JS: Restrict what property names that are considered public exports

2026-05-01 03:35:13 +02:00 · 2021-10-01 11:42:03 +02:00
parent 4a16be2cba
commit af1b04de9c
1 changed files with 23 additions and 8 deletions
--- a/javascript/ql/lib/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/lib/semmle/javascript/PackageExports.qll
@@ -30,7 +30,11 @@ private DataFlow::Node getAValueExportedByPackage() {
    getAnExportFromModule(any(PackageJSON pack | exists(pack.getPackageName())).getMainModule())
  or
  // module.exports.bar.baz = result;
-  result = getAValueExportedByPackage().(DataFlow::PropWrite).getRhs()
+  exists(DataFlow::PropWrite write |
+    write = getAValueExportedByPackage() and
+    write.getPropertyName() = publicPropertyName() and
+    result = write.getRhs()
+  )
  or
  // class Foo {
  //   bar() {} // <- result
@@ -39,15 +43,15 @@ private DataFlow::Node getAValueExportedByPackage() {
  exists(DataFlow::SourceNode callee |
    callee = getAValueExportedByPackage().(DataFlow::NewNode).getCalleeNode().getALocalSource()
  |
-    result = callee.getAPropertyRead("prototype").getAPropertyWrite().getRhs()
+    result = callee.getAPropertyRead("prototype").getAPropertyWrite(publicPropertyName()).getRhs()
    or
-    result = callee.(DataFlow::ClassNode).getAnInstanceMethod()
+    result = callee.(DataFlow::ClassNode).getInstanceMethod(publicPropertyName())
  )
  or
  result = getAValueExportedByPackage().getALocalSource()
  or
  // Nested property reads.
-  result = getAValueExportedByPackage().(DataFlow::SourceNode).getAPropertyReference()
+  result = getAValueExportedByPackage().(DataFlow::SourceNode).getAPropertyReference(publicPropertyName())
  or
  // module.exports.foo = require("./other-module.js");
  exists(Module mod |
@@ -62,8 +66,8 @@ private DataFlow::Node getAValueExportedByPackage() {
  //   constructor() {} // <- result
  // };
  exists(DataFlow::ClassNode cla | cla = getAValueExportedByPackage() |
-    result = cla.getAnInstanceMethod() or
-    result = cla.getAStaticMethod() or
+    result = cla.getInstanceMethod(publicPropertyName()) or
+    result = cla.getStaticMethod(publicPropertyName()) or
    result = cla.getConstructor()
  )
  or
@@ -120,7 +124,8 @@ private DataFlow::Node getAValueExportedByPackage() {
  or
  // Object.defineProperty
  exists(CallToObjectDefineProperty call |
-    [call, call.getBaseObject()] = getAValueExportedByPackage()
+    [call, call.getBaseObject()] = getAValueExportedByPackage() and
+    call.getPropertyName() = publicPropertyName()
  |
    result = call.getPropertyDescriptor().getALocalSource().getAPropertyReference("value")
    or
@@ -164,9 +169,19 @@ private DataFlow::Node getAValueExportedByPackage() {
 * Gets an exported node from the module `mod`.
 */
 private DataFlow::Node getAnExportFromModule(Module mod) {
-  result = mod.getAnExportedValue(_)
+  result = mod.getAnExportedValue(publicPropertyName())
  or
  result = mod.getABulkExportedNode()
  or
  result.analyze().getAValue() = TAbstractModuleObject(mod)
 }
+
+/**
+ * Gets a property name that we consider to be public.
+ *
+ * This only allows properties whose first character is a letter or number.
+ */
+bindingset[result]
+private string publicPropertyName() {
+  result.regexpMatch("[a-zA-Z0-9].*")
+}