JS: Add ModuleImportNode::Range by asger-semmle · Pull Request #945 · github/codeql

asger-semmle · 2019-02-15T14:00:22Z

Will conflict with #934 which is undergoing a long evaluation. Will evaluate this after rebasing on that.

Would very much appreciate it if this could make it into 1.20, which is why I'm opening this ASAP.

ghost

LGTM modulo the missing evaluation, and some very minor docstring comments.
I assume the big diff is just due to moving code around.

ghost · 2019-02-20T11:19:05Z

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

+
+module ModuleImportNode {
+  /**
+   * Data flow node that refers to an imported module.


Missing A?

A data flow node that refers to an imported module.

ghost · 2019-02-20T11:22:29Z

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

+ * Gets a (default) import of the module with the given path, such as `require("fs")`
+ * or `import * as fs from "fs"`.
+ *
+ * This predicate can be customized by subclassing `ModuleImportNode::Range`.


Do we use "customized" like this anywhere else?
You can only add ModuleImportNodes to this predicate when subclassing ModuleImportNode::Range, so "customize" seems like a stretch.

Changed to "extended"

xiemaisi · 2019-02-25T09:36:12Z

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

+  /**
+   * Data flow node that refers to an imported module.
+   */
+  abstract class Range extends DataFlow::SourceNode {


Do we need this to extend DataFlow::SourceNode itself, or could it extend DataFlow::SourceNode::Range instead?

Extending SourceNode::Range will add more dependencies, which could lead to negative recursion or performance issues. I believe there was only a one-way dependency between ModuleImportNode and SourceNode previously so it seems safer to keep it that way.

xiemaisi · 2019-02-25T09:37:40Z

LGTM, modulo minor comments. I don't think this needs an evaluation, but if you want to do a quick sanity check I won't stand in your way.

asger-semmle · 2019-02-26T09:24:06Z

Evaluation with just Xss.ql looks fine. I also checked the profile viewer and they look identical.

asger-semmle requested a review from a team as a code owner February 15, 2019 14:00

ghost reviewed Feb 20, 2019

View reviewed changes

ghost added the JS label Feb 20, 2019

xiemaisi reviewed Feb 25, 2019

View reviewed changes

asger-semmle added 3 commits February 25, 2019 11:31

JS: add ModuleImportNode::Range

eab034c

JS: add test case

b31d7d1

JS: minor qldoc fixes

707886f

asger-semmle force-pushed the extensible-module-import branch from 7dd02c1 to 707886f Compare February 25, 2019 11:41

xiemaisi approved these changes Feb 26, 2019

View reviewed changes

semmle-qlci merged commit 00d490e into github:master Feb 26, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JS: Add ModuleImportNode::Range#945

JS: Add ModuleImportNode::Range#945
semmle-qlci merged 3 commits intogithub:masterfrom
asger-semmle:extensible-module-import

asger-semmle commented Feb 15, 2019

Uh oh!

ghost left a comment

Uh oh!

ghost Feb 20, 2019

Uh oh!

ghost Feb 20, 2019

Uh oh!

asger-semmle Feb 25, 2019

Uh oh!

xiemaisi Feb 25, 2019

Uh oh!

asger-semmle Feb 25, 2019

Uh oh!

xiemaisi commented Feb 25, 2019

Uh oh!

asger-semmle commented Feb 26, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

asger-semmle commented Feb 15, 2019

Uh oh!

ghost left a comment

Choose a reason for hiding this comment

Uh oh!

ghost Feb 20, 2019

Choose a reason for hiding this comment

Uh oh!

ghost Feb 20, 2019

Choose a reason for hiding this comment

Uh oh!

asger-semmle Feb 25, 2019

Choose a reason for hiding this comment

Uh oh!

xiemaisi Feb 25, 2019

Choose a reason for hiding this comment

Uh oh!

asger-semmle Feb 25, 2019

Choose a reason for hiding this comment

Uh oh!

xiemaisi commented Feb 25, 2019

Uh oh!

asger-semmle commented Feb 26, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants