Merge pull request #1479 from xiemaisi/js/remove-circularity

semmle-qlci · web-flow · commit 4d779026d2fd · 2019-06-21T09:03:13.000+01:00
Approved by asger-semmle
diff --git a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -13,7 +13,10 @@ module NodeJSLib {
    */
   private class ImplicitProcessImport extends DataFlow::ModuleImportNode::Range {
     ImplicitProcessImport() {
-      this = DataFlow::globalVarRef("process") and
+      exists(GlobalVariable process |
+        process.getName() = "process" and
+        this = DataFlow::exprNode(process.getAnAccess())
+      ) and
       getTopLevel() instanceof NodeModule
     }
 
@@ -24,9 +27,17 @@ module NodeJSLib {
    * Gets a reference to the 'process' object.
    */
   DataFlow::SourceNode process() {
+    result = DataFlow::globalVarRef("process") or
     result = DataFlow::moduleImport("process")
   }
 
+  /**
+   * Gets a reference to a member of the 'process' object.
+   */
+  private DataFlow::SourceNode processMember(string member) {
+    result = process().getAPropertyRead(member)
+  }
+
   /**
    * Holds if `call` is an invocation of `http.createServer` or `https.createServer`.
    */
@@ -365,7 +376,7 @@ module NodeJSLib {
     ProcessTermination() {
       this = DataFlow::moduleImport("exit").getAnInvocation()
       or
-      this = DataFlow::moduleMember("process", "exit").getACall()
+      this = processMember("exit").getACall()
     }
   }
 
diff --git a/javascript/ql/test/library-tests/ModuleImportNodes/TSGlobalImport.expected b/javascript/ql/test/library-tests/ModuleImportNodes/TSGlobalImport.expected
@@ -16,4 +16,3 @@
 | process2.js:1:1:1:13 | require('fs') | fs |
 | process2.js:2:10:2:16 | process | process |
 | process.js:1:10:1:27 | require('process') | process |
-| process.js:2:10:2:23 | global.process | process |
diff --git a/javascript/ql/test/library-tests/ModuleImportNodes/process.js b/javascript/ql/test/library-tests/ModuleImportNodes/process.js
@@ -1,2 +1,2 @@
 var p1 = require('process');
-var p2 = global.process;
+var p2 = global.process; // not detected yet
diff --git a/javascript/ql/test/library-tests/ModuleImportNodes/tests.expected b/javascript/ql/test/library-tests/ModuleImportNodes/tests.expected
@@ -44,7 +44,6 @@ test_moduleImport
 | net | client1.ts:6:9:6:11 | net |
 | process | process2.js:2:10:2:16 | process |
 | process | process.js:1:10:1:27 | require('process') |
-| process | process.js:2:10:2:23 | global.process |
 test_moduleMember
 | electron | BrowserWindow | destructuringES6.js:1:10:1:22 | BrowserWindow |
 | electron | BrowserWindow | destructuringRequire.js:1:9:1:21 | BrowserWindow |
@@ -78,7 +77,6 @@ test_ModuleImportNode_getPath
 | process2.js:1:1:1:13 | require('fs') | fs |
 | process2.js:2:10:2:16 | process | process |
 | process.js:1:10:1:27 | require('process') | process |
-| process.js:2:10:2:23 | global.process | process |
 test_ModuleImportNode_getAMethodCall
 | amd1.js:1:25:1:26 | fs | amd1.js:2:3:2:29 | fs.read ... a.txt") |
 | amd2.js:2:12:2:24 | require('fs') | amd2.js:3:3:3:29 | fs.read ... a.txt") |

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`var p1 = require('process');`
`2`		`-var p2 = global.process;`
	`2`	`+var p2 = global.process; // not detected yet`