JavaScript: Recognise references to the process global.

Author: Max Schaefer

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -8,19 +8,23 @@ import semmle.javascript.security.SensitiveActions
 
 module NodeJSLib {
   /**
-   * Gets a reference to the 'process' object.
+   * An access to the global `process` variable in a Node.js module, interpreted as
+   * an import of the `process` module.
    */
-  DataFlow::SourceNode process() {
-    result = DataFlow::globalVarRef("process") or
-    result = DataFlow::moduleImport("process")
+  private class ImplicitProcessImport extends DataFlow::ModuleImportNode::Range {
+    ImplicitProcessImport() {
+      this = DataFlow::globalVarRef("process") and
+      getTopLevel() instanceof NodeModule
+    }
+
+    override string getPath() { result = "process" }
   }
 
   /**
-   * Gets a reference to a member of the 'process' object.
+   * Gets a reference to the 'process' object.
    */
-  private DataFlow::SourceNode processMember(string member) {
-    result = process().getAPropertyRead(member) or
-    result = DataFlow::moduleMember("process", member)
+  DataFlow::SourceNode process() {
+    result = DataFlow::moduleImport("process")
   }
 
   /**
@@ -363,7 +367,7 @@ module NodeJSLib {
     ProcessTermination() {
       this = DataFlow::moduleImport("exit").getAnInvocation()
       or
-      this = processMember("exit").getACall()
+      this = DataFlow::moduleMember("process", "exit").getACall()
     }
   }