From 63a648dc4186b3b7c50df63802124b2f6e5e4633 Mon Sep 17 00:00:00 2001 From: Esben Sparre Andreasen Date: Mon, 12 Oct 2020 13:43:41 +0200 Subject: [PATCH] Remove additional path-injection sinks --- benjamin-button.md | 9 +++++++++ .../ql/lib/semmle/javascript/frameworks/NodeJSLib.qll | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/benjamin-button.md b/benjamin-button.md index e964f0f1aef..3d63edddca0 100644 --- a/benjamin-button.md +++ b/benjamin-button.md @@ -10,6 +10,15 @@ Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by lookin - the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected - the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink +Sinks added between 2018-08-02 and 2020-01-01 have been removed. Found by looking at: + +- the commit titles of https://github.com/github/codeql/commits/main/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected +- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+sink +- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+pathinjection +- the PR titles of https://github.com/github/codeql/pulls?page=2&q=is%3Apr+label%3AJS+is%3Aclosed+tainted-path + +Sinks from the "graceful-fs" and "fs-extra" (added before the open-sourcing squash). + ## Xss.ql Sinks added between 2020-01-01 and 2020-10-06 have been removed. Found by looking at: diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll index 72fd9a640a5..56e174187bd 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll 
@@ -496,7 +496,7 @@ module NodeJSLib { * A member `member` from module `fs`. */ DataFlow::SourceNode moduleMember(string member) { - exists(string moduleName | moduleName = ["fs-extra", "graceful-fs", "fs"] | + exists(string moduleName | moduleName = ["fs"] | result = DataFlow::moduleMember(moduleName, member) ) }
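Review bot: the last added line in the benjamin-button.md hunk, `Sinks from the "graceful-fs" and "fs-extra" (added before the open-sourcing squash).`, is a fragment that never says what happened to those sinks. The two paragraphs above it both end in "have been removed", so it should follow the same pattern and name the packages as modules, e.g. `Sinks from the "graceful-fs" and "fs-extra" modules (added before the open-sourcing squash) have been removed.` The first two bullets of the new 2018-08-02 to 2020-01-01 list are also identical to the bullets under the 2020 paragraph, including the `page=2` parameter in the PR search URLs. If the older range was found on other result pages, the links should say so. Otherwise drop `page=` so the record of how the sinks were found does not depend on the pagination at the time.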
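Review bot: in the NodeJSLib.qll hunk, `moduleMember(string member)` is a general predicate, so narrowing `moduleName` to `["fs"]` drops `fs-extra` and `graceful-fs` for every caller of it, not only for the path-injection sinks the commit subject names. Please confirm that is intended, or restrict the change to the sink definition instead. The diffstat lists only benjamin-button.md and NodeJSLib.qll, so no test expectation (for instance the TaintedPath.expected file the markdown links to) is updated alongside the behaviour change. If any test exercises those two packages, its expected output should change in the same commit. Minor style point: with a single-element set the `exists(string moduleName | moduleName = ["fs"] | ...)` wrapper is redundant and `result = DataFlow::moduleMember("fs", member)` says the same thing. If the wrapper is kept to make the removal easy to revert, a short comment stating that would help.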