require that the factory function is in a main module file

erik-krogh · erik-krogh · commit e333267e69a5 · 2021-05-05T12:00:38.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/PackageExports.qll b/javascript/ql/src/semmle/javascript/PackageExports.qll
@@ -16,6 +16,8 @@ DataFlow::ParameterNode getALibraryInputParameter() {
   )
 }
 
+private import NodeModuleResolutionImpl as NodeModule
+
 /**
  * Gets a value exported by the main module from a named `package.json` file.
  */
@@ -77,11 +79,18 @@ private DataFlow::Node getAValueExportedByPackage() {
   //   ....
   // }));
   // ```
+  // Such files are not recognized as modules, so we manually use `NodeModule::resolveMainModule` to resolve the file against a `package.json` file.
   exists(ImmediatelyInvokedFunctionExpr func, DataFlow::ParameterNode prev, int i |
     prev.getName() = "factory" and
     func.getParameter(i) = prev.getParameter() and
     result = func.getInvocation().getArgument(i).flow().getAFunctionValue().getAReturn() and
-    DataFlow::globalVarRef("define").getACall().getArgument(1) = prev.getALocalUse()
+    DataFlow::globalVarRef("define").getACall().getArgument(1) = prev.getALocalUse() and
+    func.getFile() =
+      min(int j, File f |
+        f = NodeModule::resolveMainModule(any(PackageJSON pack | exists(pack.getPackageName())), j)
+      |
+        f order by j
+      )
   )
   or
   // the exported value is a call to a unique callee
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/package.json b/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/package.json
@@ -1,5 +1,5 @@
 {
   "name": "my-sub-lib",
   "version": "0.0.7",
-  "main": "./my-file.js"
+  "main": "./factory.js"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "my-sub-lib",`
`3`	`3`	`"version": "0.0.7",`
`4`		`- "main": "./my-file.js"`
	`4`	`+ "main": "./factory.js"`
`5`	`5`	`}`