Merge pull request #7715 from kaeluka/recognize-fs-extra-path-args

JS: add a predicate to recognize path arguments in calls to the fs-extra lib
2026-04-30 11:15:13 +02:00 · 2022-01-25 09:36:59 +01:00
parent 06776d19ee 02db472209
commit 35cc5ff0e2
1 changed files with 45 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -408,11 +408,13 @@ module NodeJSLib {

  /**
   * Holds if the `i`th parameter of method `methodName` of the Node.js
-   * `fs` module might represent a file path.
+   * `fs` module or the `fs-extra` module might represent a file path.
   *
-   * We determine this by looking for an externs declaration for
+   * For `fs`, we determine this by looking for an externs declaration for
   * `fs.methodName` where the `i`th parameter's name is `filename` or
   * `path` or a variation thereof.
+   *
+   * For `fs-extra`, we use a manually maintained list.
   */
  private predicate fsFileParam(string methodName, int i) {
    exists(ExternalMemberDecl decl, Function f, JSDocParamTag p, string n |
@@ -423,6 +425,47 @@ module NodeJSLib {
    |
      n = "filename" or n.regexpMatch("(old|new|src|dst|)path")
    )
+    or
+    fsExtraExtensionFileParam(methodName, i)
+  }
+
+  /**
+   * Holds if `methodName` is a function defined in the `fs-extra` library
+   * as an extension to node.js' `fs` module and parameter `i` of of the
+   * method might represent a file path.
+   */
+  private predicate fsExtraExtensionFileParam(string methodName, int i) {
+    methodName = ["copy", "copySync", "copyFile"] and i = [0, 1]
+    or
+    methodName = ["move", "moveSync"] and i = [0, 1]
+    or
+    methodName = ["createFile", "createFileSync"] and i = 0
+    or
+    methodName = ["createSymLink", "createSymlinkSync"] and i = [0, 1]
+    or
+    methodName = ["ensureDir", "ensureDirSync"] and i = 0
+    or
+    methodName = ["mkdirs", "mkdirp", "mkdirsSync", "mkdirpSync"] and i = 0
+    or
+    methodName = ["outputFile", "outputFileSync"] and i = 0
+    or
+    methodName = ["readJson", "readJSON", "readJsonSync", "readJSONSync"] and i = 0
+    or
+    methodName = ["remove", "removeSync"] and i = 0
+    or
+    methodName =
+      ["outputJSON", "outputJson", "writeJSON", "writeJson", "writeJSONSync", "writeJsonSync"] and
+    i = 0
+    or
+    methodName = ["ensureFile", "ensureFileSync"] and i = 0
+    or
+    methodName = ["ensureLink", "createLink", "ensureLinkSync", "createLinkSync"] and i = [0, 1]
+    or
+    methodName = ["ensureSymlink", "ensureSymlinkSync"] and i = [0, 1]
+    or
+    methodName = ["emptyDir", "emptyDirSync"] and i = 0
+    or
+    methodName = ["pathExists", "pathExistsSync"] and i = 0
  }

  /**