JS: Model newer yargs command-line parsing pattern

RasmusWL · RasmusWL · commit d3ae4c930eb9 · 2024-10-25T15:03:43.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll b/javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll
@@ -74,6 +74,8 @@ private class DefaultModels extends CommandLineArguments::Range {
     or
     // `require('commander').opt()` => `{a: ..., b: ...}`
     this = commander().getMember("opts").getACall()
+    or
+    this = API::moduleImport("yargs/yargs").getReturn().getMember("argv").asSource()
   }
 }
 
diff --git a/javascript/ql/test/library-tests/threat-models/sources/sources.js b/javascript/ql/test/library-tests/threat-models/sources/sources.js
@@ -13,7 +13,7 @@ const yargs = require('yargs/yargs');
 const { hideBin } = require('yargs/helpers');
 const argv = yargs(hideBin(process.argv)).argv; // $ threat-source=commandargs
 
-SINK(argv.foo); // $ MISSING: hasFlow
+SINK(argv.foo); // $ hasFlow
 
 // older version
 // https://www.npmjs.com/package/yargs/v/7.1.2

Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,8 @@ private class DefaultModels extends CommandLineArguments::Range {`
`74`	`74`	`or`
`75`	`75`	// `require('commander').opt()` => `{a: ..., b: ...}`
`76`	`76`	`this = commander().getMember("opts").getACall()`
	`77`	`+ or`
	`78`	`+ this = API::moduleImport("yargs/yargs").getReturn().getMember("argv").asSource()`
`77`	`79`	`}`
`78`	`80`	`}`
`79`	`81`