V1

Author: am0o0

javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll

@@ -760,6 +760,21 @@ module NodeJSLib {
     }
   }
 
+  /**
+   * The dynamic import expression input can be a `data:` URL which loads any module from that data
+   */
+  class DynamicImport extends SystemCommandExecution, DataFlow::ExprNode {
+    DynamicImport() { this = any(DynamicImportExpr e).getAChildExpr().flow() }
+
+    override DataFlow::Node getACommandArgument() { result = this }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) { arg = this }
+
+    override predicate isSync() { none() }
+
+    override DataFlow::Node getOptionsArg() { none() }
+  }
+
   /**
    * A call to a method from module `child_process`.
    */

javascript/ql/test/library-tests/frameworks/NodeJSLib/exec.js

@@ -5,3 +5,6 @@ cp.execFileSync("sh", ["-c", "node --version"]);
 cp.fork("foo", ["arg"]);
 cp.spawn("echo", ["Hi"], cb);
 cp.spawnSync("echo", ["Hi", "there"]);
+
+// dynamic import 
+await import('data:text/javascript,console.log("hello!");')