Merge pull request #4097 from erik-krogh/createRequire

Approved by esbena

javascript/ql/src/semmle/javascript/NodeJS.qll

@@ -162,6 +162,17 @@ private predicate isRequire(DataFlow::Node nd) {
   not nd.getFile().getExtension() = "mjs"
   or
   isRequire(nd.getAPredecessor())
+  or
+  // `import { createRequire } from 'module';` support.
+  // specialized to ES2015 modules to avoid recursion in the `DataFlow::moduleImport()` predicate.
+  exists(ImportDeclaration imp | imp.getImportedPath().getValue() = "module" |
+    nd =
+      imp
+          .getImportedModuleNode()
+          .(DataFlow::SourceNode)
+          .getAPropertyRead("createRequire")
+          .getACall()
+  )
 }
 
 /**

javascript/ql/test/library-tests/NodeJS/Require.expected

@@ -15,6 +15,7 @@
 | g.js:1:43:1:61 | require("electron") |
 | index.js:1:12:1:26 | require('path') |
 | index.js:2:1:2:41 | require ... b.js")) |
+| mjs-files/createRequire.mjs:4:26:4:49 | require ... erver') |
 | mjs-files/require-from-js.js:1:12:1:36 | require ... on-me') |
 | mjs-files/require-from-js.js:2:12:2:39 | require ... me.js') |
 | mjs-files/require-from-js.js:3:12:3:40 | require ... e.mjs') |

javascript/ql/test/library-tests/NodeJS/mjs-files/createRequire.mjs

@@ -0,0 +1,4 @@
+import { createRequire } from 'module';
+
+const require = createRequire(import.meta.url);
+const { ApolloServer } = require('apollo-server');