Merge pull request #19210 from Napalys/js/mkdirp

JS: Modeling of `mkdirp` functions
2026-04-28 18:25:24 +02:00 · 2025-04-09 13:43:37 +02:00
parent 9323f1aaf0 0e7bff0f81
commit f02783a9c6
5 changed files with 73 additions and 13 deletions
--- a/javascript/ql/lib/change-notes/2025-04-02-mkdirp.md
+++ b/javascript/ql/lib/change-notes/2025-04-02-mkdirp.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for additional `mkdirp` methods as sinks in path-injection queries.
--- a/javascript/ql/lib/ext/mkdirp.model.yml
+++ b/javascript/ql/lib/ext/mkdirp.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["mkdirp", "Member[nativeSync,native,manual,manualSync,mkdirpNative,mkdirpManual,mkdirpManualSync,mkdirpNativeSync,mkdirpSync,sync].Argument[0]", "path-injection"]
+      - ["mkdirp", "Argument[0]", "path-injection"]
--- a/javascript/ql/lib/semmle/javascript/frameworks/Files.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Files.qll
@@ -427,16 +427,3 @@ class Chokidar extends FileNameProducer, FileSystemAccess, API::CallNode {
    )
  }
 }
-
-/**
- * A call to the [`mkdirp`](https://www.npmjs.com/package/mkdirp) library.
- */
-private class Mkdirp extends FileSystemAccess, API::CallNode {
-  Mkdirp() {
-    this = API::moduleImport("mkdirp").getACall()
-    or
-    this = API::moduleImport("mkdirp").getMember("sync").getACall()
-  }
-
-  override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
-}