hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

more source code examples in PackageExports.qll

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2021-05-05 11:48:41 +02:00
parent 28eef264e5
commit fc3f5adbbb
1 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
javascript/ql/src/semmle/javascript/PackageExports.qll
View File

@@ -20,11 +20,17 @@ DataFlow::ParameterNode getALibraryInputParameter() {
* Gets a value exported by the main module from a named `package.json` file.
*/
private DataFlow::Node getAValueExportedByPackage() {
// The base case, an export from a named `package.json` file.
result =
getAnExportFromModule(any(PackageJSON pack | exists(pack.getPackageName())).getMainModule())
or
// module.exports.bar.baz = result;
result = getAValueExportedByPackage().(DataFlow::PropWrite).getRhs()
or
// class Foo {
// bar() {} // <- result
// };
// module.exports = new Foo();
exists(DataFlow::SourceNode callee |
callee = getAValueExportedByPackage().(DataFlow::NewNode).getCalleeNode().getALocalSource()
|
@@ -35,14 +41,21 @@ private DataFlow::Node getAValueExportedByPackage() {
or
result = getAValueExportedByPackage().getALocalSource()
or
// Nested property reads.
result = getAValueExportedByPackage().(DataFlow::SourceNode).getAPropertyReference()
or
// module.exports.foo = require("./other-module.js");
exists(Module mod |
mod = getAValueExportedByPackage().getEnclosingExpr().(Import).getImportedModule()
|
result = getAnExportFromModule(mod)
)
or
// module.exports = class Foo {
// bar() {} // <- result
// static baz() {} // <- result
// constructor() {} // <- result
// };
exists(DataFlow::ClassNode cla | cla = getAValueExportedByPackage() |
result = cla.getAnInstanceMethod() or
result = cla.getAStaticMethod() or
@@ -72,6 +85,12 @@ private DataFlow::Node getAValueExportedByPackage() {
)
or
// the exported value is a call to a unique callee
// ```JavaScript
// module.exports = foo();
// function foo() {
// return result;
// }
// ```
exists(DataFlow::CallNode call | call = getAValueExportedByPackage() |
result = unique( | | call.getCalleeNode().getAFunctionValue()).getAReturn()
)