Merge pull request #15763 from asgerf/js/escaping-instance-detection

JS: Improve detection of classes with escaping instances

Author: asgerf

javascript/ql/lib/semmle/javascript/endpoints/EndpointNaming.qll

@@ -277,9 +277,16 @@ private predicate nameFromGlobal(DataFlow::Node node, string package, string nam
   (if node.getTopLevel().isExterns() then badness = -10 else badness = 10)
 }
 
+/** Gets an API node whose value is exposed to client code. */
+private API::Node exposedNode() {
+  result = API::moduleExport(_)
+  or
+  result = exposedNode().getASuccessor()
+}
+
 /** Holds if an instance of `cls` can be exposed to client code. */
 private predicate hasEscapingInstance(DataFlow::ClassNode cls) {
-  cls.getAnInstanceReference().flowsTo(any(API::Node n).asSink())
+  cls.getAnInstanceReference().flowsTo(exposedNode().asSink())
 }
 
 private predicate sourceNodeHasNameCandidate(

javascript/ql/test/library-tests/EndpointNaming/pack1/main.js

@@ -13,3 +13,9 @@ export function getEscapingInstance() {
 } // $ name=(pack1).getEscapingInstance
 
 export function publicFunction() {} // $ name=(pack1).publicFunction
+
+// Escapes into an upstream library, but is not exposed downstream
+class InternalClass {
+    m() {}
+}
+require('foo').bar(new InternalClass());