JS: Restrict what property names that are considered public exports

asgerf · asgerf · commit af1b04de9ccc · 2021-10-01T11:42:03.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/PackageExports.qll b/javascript/ql/lib/semmle/javascript/PackageExports.qll
@@ -30,7 +30,11 @@ private DataFlow::Node getAValueExportedByPackage() {
     getAnExportFromModule(any(PackageJSON pack | exists(pack.getPackageName())).getMainModule())
   or
   // module.exports.bar.baz = result;
-  result = getAValueExportedByPackage().(DataFlow::PropWrite).getRhs()
+  exists(DataFlow::PropWrite write |
+    write = getAValueExportedByPackage() and
+    write.getPropertyName() = publicPropertyName() and
+    result = write.getRhs()
+  )
   or
   // class Foo {
   //   bar() {} // <- result
@@ -39,15 +43,15 @@ private DataFlow::Node getAValueExportedByPackage() {
   exists(DataFlow::SourceNode callee |
     callee = getAValueExportedByPackage().(DataFlow::NewNode).getCalleeNode().getALocalSource()
   |
-    result = callee.getAPropertyRead("prototype").getAPropertyWrite().getRhs()
+    result = callee.getAPropertyRead("prototype").getAPropertyWrite(publicPropertyName()).getRhs()
     or
-    result = callee.(DataFlow::ClassNode).getAnInstanceMethod()
+    result = callee.(DataFlow::ClassNode).getInstanceMethod(publicPropertyName())
   )
   or
   result = getAValueExportedByPackage().getALocalSource()
   or
   // Nested property reads.
-  result = getAValueExportedByPackage().(DataFlow::SourceNode).getAPropertyReference()
+  result = getAValueExportedByPackage().(DataFlow::SourceNode).getAPropertyReference(publicPropertyName())
   or
   // module.exports.foo = require("./other-module.js");
   exists(Module mod |
@@ -62,8 +66,8 @@ private DataFlow::Node getAValueExportedByPackage() {
   //   constructor() {} // <- result
   // };
   exists(DataFlow::ClassNode cla | cla = getAValueExportedByPackage() |
-    result = cla.getAnInstanceMethod() or
-    result = cla.getAStaticMethod() or
+    result = cla.getInstanceMethod(publicPropertyName()) or
+    result = cla.getStaticMethod(publicPropertyName()) or
     result = cla.getConstructor()
   )
   or
@@ -120,7 +124,8 @@ private DataFlow::Node getAValueExportedByPackage() {
   or
   // Object.defineProperty
   exists(CallToObjectDefineProperty call |
-    [call, call.getBaseObject()] = getAValueExportedByPackage()
+    [call, call.getBaseObject()] = getAValueExportedByPackage() and
+    call.getPropertyName() = publicPropertyName()
   |
     result = call.getPropertyDescriptor().getALocalSource().getAPropertyReference("value")
     or
@@ -164,9 +169,19 @@ private DataFlow::Node getAValueExportedByPackage() {
  * Gets an exported node from the module `mod`.
  */
 private DataFlow::Node getAnExportFromModule(Module mod) {
-  result = mod.getAnExportedValue(_)
+  result = mod.getAnExportedValue(publicPropertyName())
   or
   result = mod.getABulkExportedNode()
   or
   result.analyze().getAValue() = TAbstractModuleObject(mod)
 }
+
+/**
+ * Gets a property name that we consider to be public.
+ *
+ * This only allows properties whose first character is a letter or number.
+ */
+bindingset[result]
+private string publicPropertyName() {
+  result.regexpMatch("[a-zA-Z0-9].*")
+}
