JavaScript: Improve handling of re-exports in API graphs.

2026-05-03 12:45:27 +02:00 · 2020-09-29 19:45:11 +01:00
parent 96bf82e1ca
commit d054206004
2 changed files with 9 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
@@ -419,11 +419,20 @@ module API {
        exists(DataFlow::Node def, DataFlow::SourceNode pred |
          rhs(base, def) and pred = trackDefNode(def)
        |
+          // from `x` to a definition of `x.prop`
          exists(DataFlow::PropWrite pw | pw = pred.getAPropertyWrite() |
            lbl = Label::memberFromRef(pw) and
            rhs = pw.getRhs()
          )
          or
+          // special case: from `require('m')` to an export of `prop` in `m`
+          exists(Import imp, Module m, string prop |
+            pred = imp.getImportedModuleNode() and
+            m = imp.getImportedModule() and
+            lbl = Label::member(prop) and
+            rhs = m.getAnExportedValue(prop)
+          )
+          or
          exists(DataFlow::FunctionNode fn | fn = pred |
            not fn.getFunction().isAsync() and
            lbl = Label::return() and
--- a/javascript/ql/test/ApiGraphs/reexport/VerifyAssertions.expected
+++ b/javascript/ql/test/ApiGraphs/reexport/VerifyAssertions.expected
@@ -1,2 +1 @@
-| lib/stuff.js:1:19:1:103 | /* use  ... )))) */ | def (member other (member exports (module reexport))) has no outgoing edge labelled member bar; it has no outgoing edges at all. |
 | lib/utils.js:1:38:1:120 | /* use  ... )))) */ | def (member util (member exports (module reexport))) has no outgoing edge labelled member id; it has no outgoing edges at all. |