClass as LibClass }
--- a/javascript/ql/test/library-tests/EndpointNaming/pack2/main.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack2/main.js
@@ -0,0 +1,9 @@
+class AmbiguousClass {
+    instanceMethod() {} // $ method=(pack2).MainClass.prototype.instanceMethod
+} // $ class=(pack2).MainClass instance=(pack2).MainClass.prototype
+
+export default AmbiguousClass; // $ alias=(pack2).default==(pack2).MainClass
+export { AmbiguousClass as MainClass }
+
+import * as lib from "./lib";
+export { lib }
--- a/javascript/ql/test/library-tests/EndpointNaming/pack2/package.json
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack2/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "pack2",
+    "main": "./main.js"
+}
--- a/javascript/ql/test/library-tests/EndpointNaming/pack3/lib.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack3/lib.js
@@ -0,0 +1 @@
+export default function(x,y,z) {} // $ method=(pack3).libFunction alias=(pack3).libFunction.default==(pack3).libFunction
--- a/javascript/ql/test/library-tests/EndpointNaming/pack3/main.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack3/main.js
@@ -0,0 +1,7 @@
+function ambiguousFunction(x, y, z) {} // $ method=(pack3).namedFunction
+
+export default ambiguousFunction; // $ alias=(pack3).default==(pack3).namedFunction
+export { ambiguousFunction as namedFunction };
+
+import libFunction from "./lib";
+export { libFunction };
--- a/javascript/ql/test/library-tests/EndpointNaming/pack3/package.json
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack3/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "pack3",
+    "main": "./main.js"
+}
--- a/javascript/ql/test/library-tests/EndpointNaming/pack4/index.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack4/index.js
@@ -0,0 +1 @@
+export default class C {} // $ class=(pack4) instance=(pack4).prototype
--- a/javascript/ql/test/library-tests/EndpointNaming/pack4/package.json
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack4/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "pack4",
+    "main": "./index.js"
+}
--- a/javascript/ql/test/library-tests/EndpointNaming/pack5/package.json
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack5/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "pack5",
+    "main": "./dist/index.js"
+}
--- a/javascript/ql/test/library-tests/EndpointNaming/pack5/src/index.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack5/src/index.js
@@ -0,0 +1 @@
+export default class C {} // $ class=(pack5) instance=(pack5).prototype
--- a/javascript/ql/test/library-tests/EndpointNaming/pack6/index.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack6/index.js
@@ -0,0 +1,6 @@
+class C {
+    instanceMethod() {} // $ method=(pack6).instanceMethod
+    static staticMethod() {} // not accessible
+} // $ instance=(pack6)
+
+export default new C();
--- a/javascript/ql/test/library-tests/EndpointNaming/pack6/package.json
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack6/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "pack6",
+    "main": "./index.js"
+}
--- a/javascript/ql/test/library-tests/EndpointNaming/pack7/index.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack7/index.js
@@ -0,0 +1,6 @@
+export class D {} // $ class=(pack7).D instance=(pack7).D.prototype
+
+// In this case we are forced to include ".default" to avoid ambiguity with class D above.
+export default {
+    D: class {} // $ class=(pack7).default.D instance=(pack7).default.D.prototype
+};
--- a/javascript/ql/test/library-tests/EndpointNaming/pack7/package.json
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack7/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "pack7",
+    "main": "./index.js"
+}
--- a/javascript/ql/test/library-tests/EndpointNaming/pack8/foo.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack8/foo.js
@@ -0,0 +1,5 @@
+class Foo {} // $ class=(pack8).Foo instance=(pack8).Foo.prototype
+
+module.exports = Foo;
+module.exports.default = Foo; // $ alias=(pack8).Foo.default==(pack8).Foo
+module.exports.Foo = Foo; // $ alias=(pack8).Foo.Foo==(pack8).Foo
--- a/javascript/ql/test/library-tests/EndpointNaming/pack8/index.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack8/index.js
@@ -0,0 +1,5 @@
+class Main {} // $ class=(pack8) instance=(pack8).prototype
+
+Main.Foo = require('./foo');
+
+module.exports = Main;
--- a/javascript/ql/test/library-tests/EndpointNaming/pack8/package.json
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack8/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "pack8",
+    "main": "./index.js"
+}
--- a/javascript/ql/test/library-tests/EndpointNaming/pack9/foo.js
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack9/foo.js
@@ -0,0 +1 @@
+export class Foo {} // $ instance=(pack9/foo).Foo.prototype
--- a/javascript/ql/test/library-tests/EndpointNaming/pack9/index.ts
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack9/index.ts
@@ -0,0 +1,9 @@
+// Only the type is exposed. For the time being we do not consider type-only declarations or .d.ts files
+// when naming classes.
+export type { Foo } from "./foo";
+
+import * as foo from "./foo";
+
+export function expose() {
+    return new foo.Foo(); // expose an instance of Foo but not the class
+} // $ method=(pack9).expose
--- a/javascript/ql/test/library-tests/EndpointNaming/pack9/package.json
+++ b/javascript/ql/test/library-tests/EndpointNaming/pack9/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "pack9",
+    "main": "./index.js"
+}
--- a/javascript/ql/test/qlpack.yml
+++ b/javascript/ql/test/qlpack.yml
@@ -3,6 +3,7 @@ groups: [javascript, test]
 dependencies:
  codeql/javascript-all: ${workspace}
  codeql/javascript-queries: ${workspace}
+  codeql/util: ${workspace}
 extractor: javascript
 tests: .
 warnOnImplicitThis: true
--- a/javascript/ql/test/testUtilities/InlineExpectationsTest.qll
+++ b/javascript/ql/test/testUtilities/InlineExpectationsTest.qll
@@ -0,0 +1,8 @@
+/**
+ * Inline expectation tests for JS.
+ * See `shared/util/codeql/util/test/InlineExpectationsTest.qll`
+ */
+
+private import codeql.util.test.InlineExpectationsTest
+private import internal.InlineExpectationsTestImpl
+import Make<Impl>
--- a/javascript/ql/test/testUtilities/internal/InlineExpectationsTestImpl.qll
+++ b/javascript/ql/test/testUtilities/internal/InlineExpectationsTestImpl.qll
@@ -0,0 +1,12 @@
+private import javascript as JS
+private import codeql.util.test.InlineExpectationsTest
+
+module Impl implements InlineExpectationsTestSig {
+  private import javascript
+
+  class ExpectationComment extends LineComment {
+    string getContents() { result = this.getText() }
+  }
+
+  class Location = JS::Location;
+}
				`@@ -0,0 +1 @@`
				`export default class FooClass {} // $ class=(pack10).Foo instance=(pack10).Foo.prototype`
				`@@ -0,0 +1 @@`
				`export default function(x,y,z) {} // $ method=(pack3).libFunction alias=(pack3).libFunction.default==(pack3).libFunction`
				`@@ -0,0 +1 @@`
				`export default class C {} // $ class=(pack4) instance=(pack4).prototype`
				`@@ -0,0 +1 @@`
				`export class Foo {} // $ instance=(pack9/foo).Foo.prototype`