JavaScript: Broaden scope of imports considered relevant to portals.
Previously, we only considered an import relevant to portals if the path it imported was declared as a dependency. This fails for deep imports where a specific module inside the package is imported rather than the default entry point, for imports of built-in modules like `fs`, and in cases where a developer simply forgets to declare a dependency. So instead we now consider all imports relevant whose path does not start with a dot or a slash.
Родитель
8b4b5781e6
Коммит
c40ef0556a
|
@ -181,7 +181,7 @@ private module NpmPackagePortal {
|
||||||
predicate imports(DataFlow::SourceNode imp, string pkgName) {
|
predicate imports(DataFlow::SourceNode imp, string pkgName) {
|
||||||
exists(NPMPackage pkg |
|
exists(NPMPackage pkg |
|
||||||
imp = getAModuleImport(pkg, pkgName) and
|
imp = getAModuleImport(pkg, pkgName) and
|
||||||
pkg.declaresDependency(pkgName, _)
|
pkgName.regexpMatch("[^./].*")
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -189,7 +189,7 @@ private module NpmPackagePortal {
|
||||||
predicate imports(DataFlow::SourceNode imp, string pkgName, string member) {
|
predicate imports(DataFlow::SourceNode imp, string pkgName, string member) {
|
||||||
exists(NPMPackage pkg |
|
exists(NPMPackage pkg |
|
||||||
imp = getAModuleMemberImport(pkg, pkgName, member) and
|
imp = getAModuleMemberImport(pkg, pkgName, member) and
|
||||||
pkg.declaresDependency(pkgName, _)
|
pkgName.regexpMatch("[^./].*")
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
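Review bot: The bare-specifier test `pkgName.regexpMatch("[^./].*")` is now duplicated verbatim in both `imports` overloads, and neither site documents why a leading `.` or `/` excludes a path, so the two copies can silently drift. I would extract it into one helper with a comment: `/** Holds if `pkgName` is a bare module specifier (not a relative or absolute path), so it may name an npm package or a Node built-in. */` followed by `private predicate isBareSpecifier(string pkgName) { pkgName.regexpMatch("[^./].*") }`, and call `isBareSpecifier(pkgName)` from both predicates. Note that the broadened check also accepts any other first character, so bundler aliases such as `~/...` or package.json subpath imports like `#internal/...` would presumably be treated as package names too; if that matters to portal consumers it deserves a comment or an explicit exclusion. The enclosing `NpmPackagePortal` module begins and ends outside the hunks.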