JS: infer this to be module.exports in node modules

esbena · esbena · commit 2fac7434df48 · 2020-03-13T14:10:35.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll
@@ -45,6 +45,19 @@ private class AnalyzedThisInBoundFunction extends AnalyzedThisExpr {
   }
 }
 
+/**
+ * Flow analysis for `this` expressions in node modules.
+ *
+ * These expressions are assumed to refer to the `module.exports` object.
+ */
+private class AnalyzedThisAsModuleExports extends DataFlow::AnalyzedNode, DataFlow::ThisNode {
+  NodeModule m;
+
+  AnalyzedThisAsModuleExports() { m = getBindingContainer() }
+
+  override AbstractValue getALocalValue() { result = TAbstractExportsObject(m) }
+}
+
 /**
  * Flow analysis for `this` expressions inside a function that is instantiated.
  *
diff --git a/javascript/ql/test/library-tests/ThisExpr/ThisExpr_analyzed.expected b/javascript/ql/test/library-tests/ThisExpr/ThisExpr_analyzed.expected
@@ -1,4 +1,5 @@
 | module-exports.js:3:1:3:4 | this | file://:0:0:0:0 | indefinite value (call) |
+| module-exports.js:3:1:3:4 | this | module-exports.js:1:1:8:0 | exports object of module module-exports |
 | module-exports.js:4:28:4:31 | this | file://:0:0:0:0 | indefinite value (call) |
 | module-exports.js:4:28:4:31 | this | module-exports.js:1:1:8:0 | exports object of module module-exports |
 | module-exports.js:4:28:4:31 | this | module-exports.js:4:15:4:34 | instance of anonymous function |
@@ -7,7 +8,9 @@
 | module-exports.js:5:35:5:38 | this | module-exports.js:1:1:8:0 | exports object of module module-exports |
 | module-exports.js:5:35:5:38 | this | module-exports.js:5:22:5:41 | instance of anonymous function |
 | module-exports.js:6:21:6:24 | this | file://:0:0:0:0 | indefinite value (call) |
+| module-exports.js:6:21:6:24 | this | module-exports.js:1:1:8:0 | exports object of module module-exports |
 | module-exports.js:7:28:7:31 | this | file://:0:0:0:0 | indefinite value (call) |
+| module-exports.js:7:28:7:31 | this | module-exports.js:1:1:8:0 | exports object of module module-exports |
 | tst.js:4:9:4:12 | this | file://:0:0:0:0 | indefinite value (call) |
 | tst.js:4:9:4:12 | this | tst.js:1:1:11:1 | instance of class C_normal |
 | tst.js:8:15:8:18 | this | file://:0:0:0:0 | indefinite value (call) |

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,19 @@ private class AnalyzedThisInBoundFunction extends AnalyzedThisExpr {`
`45`	`45`	`}`
`46`	`46`	`}`
`47`	`47`
	`48`	`+/**`
	`49`	+ * Flow analysis for `this` expressions in node modules.
	`50`	`+ *`
	`51`	+ * These expressions are assumed to refer to the `module.exports` object.
	`52`	`+ */`
	`53`	`+private class AnalyzedThisAsModuleExports extends DataFlow::AnalyzedNode, DataFlow::ThisNode {`
	`54`	`+ NodeModule m;`
	`55`	`+`
	`56`	`+ AnalyzedThisAsModuleExports() { m = getBindingContainer() }`
	`57`	`+`
	`58`	`+ override AbstractValue getALocalValue() { result = TAbstractExportsObject(m) }`
	`59`	`+}`
	`60`	`+`
`48`	`61`	`/**`
`49`	`62`	* Flow analysis for `this` expressions inside a function that is instantiated.
`50`	`63`	`*`