Merge pull request #4391 from max-schaefer/js/api-graph-reexport

codeql-ci · web-flow · commit 8eb84b259963 · 2020-10-12T05:26:53.000-07:00
Approved by asgerf
diff --git a/javascript/ql/src/semmle/javascript/ApiGraphs.qll b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
@@ -419,11 +419,20 @@ module API {
         exists(DataFlow::Node def, DataFlow::SourceNode pred |
           rhs(base, def) and pred = trackDefNode(def)
         |
+          // from `x` to a definition of `x.prop`
           exists(DataFlow::PropWrite pw | pw = pred.getAPropertyWrite() |
             lbl = Label::memberFromRef(pw) and
             rhs = pw.getRhs()
           )
           or
+          // special case: from `require('m')` to an export of `prop` in `m`
+          exists(Import imp, Module m, string prop |
+            pred = imp.getImportedModuleNode() and
+            m = imp.getImportedModule() and
+            lbl = Label::member(prop) and
+            rhs = m.getAnExportedValue(prop)
+          )
+          or
           exists(DataFlow::FunctionNode fn | fn = pred |
             not fn.getFunction().isAsync() and
             lbl = Label::return() and
@@ -561,15 +570,11 @@ module API {
     cached
     predicate use(TApiNode nd, DataFlow::Node ref) {
       exists(string m, Module mod | nd = MkModuleDef(m) and mod = importableModule(m) |
-        ref = DataFlow::ssaDefinitionNode(SSA::implicitInit(mod.(NodeModule).getModuleVariable()))
-        or
-        ref = DataFlow::parameterNode(mod.(AmdModule).getDefine().getModuleParameter())
+        ref.(ModuleAsSourceNode).getModule() = mod
       )
       or
       exists(string m, Module mod | nd = MkModuleExport(m) and mod = importableModule(m) |
-        ref = DataFlow::ssaDefinitionNode(SSA::implicitInit(mod.(NodeModule).getExportsVariable()))
-        or
-        ref = DataFlow::parameterNode(mod.(AmdModule).getDefine().getExportsParameter())
+        ref.(ExportsAsSourceNode).getModule() = mod
         or
         exists(DataFlow::Node base | use(MkModuleDef(m), base) |
           ref = trackUseNode(base).getAPropertyRead("exports")
@@ -640,6 +645,16 @@ module API {
       rhs(_, nd) and
       result = nd.getALocalSource()
       or
+      // additional backwards step from `require('m')` to `exports` or `module.exports` in m
+      exists(Import imp | imp.getImportedModuleNode() = trackDefNode(nd, t.continue()) |
+        result.(ExportsAsSourceNode).getModule() = imp.getImportedModule()
+        or
+        exists(ModuleAsSourceNode mod |
+          mod.getModule() = imp.getImportedModule() and
+          result = mod.(DataFlow::SourceNode).getAPropertyRead("exports")
+        )
+      )
+      or
       exists(DataFlow::TypeBackTracker t2 | result = trackDefNode(nd, t2).backtrack(t2, t))
     }
 
@@ -796,13 +811,31 @@ private module Label {
 }
 
 /**
- * A CommonJS `module` or `exports` variable, considered as a source node.
+ * A CommonJS/AMD `module` variable, considered as a source node.
  */
-private class AdditionalSourceNode extends DataFlow::SourceNode::Range {
-  AdditionalSourceNode() {
-    exists(NodeModule m, Variable v |
-      v in [m.getModuleVariable(), m.getExportsVariable()] and
-      this = DataFlow::ssaDefinitionNode(SSA::implicitInit(v))
-    )
+private class ModuleAsSourceNode extends DataFlow::SourceNode::Range {
+  Module m;
+
+  ModuleAsSourceNode() {
+    this = DataFlow::ssaDefinitionNode(SSA::implicitInit(m.(NodeModule).getModuleVariable()))
+    or
+    this = DataFlow::parameterNode(m.(AmdModule).getDefine().getModuleParameter())
+  }
+
+  Module getModule() { result = m }
+}
+
+/**
+ * A CommonJS/AMD `exports` variable, considered as a source node.
+ */
+private class ExportsAsSourceNode extends DataFlow::SourceNode::Range {
+  Module m;
+
+  ExportsAsSourceNode() {
+    this = DataFlow::ssaDefinitionNode(SSA::implicitInit(m.(NodeModule).getExportsVariable()))
+    or
+    this = DataFlow::parameterNode(m.(AmdModule).getDefine().getExportsParameter())
   }
+
+  Module getModule() { result = m }
 }
diff --git a/javascript/ql/test/ApiGraphs/reexport/VerifyAssertions.expected b/javascript/ql/test/ApiGraphs/reexport/VerifyAssertions.expected
@@ -1 +0,0 @@
-| lib/utils.js:1:38:1:120 | /* use  ... )))) */ | def (member util (member exports (module reexport))) has no outgoing edge labelled member id; it has no outgoing edges at all. |
diff --git a/javascript/ql/test/ApiGraphs/reexport/index.js b/javascript/ql/test/ApiGraphs/reexport/index.js
@@ -2,5 +2,7 @@ const impl = require("./lib/impl.js");
 
 module.exports = {
     impl,
-    util: require("./lib/utils")
-};
+    util: require("./lib/utils"),
+    other: require("./lib/stuff"),
+    util2: require("./lib/utils2")
+};
diff --git a/javascript/ql/test/ApiGraphs/reexport/lib/stuff.js b/javascript/ql/test/ApiGraphs/reexport/lib/stuff.js
@@ -0,0 +1,5 @@
+function foo(x) { /* use (parameter 0 (member bar (member other (member exports (module reexport)))) */
+    return x + 1;
+}
+
+export const bar = foo;
diff --git a/javascript/ql/test/ApiGraphs/reexport/lib/utils2.js b/javascript/ql/test/ApiGraphs/reexport/lib/utils2.js
@@ -0,0 +1,5 @@
+module.exports = {
+    id: function id(x) { /* use (parameter 0 (member id (member util2 (member exports (module reexport)))) */
+	return x;
+    }
+};

Original file line number	Diff line number	Diff line change
`@@ -1 +0,0 @@`
`1`		`-\| lib/utils.js:1:38:1:120 \| /* use ... )))) */ \| def (member util (member exports (module reexport))) has no outgoing edge labelled member id; it has no outgoing edges at all. \|`