recognize more src folders when "main" in package.json points to a compiled output

Author: erik-krogh

javascript/ql/src/semmle/javascript/NodeModuleResolutionImpl.qll

@@ -102,10 +102,14 @@ File resolveMainModule(PackageJSON pkg, int priority) {
     )
   )
   or
-  exists(Folder folder | folder = pkg.getFile().getParentContainer() |
-    result =
-      tryExtensions([folder, folder.getChildContainer(["src", "lib"])], "index",
-        priority - prioritiesPerCandidate())
+  exists(Folder folder, Folder child |
+    child = folder or
+    child = folder.getChildContainer(getASrcFolderName()) or
+    child =
+      folder.getChildContainer(getASrcFolderName()).(Folder).getChildContainer(getASrcFolderName())
+  |
+    folder = pkg.getFile().getParentContainer() and
+    result = tryExtensions(child, "index", priority - prioritiesPerCandidate())
   )
   or
   // if there is no main module, then we look for files that are explicitly included in the published package.
@@ -130,6 +134,11 @@ File resolveMainModule(PackageJSON pkg, int priority) {
   )
 }
 
+/**
+ * Gets a folder name that is a common source folder name.
+ */
+private string getASrcFolderName() { result = ["ts", "js", "src", "lib"] }
+
 /**
  * A JSON string in a `package.json` file specifying the path of the main
  * module of the package.

javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected

@@ -30,6 +30,7 @@
 | lib/closure.js:4:6:4:7 | u* | Strings with many repetitions of 'u' can start matching anywhere after the start of the preceeding u*o |
 | lib/lib.js:1:15:1:16 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/lib.js:8:3:8:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
+| lib/otherLib/js/src/index.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/sublib/factory.js:13:14:13:15 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
 | polynomial-redos.js:7:24:7:26 | \\s+ | Strings with many repetitions of ' ' can start matching anywhere after the start of the preceeding \\s+$ |
 | polynomial-redos.js:8:17:8:18 |  * | Strings with many repetitions of ' ' can start matching anywhere after the start of the preceeding  *, * |

javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected

@@ -11,6 +11,10 @@ nodes
 | lib/lib.js:7:19:7:22 | name |
 | lib/lib.js:8:13:8:16 | name |
 | lib/lib.js:8:13:8:16 | name |
+| lib/otherLib/js/src/index.js:1:28:1:31 | name |
+| lib/otherLib/js/src/index.js:1:28:1:31 | name |
+| lib/otherLib/js/src/index.js:2:13:2:16 | name |
+| lib/otherLib/js/src/index.js:2:13:2:16 | name |
 | lib/sublib/factory.js:12:26:12:29 | name |
 | lib/sublib/factory.js:12:26:12:29 | name |
 | lib/sublib/factory.js:13:24:13:27 | name |
@@ -170,6 +174,10 @@ edges
 | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
 | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
 | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
+| lib/otherLib/js/src/index.js:1:28:1:31 | name | lib/otherLib/js/src/index.js:2:13:2:16 | name |
+| lib/otherLib/js/src/index.js:1:28:1:31 | name | lib/otherLib/js/src/index.js:2:13:2:16 | name |
+| lib/otherLib/js/src/index.js:1:28:1:31 | name | lib/otherLib/js/src/index.js:2:13:2:16 | name |
+| lib/otherLib/js/src/index.js:1:28:1:31 | name | lib/otherLib/js/src/index.js:2:13:2:16 | name |
 | lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
 | lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
 | lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
@@ -315,6 +323,7 @@ edges
 | lib/closure.js:4:5:4:17 | /u*o/.test(x) | lib/closure.js:3:21:3:21 | x | lib/closure.js:4:16:4:16 | x | This $@ that depends on $@ may run slow on strings with many repetitions of 'u'. | lib/closure.js:4:6:4:7 | u* | regular expression | lib/closure.js:3:21:3:21 | x | library input |
 | lib/lib.js:4:2:4:18 | regexp.test(name) | lib/lib.js:3:28:3:31 | name | lib/lib.js:4:14:4:17 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/lib.js:1:15:1:16 | a* | regular expression | lib/lib.js:3:28:3:31 | name | library input |
 | lib/lib.js:8:2:8:17 | /f*g/.test(name) | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/lib.js:8:3:8:4 | f* | regular expression | lib/lib.js:7:19:7:22 | name | library input |
+| lib/otherLib/js/src/index.js:2:2:2:17 | /a*b/.test(name) | lib/otherLib/js/src/index.js:1:28:1:31 | name | lib/otherLib/js/src/index.js:2:13:2:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/otherLib/js/src/index.js:2:3:2:4 | a* | regular expression | lib/otherLib/js/src/index.js:1:28:1:31 | name | library input |
 | lib/sublib/factory.js:13:13:13:28 | /f*g/.test(name) | lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/sublib/factory.js:13:14:13:15 | f* | regular expression | lib/sublib/factory.js:12:26:12:29 | name | library input |
 | polynomial-redos.js:7:2:7:34 | tainted ... /g, '') | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:7:2:7:8 | tainted | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | polynomial-redos.js:7:24:7:26 | \\s+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
 | polynomial-redos.js:8:2:8:23 | tainted ...  *, */) | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:8:2:8:8 | tainted | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | polynomial-redos.js:8:17:8:18 |  * | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |

javascript/ql/test/query-tests/Performance/ReDoS/lib/otherLib/js/src/index.js

@@ -0,0 +1,3 @@
+module.exports = function (name) {
+	/a*b/.test(name); // NOT OK
+};

javascript/ql/test/query-tests/Performance/ReDoS/lib/otherLib/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "my-other-lib",
+  "version": "0.0.7",
+  "main": "./js/src/index.js",
+  "scripts": {
+    "build": "tsc"
+  }
+}