Merge pull request #74 from xiemaisi/js/multi-step-export-from

semmle-qlci · web-flow · commit 0adeef73ff4d · 2018-08-20T12:36:26.000+01:00
Approved by asger-semmle
diff --git a/change-notes/1.18/analysis-javascript.md b/change-notes/1.18/analysis-javascript.md
@@ -8,6 +8,8 @@
 
 * Modelling of global variables has been improved. This may give more true-positive results and fewer false-positive results for a variety of queries.
 
+* Modelling of re-export declarations has been improved. This may result in fewer false-positive results for a variety of queries.
+
 * Modelling of taint flow through the array operations `map` and `join` has been improved. This may give additional results for the security queries.
 
 * Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following libraries:
diff --git a/javascript/ql/src/semmle/javascript/ES2015Modules.qll b/javascript/ql/src/semmle/javascript/ES2015Modules.qll
@@ -428,22 +428,39 @@ class ExportSpecifier extends Expr, @exportspecifier {
   string getExportedName() { result = getExported().getName() }
 }
 
-/** A named export specifier. */
+/**
+ * A named export specifier, for example `v` in `export { v }`.
+ */
 class NamedExportSpecifier extends ExportSpecifier, @namedexportspecifier {
 }
 
-/** A default export specifier. */
+/**
+ * A default export specifier, for example `default` in `export default 42`,
+ * or `v` in `export v from "mod"`.
+ */
 class ExportDefaultSpecifier extends ExportSpecifier, @exportdefaultspecifier {
-  override string getLocalName() {
-    getExportDeclaration() instanceof ReExportDeclaration and result = "default"
-  }
-
   override string getExportedName() {
     result = "default"
   }
 }
 
-/** A namespace export specifier. */
+/**
+ * A default export specifier in a re-export declaration, for example `v` in
+ * `export v from "mod"`.
+ */
+class ReExportDefaultSpecifier extends ExportDefaultSpecifier {
+  ReExportDefaultSpecifier() {
+    getExportDeclaration() instanceof ReExportDeclaration
+  }
+
+  override string getLocalName() { result = "default" }
+
+  override string getExportedName() { result = getExported().getName() }
+}
+
+/**
+ * A namespace export specifier, for example `*` in `export * from "mod"`.
+ */
 class ExportNamespaceSpecifier extends ExportSpecifier, @exportnamespacespecifier {
 }
 
diff --git a/javascript/ql/test/library-tests/Flow/AbstractValues.expected b/javascript/ql/test/library-tests/Flow/AbstractValues.expected
@@ -217,6 +217,12 @@
 | reexport-mixins.js:1:1:4:0 | module object of module reexport-mixins |
 | reexport-unknown.js:1:1:2:0 | exports object of module reexport-unknown |
 | reexport-unknown.js:1:1:2:0 | module object of module reexport-unknown |
+| reexport/client/src/index.js:1:1:3:0 | exports object of module index |
+| reexport/client/src/index.js:1:1:3:0 | module object of module index |
+| reexport/lib/index.js:1:1:4:0 | exports object of module index |
+| reexport/lib/index.js:1:1:4:0 | module object of module index |
+| reexport/lib/src/utils/util.js:1:1:3:0 | exports object of module util |
+| reexport/lib/src/utils/util.js:1:1:3:0 | module object of module util |
 | refinements.js:1:1:8:1 | function f1 |
 | refinements.js:1:1:8:1 | instance of function f1 |
 | refinements.js:10:1:24:1 | function f2 |
diff --git a/javascript/ql/test/library-tests/Flow/abseval.expected b/javascript/ql/test/library-tests/Flow/abseval.expected
@@ -221,6 +221,7 @@
 | objlit.js:38:11:38:12 | x6 | objlit.js:38:16:38:21 | this.h | file://:0:0:0:0 | indefinite value (heap) |
 | objlit.js:38:11:38:12 | x6 | objlit.js:38:16:38:21 | this.h | objlit.js:41:10:41:22 | anonymous function |
 | objlit.js:43:7:43:8 | o3 | objlit.js:43:12:45:3 | {\\n    _ ...  o2\\n  } | objlit.js:43:12:45:3 | object literal |
+| reexport/client/src/index.js:2:5:2:8 | test | reexport/client/src/index.js:2:12:2:15 | data | file://:0:0:0:0 | non-empty, non-numeric string |
 | refinements.js:3:7:3:8 | x1 | refinements.js:3:12:3:12 | g | file://:0:0:0:0 | undefined |
 | refinements.js:7:7:7:8 | x3 | refinements.js:7:12:7:12 | g | file://:0:0:0:0 | undefined |
 | refinements.js:11:7:11:7 | a | refinements.js:11:11:11:72 | Math.ra ... ' : 42) | file://:0:0:0:0 | non-empty, non-numeric string |
diff --git a/javascript/ql/test/library-tests/Flow/reexport/client/src/index.js b/javascript/ql/test/library-tests/Flow/reexport/client/src/index.js
@@ -0,0 +1,2 @@
+import { data } from '../../lib';
+var test = data;
diff --git a/javascript/ql/test/library-tests/Flow/reexport/lib/index.js b/javascript/ql/test/library-tests/Flow/reexport/lib/index.js
@@ -0,0 +1,3 @@
+export data from './src/utils/util'
+
+// semmle-extractor-options: --experimental
diff --git a/javascript/ql/test/library-tests/Flow/reexport/lib/src/utils/util.js b/javascript/ql/test/library-tests/Flow/reexport/lib/src/utils/util.js
@@ -0,0 +1,2 @@
+export default "data";
+
diff --git a/javascript/ql/test/library-tests/Flow/types.expected b/javascript/ql/test/library-tests/Flow/types.expected
@@ -121,6 +121,7 @@
 | objlit.js:37:11:37:12 | x5 | objlit.js:37:16:37:21 | this.f | boolean, class, date, function, null, number, object, regular expression,string or undefined |
 | objlit.js:38:11:38:12 | x6 | objlit.js:38:16:38:21 | this.h | boolean, class, date, function, null, number, object, regular expression,string or undefined |
 | objlit.js:43:7:43:8 | o3 | objlit.js:43:12:45:3 | {\\n    _ ...  o2\\n  } | object |
+| reexport/client/src/index.js:2:5:2:8 | test | reexport/client/src/index.js:2:12:2:15 | data | string |
 | refinements.js:3:7:3:8 | x1 | refinements.js:3:12:3:12 | g | undefined |
 | refinements.js:5:9:5:10 | x2 | refinements.js:5:14:5:14 | g |  |
 | refinements.js:7:7:7:8 | x3 | refinements.js:7:12:7:12 | g | undefined |
diff --git a/javascript/ql/test/library-tests/Modules/ExportDeclarations.expected b/javascript/ql/test/library-tests/Modules/ExportDeclarations.expected
@@ -1,10 +1,12 @@
 | a.js:1:1:3:1 | export  ... n 23;\\n} |
 | a.js:5:1:5:32 | export  ...  } = o; |
 | b.js:5:1:5:18 | export { f as g }; |
+| b.js:7:1:7:21 | export  ...  './a'; |
 | d.js:4:1:4:20 | export * from 'm/c'; |
 | e.js:2:1:2:16 | export { x, y }; |
 | e.js:3:1:3:35 | export  ...  './a'; |
 | es2015_require.js:3:1:3:25 | export  ... ss C {} |
 | export-in-mjs.mjs:1:1:1:34 | export  ... s = 42; |
 | f.ts:5:1:5:24 | export  ... oo() {} |
+| m/c.js:5:1:5:30 | export  ... '../b'; |
 | tst.html:7:3:7:22 | export const y = 42; |
diff --git a/javascript/ql/test/library-tests/Modules/ExportSpecifiers.expected b/javascript/ql/test/library-tests/Modules/ExportSpecifiers.expected
@@ -2,3 +2,4 @@
 | e.js:2:10:2:10 | x | e.js:2:10:2:10 | x | e.js:2:10:2:10 | x |
 | e.js:2:13:2:13 | y | e.js:2:13:2:13 | y | e.js:2:13:2:13 | y |
 | e.js:3:10:3:21 | default as g | e.js:3:10:3:16 | default | e.js:3:21:3:21 | g |
+| m/c.js:5:10:5:15 | g as h | m/c.js:5:10:5:10 | g | m/c.js:5:15:5:15 | h |
diff --git a/javascript/ql/test/library-tests/Modules/Module_exports.expected b/javascript/ql/test/library-tests/Modules/Module_exports.expected
@@ -1,11 +1,13 @@
 | a.js:1:1:5:32 | <toplevel> | default | a.js:1:1:3:1 | export  ... n 23;\\n} |
 | a.js:1:1:5:32 | <toplevel> | x | a.js:5:1:5:32 | export  ...  } = o; |
 | a.js:1:1:5:32 | <toplevel> | y | a.js:5:1:5:32 | export  ...  } = o; |
-| b.js:1:1:6:0 | <toplevel> | g | b.js:5:1:5:18 | export { f as g }; |
+| b.js:1:1:10:0 | <toplevel> | f2 | b.js:7:1:7:21 | export  ...  './a'; |
+| b.js:1:1:10:0 | <toplevel> | g | b.js:5:1:5:18 | export { f as g }; |
 | e.js:1:1:4:0 | <toplevel> | g | e.js:3:1:3:35 | export  ...  './a'; |
 | e.js:1:1:4:0 | <toplevel> | x | e.js:2:1:2:16 | export { x, y }; |
 | e.js:1:1:4:0 | <toplevel> | y | e.js:2:1:2:16 | export { x, y }; |
 | es2015_require.js:1:1:3:25 | <toplevel> | default | es2015_require.js:3:1:3:25 | export  ... ss C {} |
 | export-in-mjs.mjs:1:1:1:34 | <toplevel> | exported_from_mjs | export-in-mjs.mjs:1:1:1:34 | export  ... s = 42; |
 | f.ts:1:1:6:0 | <toplevel> | foo | f.ts:5:1:5:24 | export  ... oo() {} |
+| m/c.js:1:1:8:0 | <toplevel> | h | m/c.js:5:1:5:30 | export  ... '../b'; |
 | tst.html:4:23:8:0 | <toplevel> | y | tst.html:7:3:7:22 | export const y = 42; |
diff --git a/javascript/ql/test/library-tests/Modules/ReExportDeclarations.expected b/javascript/ql/test/library-tests/Modules/ReExportDeclarations.expected
@@ -1,2 +1,4 @@
+| b.js:7:1:7:21 | export  ...  './a'; | b.js:7:16:7:20 | './a' |
 | d.js:4:1:4:20 | export * from 'm/c'; | d.js:4:15:4:19 | 'm/c' |
 | e.js:3:1:3:35 | export  ...  './a'; | e.js:3:30:3:34 | './a' |
+| m/c.js:5:1:5:30 | export  ... '../b'; | m/c.js:5:24:5:29 | '../b' |
diff --git a/javascript/ql/test/library-tests/Modules/b.js b/javascript/ql/test/library-tests/Modules/b.js
@@ -3,3 +3,7 @@ import f from './a';
 f();
 
 export { f as g };
+
+export f2 from './a';
+
+// semmle-extractor-options: --experimental
diff --git a/javascript/ql/test/library-tests/Modules/getExportedName.expected b/javascript/ql/test/library-tests/Modules/getExportedName.expected
@@ -0,0 +1,6 @@
+| b.js:5:10:5:15 | f as g | f |
+| b.js:7:8:7:9 | f2 | default |
+| e.js:2:10:2:10 | x | x |
+| e.js:2:13:2:13 | y | y |
+| e.js:3:10:3:21 | default as g | default |
+| m/c.js:5:10:5:15 | g as h | g |
diff --git a/javascript/ql/test/library-tests/Modules/getExportedName.ql b/javascript/ql/test/library-tests/Modules/getExportedName.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from ExportSpecifier es
+select es, es.getLocalName()
diff --git a/javascript/ql/test/library-tests/Modules/getLocalName.expected b/javascript/ql/test/library-tests/Modules/getLocalName.expected
@@ -0,0 +1,6 @@
+| b.js:5:10:5:15 | f as g | f |
+| b.js:7:8:7:9 | f2 | default |
+| e.js:2:10:2:10 | x | x |
+| e.js:2:13:2:13 | y | y |
+| e.js:3:10:3:21 | default as g | default |
+| m/c.js:5:10:5:15 | g as h | g |
diff --git a/javascript/ql/test/library-tests/Modules/getLocalName.ql b/javascript/ql/test/library-tests/Modules/getLocalName.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from ExportSpecifier es
+select es, es.getLocalName()
diff --git a/javascript/ql/test/library-tests/Modules/getSourceNode.expected b/javascript/ql/test/library-tests/Modules/getSourceNode.expected
@@ -1,10 +1,12 @@
 | a.js:1:1:3:1 | export  ... n 23;\\n} | default | a.js:1:16:3:1 | functio ... n 23;\\n} |
 | a.js:5:1:5:32 | export  ...  } = o; | x | a.js:5:18:5:20 | f() |
 | b.js:5:1:5:18 | export { f as g }; | g | b.js:5:10:5:10 | f |
+| b.js:7:1:7:21 | export  ...  './a'; | f2 | a.js:1:16:3:1 | functio ... n 23;\\n} |
 | e.js:2:1:2:16 | export { x, y }; | x | e.js:2:10:2:10 | x |
 | e.js:2:1:2:16 | export { x, y }; | y | e.js:2:13:2:13 | y |
 | e.js:3:1:3:35 | export  ...  './a'; | g | a.js:1:16:3:1 | functio ... n 23;\\n} |
 | es2015_require.js:3:1:3:25 | export  ... ss C {} | default | es2015_require.js:3:16:3:25 | class C {} |
 | export-in-mjs.mjs:1:1:1:34 | export  ... s = 42; | exported_from_mjs | export-in-mjs.mjs:1:32:1:33 | 42 |
 | f.ts:5:1:5:24 | export  ... oo() {} | foo | f.ts:5:8:5:24 | function foo() {} |
+| m/c.js:5:1:5:30 | export  ... '../b'; | h | b.js:5:10:5:10 | f |
 | tst.html:7:3:7:22 | export const y = 42; | y | tst.html:7:20:7:21 | 42 |
diff --git a/javascript/ql/test/library-tests/Modules/m/c.js b/javascript/ql/test/library-tests/Modules/m/c.js
@@ -1,3 +1,7 @@
 import * as b from '../b';
 
 b.g();
+
+export { g as h } from '../b';
+
+// semmle-extractor-options: --experimental

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+import { data } from '../../lib';`
	`2`	`+var test = data;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+export data from './src/utils/util'`
	`2`	`+`
	`3`	`+// semmle-extractor-options: --experimental`