hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #16241 from asgerf/js/re-export

Browse Source 
JS: Improve support for `export * as ...` declarations
This commit is contained in:
Asger F
2024-04-19 10:03:17 +02:00
committed by GitHub
parent 18acad516b da33c220a6
commit ac34b922ec
13 changed files with 67 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
javascript/ql/lib/semmle/javascript/ApiGraphs.qll
View File

@@ -7,6 +7,7 @@
import javascript
private import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps
private import semmle.javascript.dataflow.internal.PreCallGraphStep
private import internal.CachedStages
/**
@@ -782,6 +783,13 @@ module API {
rhs = m.getAnExportedValue(prop)
)
or
// In general, turn store steps into member steps for def-nodes
exists(string prop |
PreCallGraphStep::storeStep(rhs, pred, prop) and
lbl = Label::member(prop) and
not DataFlow::PseudoProperties::isPseudoProperty(prop)
)
or
exists(DataFlow::FunctionNode fn |
fn = pred and
lbl = Label::return()
@@ -947,7 +955,6 @@ module API {
(base instanceof TNonModuleDef or base instanceof TUse)
)
or
// invocations
exists(DataFlow::SourceNode src, DataFlow::SourceNode pred |
use(base, src) and pred = trackUseNode(src)
|
@@ -968,6 +975,13 @@ module API {
or
ref = cls.getAClassReference().getAnInstantiation()
)
or
exists(string prop |
PreCallGraphStep::loadStep(pred.getALocalUse(), ref, prop) and
lbl = Label::member(prop) and
// avoid generating member edges like "$arrayElement$"
not DataFlow::PseudoProperties::isPseudoProperty(prop)
)
)
or
exists(DataFlow::Node def, DataFlow::FunctionNode fn |
@@ -1535,7 +1549,9 @@ module API {
prop = any(CanonicalName c).getName() or
prop = any(DataFlow::PropRef p).getPropertyName() or
exists(Impl::MkTypeUse(_, prop)) or
exists(any(Module m).getAnExportedValue(prop))
exists(any(Module m).getAnExportedValue(prop)) or
PreCallGraphStep::loadStep(_, _, prop) or
PreCallGraphStep::storeStep(_, _, prop)
} or
MkLabelUnknownMember() or
MkLabelParameter(int i) {

16
javascript/ql/lib/semmle/javascript/ES2015Modules.qll
View File

@@ -510,6 +510,9 @@ class ExportNamedDeclaration extends ExportDeclaration, @export_named_declaratio
or
exists(ReExportDeclaration red | red = this |
result = red.getReExportedES2015Module().getAnExport().getSourceNode(spec.getLocalName())
or
spec instanceof ExportNamespaceSpecifier and
result = DataFlow::valueNode(spec)
)
)
}
@@ -524,6 +527,19 @@ class ExportNamedDeclaration extends ExportDeclaration, @export_named_declaratio
ExportSpecifier getASpecifier() { result = this.getSpecifier(_) }
}
private import semmle.javascript.dataflow.internal.PreCallGraphStep
private class ExportNamespaceStep extends PreCallGraphStep {
override predicate storeStep(DataFlow::Node pred, DataFlow::SourceNode succ, string prop) {
exists(ExportNamedDeclaration exprt, ExportNamespaceSpecifier spec |
spec = exprt.getASpecifier() and
pred =
exprt.(ReExportDeclaration).getReExportedES2015Module().getAnExport().getSourceNode(prop) and
succ = DataFlow::valueNode(spec)
)
}
}
/**
* An export declaration with the `type` modifier.
*/

4
javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll
View File

@@ -704,6 +704,10 @@ module SharedFlowStep {
* For use with load/store steps in `DataFlow::SharedFlowStep` and TypeTracking.
*/
module PseudoProperties {
/** Holds if `s` is a pseudo-property. */
bindingset[s]
predicate isPseudoProperty(string s) { s.matches("$%$") }
bindingset[s]
private string pseudoProperty(string s) { result = "$" + s + "$" }

1
javascript/ql/lib/semmle/javascript/dataflow/Sources.qll
View File

@@ -322,6 +322,7 @@ module SourceNode {
astNode instanceof FunctionBindExpr or
astNode instanceof DynamicImportExpr or
astNode instanceof ImportSpecifier or
astNode instanceof ExportNamespaceSpecifier or
astNode instanceof ImportMetaExpr or
astNode instanceof TaggedTemplateExpr or
astNode instanceof Templating::PipeRefExpr or