From bbbb0a2c5e0c59ccd0a01adde1c19a56f18bc5d6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Fri, 21 Aug 2020 14:14:05 +0200
Subject: [PATCH] specialize `module.createRequire` support to ES2015 modules

---
 javascript/ql/src/semmle/javascript/NodeJS.qll | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/NodeJS.qll b/javascript/ql/src/semmle/javascript/NodeJS.qll
index df21cc55822..f193959adb8 100644
--- a/javascript/ql/src/semmle/javascript/NodeJS.qll
+++ b/javascript/ql/src/semmle/javascript/NodeJS.qll
@@ -163,7 +163,16 @@ private predicate isRequire(DataFlow::Node nd) {
   or
   isRequire(nd.getAPredecessor())
   or
-  nd = DataFlow::moduleMember("module", "createRequire").getACall()
+  // `import { createRequire } from 'module';` support.
+  // specialized to ES2015 modules to avoid recursion in the `DataFlow::moduleImport()` predicate.
+  exists(ImportDeclaration imp | imp.getImportedPath().getValue() = "module" |
+    nd =
+      imp
+          .getImportedModuleNode()
+          .(DataFlow::SourceNode)
+          .getAPropertyRead("createRequire")
+          .getACall()
+  )
 }
 
 /**