jorgectf
diff --git a/‎javascript/change-notes/2021-07-14-mkdirp.md
Lines changed: 4 additions & 0 deletions b/‎javascript/change-notes/2021-07-14-mkdirp.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/frameworks/Files.qll
Lines changed: 13 additions & 0 deletions b/‎javascript/ql/src/semmle/javascript/frameworks/Files.qll
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `js/tainted-path` now recognizes the `mkdirp` library as a sink.
+  Affected packages are
+    [mkdirp](https://www.npmjs.com/package/mkdirp)
@@ -470,3 +470,16 @@ class Chokidar extends FileNameProducer, FileSystemAccess, API::CallNode {
     )
   }
 }
+
+/**
+ * A call to the [`mkdirp`](https://www.npmjs.com/package/mkdirp) library.
+ */
+private class Mkdirp extends FileSystemAccess, API::CallNode {
+  Mkdirp() {
+    this = API::moduleImport("mkdirp").getACall()
+    or
+    this = API::moduleImport("mkdirp").getMember("sync").getACall()
+  }
+
+  override DataFlow::Node getAPathArgument() { result = getArgument(0) }
+}
Original file line number	Diff line number	Diff line change
`@@ -470,3 +470,16 @@ class Chokidar extends FileNameProducer, FileSystemAccess, API::CallNode {`
`470`	`470`	`)`
`471`	`471`	`}`
`472`	`472`	`}`
	`473`	`+`
	`474`	`+/**`
	`475`	+ * A call to the [`mkdirp`](https://www.npmjs.com/package/mkdirp) library.
	`476`	`+ */`
	`477`	`+private class Mkdirp extends FileSystemAccess, API::CallNode {`
	`478`	`+ Mkdirp() {`
	`479`	`+ this = API::moduleImport("mkdirp").getACall()`
	`480`	`+ or`
	`481`	`+ this = API::moduleImport("mkdirp").getMember("sync").getACall()`
	`482`	`+ }`
	`483`	`+`
	`484`	`+ override DataFlow::Node getAPathArgument() { result = getArgument(0) }`
	`485`	`+}`