fix second round of code review. improve documents, fix better-sqlite3 method

2026-04-25 16:55:19 +02:00 · 2023-11-23 14:01:38 +01:00
parent eb552b7c93
commit 60b422a35c
3 changed files with 16 additions and 21 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
@@ -123,9 +123,8 @@ private module Postgres {
  }

  /**
-   * Gets a Postgres Query class.
-   *
-   * Please note that according to [this documentation](https://node-postgres.com/apis/client) this is an advance feature
+   * Gets the Postgres Query class.
+   * This class can be used to create reusable query objects (see https://node-postgres.com/apis/client).
   */
  API::Node query() { result = API::moduleImport("pg").getMember("Query") }

@@ -309,20 +308,16 @@ private module Sqlite {
 */
 private module BetterSqlite3 {
  /**
-   * Gets an expression that constructs or returns a `better-sqlite3` database instance.
+   * Gets a `better-sqlite3` database instance.
   */
  API::Node database() {
-    // initialDatabaseInstance is an instance of Database that constructed and instantiated in the first step of Database initialization,
-    // not from a return value of the other library functions
-    exists(API::Node initialDatabaseInstance |
-      initialDatabaseInstance =
-        [
-          API::moduleImport("better-sqlite3").getInstance(),
-          API::moduleImport("better-sqlite3").getReturn()
-        ]
-    |
-      result = [initialDatabaseInstance, initialDatabaseInstance.getMember("exec").getReturn()]
-    )
+    result =
+      [
+        API::moduleImport("better-sqlite3").getInstance(),
+        API::moduleImport("better-sqlite3").getReturn()
+      ]
+    or
+    result = database().getMember("exec").getReturn()
  }

  /** A call to a better-sqlite3 query method. */
--- a/javascript/ql/src/experimental/semmle/javascript/SQL.qll
+++ b/javascript/ql/src/experimental/semmle/javascript/SQL.qll
@@ -4,7 +4,7 @@

 import javascript

-module ExperimentalSQL {
+module ExperimentalSql {
  /**
   * Provides SQL injection Sinks for the [TypeORM](https://www.npmjs.com/package/typeorm) package
   */
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -82,9 +82,9 @@
 | sqlite3.js:7:8:7:45 | "UPDATE ... id = ?" |
 | sqlite3.js:8:8:8:45 | "UPDATE ... id = ?" |
 | sqlite-types.ts:4:12:4:49 | "UPDATE ... id = ?" |
-| sqlite.js:9:10:9:65 | 'SELECT ... id = 1" |
-| sqlite.js:12:10:12:65 | 'SELECT ... id = 1" |
-| sqlite.js:15:10:15:74 | 'INSERT ... ',100)' |
-| sqlite.js:18:14:19:18 | 'SELECT ... id = 1" |
-| sqlite.js:25:19:25:74 | 'SELECT ... id = 1" |
+| sqlite.js:8:10:8:65 | 'SELECT ... id = 1" |
+| sqlite.js:11:10:11:65 | 'SELECT ... id = 1" |
+| sqlite.js:14:10:14:50 | 'SELECT ... id > 5' |
+| sqlite.js:17:14:18:18 | 'SELECT ... id = 1" |
+| sqlite.js:24:19:24:74 | 'SELECT ... id = 1" |
 | sqliteArray.js:6:12:6:49 | "UPDATE ... id = ?" |