зеркало из https://github.com/github/codeql.git
JavaScript: Broaden scope of imports considered relevant to portals.
Previously, we only considered an import relevant to portals if the path it imported was declared as a dependency. This falls down for deep imports where a specific module inside the package is imported rather than the default entry point, for imports of built-in modules like `fs`, and in cases where a developer simply forgets to declare a dependency. So instead we now consider all imports relevant whose path does not start with a dot or a slash.
Родитель
8b4b5781e6
Коммит
c40ef0556a
|
@ -181,7 +181,7 @@ private module NpmPackagePortal {
|
|||
predicate imports(DataFlow::SourceNode imp, string pkgName) {
|
||||
exists(NPMPackage pkg |
|
||||
imp = getAModuleImport(pkg, pkgName) and
|
||||
pkg.declaresDependency(pkgName, _)
|
||||
pkgName.regexpMatch("[^./].*")
|
||||
)
|
||||
}
|
||||
|
||||
|
@ -189,7 +189,7 @@ private module NpmPackagePortal {
|
|||
predicate imports(DataFlow::SourceNode imp, string pkgName, string member) {
|
||||
exists(NPMPackage pkg |
|
||||
imp = getAModuleMemberImport(pkg, pkgName, member) and
|
||||
pkg.declaresDependency(pkgName, _)
|
||||
pkgName.regexpMatch("[^./].*")
|
||||
)
|
||||
}
|
||||
|
||||
|
|
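Review bot: The new filter `pkgName.regexpMatch("[^./].*")` appears verbatim in both `imports` predicates (the hunks at lines 181 and 189) with no comment on what it admits, so the two copies can drift apart unnoticed. With `pkg.declaresDependency(pkgName, _)` gone, every import path that does not start with `.` or `/` is treated as a package. That presumably also covers Windows drive-letter paths and bundler alias paths, which would then produce portals for local files. For deep imports the portal may be keyed on the full path rather than the package name unless `getAModuleImport` normalises it, which is not visible in these hunks. I would add a comment above each use, for example `// any path not starting with '.' or '/' counts as a package import (deep imports, built-ins, undeclared deps)`, or move the check into one shared helper predicate. The enclosing module `NpmPackagePortal` starts and ends outside the hunks.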