JavaScript: Make lodash/underscore recognition extensible.

2026-04-29 10:45:15 +02:00 · 2018-10-30 11:46:30 -04:00
parent 1da873e819
commit 22640f891e
3 changed files with 53 additions and 5 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/LodashUnderscore.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/LodashUnderscore.qll
@@ -5,6 +5,33 @@ import javascript

 /** Provides a unified model of [lodash](https://lodash.com/) and [underscore](http://underscorejs.org/). */
 module LodashUnderscore {
+  /**
+   * A data flow node that accesses a given member of `lodash` or `underscore`.
+   */
+  abstract class Member extends DataFlow::SourceNode {
+    /** Gets the name of the accessed member. */
+    abstract string getName();
+  }
+
+  /**
+   * An import of `lodash` or `underscore` accessing a given member of that package.
+   */
+  private class DefaultMember extends Member {
+    string name;
+
+    DefaultMember() {
+      this = DataFlow::moduleMember("underscore", name) or
+      this = DataFlow::moduleMember("lodash", name) or
+      this = DataFlow::moduleImport("lodash/" + name) or
+      this = DataFlow::moduleImport("lodash." + name) or
+      this = DataFlow::globalVarRef("_").getAPropertyRead(name)
+    }
+
+    override string getName() {
+      result = name
+    }
+  }
+
  /**
   * Gets a data flow node that accesses the given member of `lodash` or `underscore`.
   *
@@ -12,11 +39,7 @@ module LodashUnderscore {
   * In addition, the global variable `_` is assumed to refer to `lodash` or `underscore`.
   */
  DataFlow::SourceNode member(string name) {
-    result = DataFlow::moduleMember("underscore", name) or
-    result = DataFlow::moduleMember("lodash", name) or
-    result = DataFlow::moduleImport("lodash/" + name) or
-    result = DataFlow::moduleImport("lodash." + name) or
-    result = DataFlow::globalVarRef("_").getAPropertyRead(name)
+    result.(Member).getName() = name
  }
 }

--- a/javascript/ql/src/semmle/javascript/heuristics/AdditionalFrameworks.qll
+++ b/javascript/ql/src/semmle/javascript/heuristics/AdditionalFrameworks.qll
@@ -0,0 +1,24 @@
+/**
+ * Provides classes that heuristically identify uses of common frameworks.
+ *
+ * Note: This module should not be a permanent part of the standard library imports.
+ */
+
+import javascript
+
+/**
+ * An import of a module whose name ends in `-lodash` or `-underscore`, interpreted
+ * as a likely import of the lodash or underscore library.
+ */
+private class ImpreciseLodashMember extends LodashUnderscore::Member {
+  string name;
+
+  ImpreciseLodashMember() {
+    exists (string lodash |
+      this = DataFlow::moduleMember(lodash, name) |
+      lodash.matches("%-lodash") or lodash.matches("%-underscore")
+    )
+  }
+
+  override string getName() { result = name }
+}
--- a/javascript/ql/src/semmle/javascript/heuristics/all.qll
+++ b/javascript/ql/src/semmle/javascript/heuristics/all.qll
@@ -6,6 +6,7 @@
 * Note: This module should not be a permanent part of the standard library imports.
 */

+import AdditionalFrameworks
 import AdditionalPromises
 import AdditionalRouteHandlers
 import AdditionalSources