JavaScript: Remove dependency of module import on globalVarRef.

2026-04-30 19:26:02 +02:00 · 2019-06-20 12:01:30 +01:00
parent 99c32f08fb
commit 4370f25b32
4 changed files with 14 additions and 6 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -13,7 +13,10 @@ module NodeJSLib {
   */
  private class ImplicitProcessImport extends DataFlow::ModuleImportNode::Range {
    ImplicitProcessImport() {
-      this = DataFlow::globalVarRef("process") and
+      exists(GlobalVariable process |
+        process.getName() = "process" and
+        this = DataFlow::exprNode(process.getAnAccess())
+      ) and
      getTopLevel() instanceof NodeModule
    }

@@ -24,9 +27,17 @@ module NodeJSLib {
   * Gets a reference to the 'process' object.
   */
  DataFlow::SourceNode process() {
+    result = DataFlow::globalVarRef("process") or
    result = DataFlow::moduleImport("process")
  }

+  /**
+   * Gets a reference to a member of the 'process' object.
+   */
+  private DataFlow::SourceNode processMember(string member) {
+    result = process().getAPropertyRead(member)
+  }
+
  /**
   * Holds if `call` is an invocation of `http.createServer` or `https.createServer`.
   */
@@ -365,7 +376,7 @@ module NodeJSLib {
    ProcessTermination() {
      this = DataFlow::moduleImport("exit").getAnInvocation()
      or
-      this = DataFlow::moduleMember("process", "exit").getACall()
+      this = processMember("exit").getACall()
    }
  }

--- a/javascript/ql/test/library-tests/ModuleImportNodes/TSGlobalImport.expected
+++ b/javascript/ql/test/library-tests/ModuleImportNodes/TSGlobalImport.expected
@@ -16,4 +16,3 @@
 | process2.js:1:1:1:13 | require('fs') | fs |
 | process2.js:2:10:2:16 | process | process |
 | process.js:1:10:1:27 | require('process') | process |
-| process.js:2:10:2:23 | global.process | process |
--- a/javascript/ql/test/library-tests/ModuleImportNodes/process.js
+++ b/javascript/ql/test/library-tests/ModuleImportNodes/process.js
@@ -1,2 +1,2 @@
 var p1 = require('process');
-var p2 = global.process;
+var p2 = global.process; // not detected yet
--- a/javascript/ql/test/library-tests/ModuleImportNodes/tests.expected
+++ b/javascript/ql/test/library-tests/ModuleImportNodes/tests.expected
@@ -44,7 +44,6 @@ test_moduleImport
 | net | client1.ts:6:9:6:11 | net |
 | process | process2.js:2:10:2:16 | process |
 | process | process.js:1:10:1:27 | require('process') |
-| process | process.js:2:10:2:23 | global.process |
 test_moduleMember
 | electron | BrowserWindow | destructuringES6.js:1:10:1:22 | BrowserWindow |
 | electron | BrowserWindow | destructuringRequire.js:1:9:1:21 | BrowserWindow |
@@ -78,7 +77,6 @@ test_ModuleImportNode_getPath
 | process2.js:1:1:1:13 | require('fs') | fs |
 | process2.js:2:10:2:16 | process | process |
 | process.js:1:10:1:27 | require('process') | process |
-| process.js:2:10:2:23 | global.process | process |
 test_ModuleImportNode_getAMethodCall
 | amd1.js:1:25:1:26 | fs | amd1.js:2:3:2:29 | fs.read ... a.txt") |
 | amd2.js:2:12:2:24 | require('fs') | amd2.js:3:3:3:29 | fs.read ... a.txt") |