JS: Exclude methods declared private/protected

asgerf · asgerf · commit 600e5bad0d71 · 2021-10-01T11:46:32.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/PackageExports.qll b/javascript/ql/lib/semmle/javascript/PackageExports.qll
@@ -45,7 +45,8 @@ private DataFlow::Node getAValueExportedByPackage() {
   |
     result = callee.getAPropertyRead("prototype").getAPropertyWrite(publicPropertyName()).getRhs()
     or
-    result = callee.(DataFlow::ClassNode).getInstanceMethod(publicPropertyName())
+    result = callee.(DataFlow::ClassNode).getInstanceMethod(publicPropertyName()) and
+    not isPrivateMethodDeclaration(result)
   )
   or
   result = getAValueExportedByPackage().getALocalSource()
@@ -65,7 +66,10 @@ private DataFlow::Node getAValueExportedByPackage() {
   //   static baz() {} // <- result
   //   constructor() {} // <- result
   // };
-  exists(DataFlow::ClassNode cla | cla = getAValueExportedByPackage() |
+  exists(DataFlow::ClassNode cla |
+    cla = getAValueExportedByPackage() and
+    not isPrivateMethodDeclaration(result)
+  |
     result = cla.getInstanceMethod(publicPropertyName()) or
     result = cla.getStaticMethod(publicPropertyName()) or
     result = cla.getConstructor()
@@ -185,3 +189,17 @@ bindingset[result]
 private string publicPropertyName() {
   result.regexpMatch("[a-zA-Z0-9].*")
 }
+
+/**
+ * Holds if the given function is part of a private (or protected) method declaration.
+ */
+private predicate isPrivateMethodDeclaration(DataFlow::FunctionNode func) {
+  exists(MethodDeclaration decl |
+    decl.getBody() = func.getFunction() and
+    (
+      decl.isPrivate()
+      or
+      decl.isProtected()
+    )
+  )
+}
