require that the factory function is in a main module file

2026-04-28 02:05:14 +02:00 · 2021-05-05 12:00:38 +02:00
parent fc3f5adbbb
commit e333267e69
2 changed files with 11 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/src/semmle/javascript/PackageExports.qll
@@ -16,6 +16,8 @@ DataFlow::ParameterNode getALibraryInputParameter() {
  )
 }

+private import NodeModuleResolutionImpl as NodeModule
+
 /**
 * Gets a value exported by the main module from a named `package.json` file.
 */
@@ -77,11 +79,18 @@ private DataFlow::Node getAValueExportedByPackage() {
  //   ....
  // }));
  // ```
+  // Such files are not recognized as modules, so we manually use `NodeModule::resolveMainModule` to resolve the file against a `package.json` file.
  exists(ImmediatelyInvokedFunctionExpr func, DataFlow::ParameterNode prev, int i |
    prev.getName() = "factory" and
    func.getParameter(i) = prev.getParameter() and
    result = func.getInvocation().getArgument(i).flow().getAFunctionValue().getAReturn() and
-    DataFlow::globalVarRef("define").getACall().getArgument(1) = prev.getALocalUse()
+    DataFlow::globalVarRef("define").getACall().getArgument(1) = prev.getALocalUse() and
+    func.getFile() =
+      min(int j, File f |
+        f = NodeModule::resolveMainModule(any(PackageJSON pack | exists(pack.getPackageName())), j)
+      |
+        f order by j
+      )
  )
  or
  // the exported value is a call to a unique callee