add support for re-exports using the spread operator for NodeJS exports

Author: erik-krogh

javascript/ql/src/semmle/javascript/NodeJS.qll

@@ -55,6 +55,22 @@ class NodeModule extends Module {
       name = pwn.getPropertyName()
     )
     or
+    // a re-export using spread-operator. E.g. `const foo = require("./foo"); module.exports = {bar: bar, ...foo};`
+    exists(ObjectExpr obj | obj.analyze().getAValue() = getAModuleExportsValue() |
+      obj
+          .getAProperty()
+          .(SpreadProperty)
+          .getInit()
+          .(SpreadElement)
+          .getOperand()
+          .flow()
+          .getALocalSource()
+          .asExpr()
+          .(Import)
+          .getImportedModule()
+          .exports(name, export)
+    )
+    or
     // an externs definition (where appropriate)
     exists(PropAccess pacc | export = pacc |
       pacc.getBase().analyze().getAValue() = getAModuleExportsValue() and

javascript/ql/test/library-tests/NodeJS/ModuleAccess.expected

@@ -1,2 +1,4 @@
 | b.js:7:22:7:27 | module |
 | d.js:3:1:3:6 | module |
+| reexport/a.js:1:1:1:6 | module |
+| reexport/b.js:3:1:3:6 | module |

javascript/ql/test/library-tests/NodeJS/Module_getAnExportedSymbol.expected

@@ -1,4 +1,7 @@
 | b.js:1:1:8:0 | <toplevel> | sneaky |
 | d.js:1:1:7:15 | <toplevel> | baz |
+| reexport/a.js:1:1:3:1 | <toplevel> | foo |
+| reexport/b.js:1:1:6:1 | <toplevel> | bar |
+| reexport/b.js:1:1:6:1 | <toplevel> | foo |
 | sub/c.js:1:1:4:0 | <toplevel> | foo |
 | sub/f.js:1:1:4:17 | <toplevel> | bar |

javascript/ql/test/library-tests/NodeJS/Module_getAnImport.expected

@@ -15,4 +15,5 @@
 | mjs-files/require-from-js.js:1:1:4:0 | <toplevel> | mjs-files/require-from-js.js:1:12:1:36 | require ... on-me') |
 | mjs-files/require-from-js.js:1:1:4:0 | <toplevel> | mjs-files/require-from-js.js:2:12:2:39 | require ... me.js') |
 | mjs-files/require-from-js.js:1:1:4:0 | <toplevel> | mjs-files/require-from-js.js:3:12:3:40 | require ... e.mjs') |
+| reexport/b.js:1:1:6:1 | <toplevel> | reexport/b.js:1:11:1:24 | require("./a") |
 | sub/c.js:1:1:4:0 | <toplevel> | sub/c.js:1:1:1:15 | require('../a') |

javascript/ql/test/library-tests/NodeJS/Module_getAnImportedModule.expected

@@ -8,4 +8,5 @@
 | index.js:1:1:3:0 | <toplevel> | b.js:1:1:8:0 | <toplevel> |
 | mjs-files/require-from-js.js:1:1:4:0 | <toplevel> | mjs-files/depend-on-me.js:1:1:8:0 | <toplevel> |
 | mjs-files/require-from-js.js:1:1:4:0 | <toplevel> | mjs-files/depend-on-me.mjs:1:1:7:1 | <toplevel> |
+| reexport/b.js:1:1:6:1 | <toplevel> | reexport/a.js:1:1:3:1 | <toplevel> |
 | sub/c.js:1:1:4:0 | <toplevel> | a.js:1:1:14:0 | <toplevel> |

javascript/ql/test/library-tests/NodeJS/Modules.expected

@@ -4,5 +4,7 @@
 | e.js:1:1:6:0 | <toplevel> | e.js:0:0:0:0 | e.js | e.js | e |
 | index.js:1:1:3:0 | <toplevel> | index.js:0:0:0:0 | index.js | index.js | index |
 | mjs-files/require-from-js.js:1:1:4:0 | <toplevel> | mjs-files/require-from-js.js:0:0:0:0 | mjs-files/require-from-js.js | mjs-files/require-from-js.js | require-from-js |
+| reexport/a.js:1:1:3:1 | <toplevel> | reexport/a.js:0:0:0:0 | reexport/a.js | reexport/a.js | a |
+| reexport/b.js:1:1:6:1 | <toplevel> | reexport/b.js:0:0:0:0 | reexport/b.js | reexport/b.js | b |
 | sub/c.js:1:1:4:0 | <toplevel> | sub/c.js:0:0:0:0 | sub/c.js | sub/c.js | c |
 | sub/f.js:1:1:4:17 | <toplevel> | sub/f.js:0:0:0:0 | sub/f.js | sub/f.js | f |

javascript/ql/test/library-tests/NodeJS/NodeModule_exports.expected

@@ -2,5 +2,8 @@
 | d.js:1:1:7:15 | <toplevel> | baz | d.js:4:2:4:8 | baz: 42 |
 | mjs-files/depend-on-me.js:1:1:8:0 | <toplevel> | add | mjs-files/depend-on-me.js:5:1:7:1 | export  ...  + y;\\n} |
 | mjs-files/depend-on-me.mjs:1:1:7:1 | <toplevel> | add | mjs-files/depend-on-me.mjs:5:1:7:1 | export  ...  + y;\\n} |
+| reexport/a.js:1:1:3:1 | <toplevel> | foo | reexport/a.js:2:5:2:26 | foo: fu ... oo() {} |
+| reexport/b.js:1:1:6:1 | <toplevel> | bar | reexport/b.js:4:5:4:26 | bar: fu ... ar() {} |
+| reexport/b.js:1:1:6:1 | <toplevel> | foo | reexport/a.js:2:5:2:26 | foo: fu ... oo() {} |
 | sub/c.js:1:1:4:0 | <toplevel> | foo | sub/c.js:3:1:3:11 | exports.foo |
 | sub/f.js:1:1:4:17 | <toplevel> | bar | sub/f.js:4:1:4:11 | exports.bar |

javascript/ql/test/library-tests/NodeJS/Require.expected

@@ -19,4 +19,5 @@
 | mjs-files/require-from-js.js:1:12:1:36 | require ... on-me') |
 | mjs-files/require-from-js.js:2:12:2:39 | require ... me.js') |
 | mjs-files/require-from-js.js:3:12:3:40 | require ... e.mjs') |
+| reexport/b.js:1:11:1:24 | require("./a") |
 | sub/c.js:1:1:1:15 | require('../a') |

javascript/ql/test/library-tests/NodeJS/RequireImport.expected

@@ -11,4 +11,5 @@
 | mjs-files/require-from-js.js:1:12:1:36 | require ... on-me') | ./depend-on-me | mjs-files/depend-on-me.mjs:1:1:7:1 | <toplevel> |
 | mjs-files/require-from-js.js:2:12:2:39 | require ... me.js') | ./depend-on-me.js | mjs-files/depend-on-me.js:1:1:8:0 | <toplevel> |
 | mjs-files/require-from-js.js:3:12:3:40 | require ... e.mjs') | ./depend-on-me.mjs | mjs-files/depend-on-me.mjs:1:1:7:1 | <toplevel> |
+| reexport/b.js:1:11:1:24 | require("./a") | ./a | reexport/a.js:1:1:3:1 | <toplevel> |
 | sub/c.js:1:1:1:15 | require('../a') | ../a | a.js:1:1:14:0 | <toplevel> |

javascript/ql/test/library-tests/NodeJS/reexport/a.js

@@ -0,0 +1,3 @@
+module.exports = {
+    foo: function foo() {}
+}