Skip to content

JavaScript: Improve CFG for non-toplevel imports #275

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
semmle-qlci merged 4 commits into from
Oct 4, 2018
Merged

JavaScript: Improve CFG for non-toplevel imports #275

semmle-qlci merged 4 commits into from
Oct 4, 2018

Conversation

@xiemaisi
Copy link

@xiemaisi xiemaisi commented Oct 3, 2018

This is a non-standard language feature for which we have parser support. Previously, however, the CFG extractor and the QL library still assumed that all imports appear at the toplevel, which gave us strange results for example on meteor.

This PR updates the QL library to remove the assumption about imports being top-level. Furthermore, we patch the missing CFG edges for non-toplevel imports in the library. I will open an internal PR that teaches the extractor to add these edges to begin with. The QL-level patch is compatible with the extractor changes, so having either or both of them works, and consequently we can deal with the PRs independently.

I have verified that this removes the false positives on meteor and doesn't otherwise affect results, at a very moderate cost to performance (<5%, so probably within the margin of error).

@xiemaisi xiemaisi requested a review from a team as a code owner October 3, 2018 12:15
asger-semmle
asger-semmle approved these changes Oct 3, 2018
View reviewed changes
Copy link
Contributor

@asger-semmle asger-semmle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@xiemaisi xiemaisi added the JS label Oct 3, 2018
@semmle-qlci semmle-qlci merged commit bea86e5 into github:master Oct 4, 2018
@xiemaisi xiemaisi deleted the js/workaround-for-nested-imports branch October 4, 2018 09:35
@xiemaisi xiemaisi mentioned this pull request Oct 22, 2018
Merged
aibaars pushed a commit that referenced this pull request Oct 14, 2021
@hvitved
Merge pull request #275 from github/hvitved/api-graphs-fix
6e23a9a 
API graphs: Fix bug for resolvable modules
smowton added a commit to smowton/codeql that referenced this pull request Apr 16, 2022
@smowton
Merge pull request github#275 from github/smowton/fix/setvalueorfield…
0dfa016 
…-locations-and-syntactic-enclosure

Fix locations and enclosing statement/callable for assignments
MathiasVP pushed a commit to MathiasVP/ql that referenced this pull request Nov 20, 2025
@ropwareJB
Merge pull request github#275 from microsoft/jb1/AB#13038-fp
bf7ebcc 
False Positive - `cs/zipslip`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@asger-semmle asger-semmle asger-semmle approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@xiemaisi @asger-semmle @semmle-qlci