JS: Add store step into namespace re-export specifier

2026-04-25 08:45:14 +02:00 · 2024-04-17 14:13:39 +02:00
parent 0a7af90454
commit 55b9724f59
4 changed files with 24 additions and 1 deletions
--- a/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -7,6 +7,7 @@

 import javascript
 private import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps
+private import semmle.javascript.dataflow.internal.PreCallGraphStep
 private import internal.CachedStages

 /**
@@ -769,6 +770,12 @@ module API {
            rhs = m.getAnExportedValue(prop)
          )
          or
+          // In general, turn store steps into member steps for def-nodes
+          exists(string prop |
+            PreCallGraphStep::storeStep(rhs, pred, prop) and
+            lbl = Label::member(prop)
+          )
+          or
          exists(DataFlow::FunctionNode fn |
            fn = pred and
            lbl = Label::return()
--- a/javascript/ql/lib/semmle/javascript/ES2015Modules.qll
+++ b/javascript/ql/lib/semmle/javascript/ES2015Modules.qll
@@ -510,6 +510,9 @@ class ExportNamedDeclaration extends ExportDeclaration, @export_named_declaratio
      or
      exists(ReExportDeclaration red | red = this |
        result = red.getReExportedES2015Module().getAnExport().getSourceNode(spec.getLocalName())
+        or
+        spec instanceof ExportNamespaceSpecifier and
+        result = DataFlow::valueNode(spec)
      )
    )
  }
@@ -524,6 +527,19 @@ class ExportNamedDeclaration extends ExportDeclaration, @export_named_declaratio
  ExportSpecifier getASpecifier() { result = this.getSpecifier(_) }
 }

+private import semmle.javascript.dataflow.internal.PreCallGraphStep
+
+private class ExportNamespaceStep extends PreCallGraphStep {
+  override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
+    exists(ExportNamedDeclaration exprt, ExportNamespaceSpecifier spec |
+      spec = exprt.getASpecifier() and
+      pred =
+        exprt.(ReExportDeclaration).getReExportedES2015Module().getAnExport().getSourceNode(prop) and
+      succ = DataFlow::valueNode(spec)
+    )
+  }
+}
+
 /**
 * An export declaration with the `type` modifier.
 */
--- a/javascript/ql/lib/semmle/javascript/dataflow/Sources.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/Sources.qll
@@ -322,6 +322,7 @@ module SourceNode {
        astNode instanceof FunctionBindExpr or
        astNode instanceof DynamicImportExpr or
        astNode instanceof ImportSpecifier or
+        astNode instanceof ExportNamespaceSpecifier or
        astNode instanceof ImportMetaExpr or
        astNode instanceof TaggedTemplateExpr or
        astNode instanceof Templating::PipeRefExpr or
--- a/javascript/ql/test/ApiGraphs/reexport/VerifyAssertions.expected
+++ b/javascript/ql/test/ApiGraphs/reexport/VerifyAssertions.expected
@@ -1 +0,0 @@
-| lib/esmodule-reexported2.js:1:26:1:137 | /* def= ... wo") */ | def moduleImport("reexport").getMember("exports").getMember("esmodule") has no outgoing edge labelled getMember("lib2"); it does have outgoing edges labelled getMember("one"). |
				`@@ -1 +0,0 @@`
				`\| lib/esmodule-reexported2.js:1:26:1:137 \| /* def= ... wo") */ \| def moduleImport("reexport").getMember("exports").getMember("esmodule") has no outgoing edge labelled getMember("lib2"); it does have outgoing edges labelled getMember("one"). \|`