JS: core improvements

2026-05-20 22:27:18 +02:00 · 2020-06-25 11:53:42 +02:00
parent f60a82dfc3
commit e723c6e790
2 changed files with 41 additions and 3 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
@@ -28,6 +28,7 @@ string getAStandardLoggerMethodName() {
  result = "notice" or
  result = "silly" or
  result = "trace" or
+  result = "verbose" or
  result = "warn"
 }

@@ -131,3 +132,30 @@ private module log4js {
    override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
  }
 }
+
+/**
+ * Provides classes for working with [npmlog](https://github.com/npm/npmlog)
+ */
+private module Npmlog {
+  /**
+   * A call to the console logging mechanism.
+   */
+  class Npmlog extends LoggerCall {
+    string name;
+
+    Npmlog() {
+      this = DataFlow::moduleMember("npmlog", name).getACall() and
+      name = getAStandardLoggerMethodName()
+    }
+
+    override DataFlow::Node getAMessageComponent() {
+      (
+        if name = "log"
+        then result = getArgument([1 .. getNumArgument()])
+        else result = getAnArgument()
+      )
+      or
+      result = getASpreadArgument()
+    }
+  }
+}
--- a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -444,9 +444,11 @@ module NodeJSLib {
     * A member `member` from module `fs` or its drop-in replacements `graceful-fs`, `fs-extra`, `original-fs`.
     */
    DataFlow::SourceNode moduleMember(string member) {
-      result = fsModule(DataFlow::TypeTracker::end()).getAPropertyRead(member)
+      result = fsModule().getAPropertyRead(member)
    }

+    DataFlow::SourceNode fsModule() { result = fsModule(DataFlow::TypeTracker::end()) }
+
    private DataFlow::SourceNode fsModule(DataFlow::TypeTracker t) {
      exists(string moduleName |
        moduleName = ["mz/fs", "original-fs", "fs-extra", "graceful-fs", "fs"]
@@ -468,7 +470,15 @@ module NodeJSLib {
  private class NodeJSFileSystemAccess extends FileSystemAccess, DataFlow::CallNode {
    string methodName;

-    NodeJSFileSystemAccess() { this = maybePromisified(FS::moduleMember(methodName)).getACall() }
+    NodeJSFileSystemAccess() {
+      this = maybePromisified(FS::moduleMember(methodName)).getACall()
+      or
+      exists(DataFlow::CallNode promisifyAll |
+        promisifyAll = DataFlow::moduleMember("bluebird", "promisifyAll").getACall() and
+        FS::fsModule().flowsTo(promisifyAll.getArgument(0)) and
+        this = promisifyAll.getAMemberCall(methodName)
+      )
+    }

    /**
     * Gets the name of the called method.
@@ -604,7 +614,7 @@ module NodeJSLib {
    result = callback
    or
    exists(DataFlow::CallNode promisify |
-      promisify = DataFlow::moduleMember("util", "promisify").getACall()
+      promisify = DataFlow::moduleMember(["util", "bluebird"], "promisify").getACall()
    |
      result = promisify and promisify.getArgument(0).getALocalSource() = callback
    )