Merge pull request #12867 from asgerf/js/webpack-bundles

JS: Ignore more webpack modules
2025-12-16 16:53:25 +01:00 · 2023-04-28 14:35:57 +02:00
parent edfe2d7ab7 1c2fdc8df9
commit f87740ab18
2 changed files with 27 additions and 4 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/Bundling.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Bundling.qll
@@ -106,10 +106,10 @@ private predicate isBrowserifyDependencyMap(ObjectExpr deps) {
 * or their name must contain the substring "webpack_require"
 * or "webpack_module_template_argument".
 */
-private predicate isWebpackModule(FunctionExpr m) {
+private predicate isWebpackModule(Function m) {
  forex(Parameter parm | parm = m.getAParameter() |
    exists(string name | name = parm.getName() |
-      name.regexpMatch("module|exports|.*webpack_require.*|.*webpack_module_template_argument.*")
+      name.regexpMatch("module|exports|.*webpack_require.*|.*webpack_module_template_argument.*|.*unused_webpack_module.*")
    )
  )
 }
@@ -161,6 +161,23 @@ predicate isWebpackBundle(ArrayExpr ae) {
  )
 }

+/**
+ * Holds if `object` looks like a Webpack bundle of form:
+ * ```javascript
+ * var __webpack_modules__ = ({
+ *   "file1": ((module, __webpack__exports__, __webpack_require__) => ...)
+ *   ...
+ * })
+ * ```
+ */
+predicate isWebpackNamedBundle(ObjectExpr object) {
+  isWebpackModule(object.getAProperty().getInit().getUnderlyingValue()) and
+  exists(VarDef def |
+    def.getSource().(Expr).getUnderlyingValue() = object and
+    def.getTarget().(VarRef).getName() = "__webpack_modules__"
+  )
+}
+
 /**
 * Holds if `tl` is a collection of concatenated files by [atpackager](https://github.com/ariatemplates/atpackager).
 */
@@ -233,7 +250,8 @@ predicate isDirectiveBundle(TopLevel tl) { exists(BundleDirective d | d.getTopLe
 predicate isBundle(TopLevel tl) {
  exists(Expr e | e.getTopLevel() = tl |
    isBrowserifyBundle(e) or
-    isWebpackBundle(e)
+    isWebpackBundle(e) or
+    isWebpackNamedBundle(e)
  )
  or
  isMultiPartBundle(tl)
--- a/javascript/ql/lib/semmle/javascript/security/regexp/RegExpTreeView.qll
+++ b/javascript/ql/lib/semmle/javascript/security/regexp/RegExpTreeView.qll
@@ -4,6 +4,7 @@

 private import codeql.regex.nfa.NfaUtils as NfaUtils
 private import codeql.regex.RegexTreeView
+private import semmle.javascript.frameworks.Bundling

 /** An implementation that parses a regular expression into a tree of `RegExpTerm`s. */
 module RegExpTreeView implements RegexTreeViewSig {
@@ -42,7 +43,11 @@ module RegExpTreeView implements RegexTreeViewSig {
   *
   * For javascript we make the pragmatic performance optimization to ignore minified files.
   */
-  predicate isExcluded(RegExpParent parent) { parent.(Expr).getTopLevel().isMinified() }
+  predicate isExcluded(RegExpParent parent) {
+    parent.(Expr).getTopLevel().isMinified()
+    or
+    isBundle(parent.(Expr).getTopLevel())
+  }

  /**
   * Holds if `root` has the `i` flag for case-insensitive matching.