Merge pull request #4391 from max-schaefer/js/api-graph-reexport

Approved by asgerf
2026-04-28 02:05:14 +02:00 · 2020-10-12 05:26:53 -07:00
parent 6d1634ef8f 98ab38a630
commit 8eb84b2599
5 changed files with 60 additions and 16 deletions
--- a/javascript/ql/src/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
@@ -419,11 +419,20 @@ module API {
        exists(DataFlow::Node def, DataFlow::SourceNode pred |
          rhs(base, def) and pred = trackDefNode(def)
        |
+          // from `x` to a definition of `x.prop`
          exists(DataFlow::PropWrite pw | pw = pred.getAPropertyWrite() |
            lbl = Label::memberFromRef(pw) and
            rhs = pw.getRhs()
          )
          or
+          // special case: from `require('m')` to an export of `prop` in `m`
+          exists(Import imp, Module m, string prop |
+            pred = imp.getImportedModuleNode() and
+            m = imp.getImportedModule() and
+            lbl = Label::member(prop) and
+            rhs = m.getAnExportedValue(prop)
+          )
+          or
          exists(DataFlow::FunctionNode fn | fn = pred |
            not fn.getFunction().isAsync() and
            lbl = Label::return() and
@@ -561,15 +570,11 @@ module API {
    cached
    predicate use(TApiNode nd, DataFlow::Node ref) {
      exists(string m, Module mod | nd = MkModuleDef(m) and mod = importableModule(m) |
-        ref = DataFlow::ssaDefinitionNode(SSA::implicitInit(mod.(NodeModule).getModuleVariable()))
-        or
-        ref = DataFlow::parameterNode(mod.(AmdModule).getDefine().getModuleParameter())
+        ref.(ModuleAsSourceNode).getModule() = mod
      )
      or
      exists(string m, Module mod | nd = MkModuleExport(m) and mod = importableModule(m) |
-        ref = DataFlow::ssaDefinitionNode(SSA::implicitInit(mod.(NodeModule).getExportsVariable()))
-        or
-        ref = DataFlow::parameterNode(mod.(AmdModule).getDefine().getExportsParameter())
+        ref.(ExportsAsSourceNode).getModule() = mod
        or
        exists(DataFlow::Node base | use(MkModuleDef(m), base) |
          ref = trackUseNode(base).getAPropertyRead("exports")
@@ -640,6 +645,16 @@ module API {
      rhs(_, nd) and
      result = nd.getALocalSource()
      or
+      // additional backwards step from `require('m')` to `exports` or `module.exports` in m
+      exists(Import imp | imp.getImportedModuleNode() = trackDefNode(nd, t.continue()) |
+        result.(ExportsAsSourceNode).getModule() = imp.getImportedModule()
+        or
+        exists(ModuleAsSourceNode mod |
+          mod.getModule() = imp.getImportedModule() and
+          result = mod.(DataFlow::SourceNode).getAPropertyRead("exports")
+        )
+      )
+      or
      exists(DataFlow::TypeBackTracker t2 | result = trackDefNode(nd, t2).backtrack(t2, t))
    }

@@ -796,13 +811,31 @@ private module Label {
 }

 /**
- * A CommonJS `module` or `exports` variable, considered as a source node.
+ * A CommonJS/AMD `module` variable, considered as a source node.
 */
-private class AdditionalSourceNode extends DataFlow::SourceNode::Range {
-  AdditionalSourceNode() {
-    exists(NodeModule m, Variable v |
-      v in [m.getModuleVariable(), m.getExportsVariable()] and
-      this = DataFlow::ssaDefinitionNode(SSA::implicitInit(v))
-    )
+private class ModuleAsSourceNode extends DataFlow::SourceNode::Range {
+  Module m;
+
+  ModuleAsSourceNode() {
+    this = DataFlow::ssaDefinitionNode(SSA::implicitInit(m.(NodeModule).getModuleVariable()))
+    or
+    this = DataFlow::parameterNode(m.(AmdModule).getDefine().getModuleParameter())
  }
+
+  Module getModule() { result = m }
+}
+
+/**
+ * A CommonJS/AMD `exports` variable, considered as a source node.
+ */
+private class ExportsAsSourceNode extends DataFlow::SourceNode::Range {
+  Module m;
+
+  ExportsAsSourceNode() {
+    this = DataFlow::ssaDefinitionNode(SSA::implicitInit(m.(NodeModule).getExportsVariable()))
+    or
+    this = DataFlow::parameterNode(m.(AmdModule).getDefine().getExportsParameter())
+  }
+
+  Module getModule() { result = m }
 }