make globalVarRef non recursive

2025-12-17 01:03:14 +01:00 · 2021-02-22 17:30:22 +01:00
parent 06091e5312
commit 69d6df7834
3 changed files with 22 additions and 12 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -365,22 +365,38 @@ DataFlow::SourceNode globalObjectRef() {
  )
  or
  // DOM
-  result = globalVarRef("window")
+  result = globalVariable("window")
  or
  // Node.js
-  result = globalVarRef("global")
+  result = globalVariable("global")
  or
  // DOM and service workers
-  result = globalVarRef("self")
+  result = globalVariable("self")
  or
  // ECMAScript 2020
-  result = globalVarRef("globalThis")
+  result = globalVariable("globalThis")
  or
  // `require("global")`
  result = moduleImport("global")
  or
  // Closure library - based on AST to avoid recursion with Closure library model
-  result = globalVarRef("goog").getAPropertyRead("global")
+  result = globalVariable("goog").getAPropertyRead("global")
+}
+
+/**
+ * Gets a reference to a global variable `name`.
+ * For example, if `name` is "foo":
+ * ```js
+ * foo
+ * require('global/foo')
+ * ```
+ */
+private DataFlow::SourceNode globalVariable(string name) {
+  result.(GlobalVarRefNode).getName() = name
+  or
+  // `require("global/document")` or `require("global/window")`
+  (name = "document" or name = "window") and
+  result = moduleImport("global/" + name)
 }

 /**
@@ -398,13 +414,9 @@ DataFlow::SourceNode globalObjectRef() {
 */
 pragma[nomagic]
 DataFlow::SourceNode globalVarRef(string name) {
-  result.(GlobalVarRefNode).getName() = name
+  result = globalVariable(name)
  or
  result = globalObjectRef().getAPropertyReference(name)
-  or
-  // `require("global/document")` or `require("global/window")`
-  (name = "document" or name = "window") and
-  result = moduleImport("global/" + name)
 }

 /**
--- a/javascript/ql/test/library-tests/Nodes/globalObjectRef.expected
+++ b/javascript/ql/test/library-tests/Nodes/globalObjectRef.expected
@@ -9,6 +9,5 @@
 | tst.js:1:1:1:6 | window |
 | tst.js:3:1:3:6 | window |
 | tst.js:4:1:4:6 | window |
-| tst.js:4:1:4:13 | window.window |
 | tst.js:5:1:5:4 | self |
 | tst.js:6:1:6:10 | globalThis |
--- a/javascript/ql/test/library-tests/Nodes/globalVarRef.expected
+++ b/javascript/ql/test/library-tests/Nodes/globalVarRef.expected
@@ -2,7 +2,6 @@
 | String | tst2.js:9:1:9:11 | this.String |
 | document | tst2.js:2:1:2:26 | require ... ument") |
 | document | tst.js:3:1:3:15 | window.document |
-| document | tst.js:4:1:4:22 | window. ... ocument |
 | document | tst.js:5:1:5:13 | self.document |
 | document | tst.js:6:1:6:19 | globalThis.document |
 | foo | tst3.js:4:1:4:5 | w.foo |