Merge pull request github#2943 from esbena/js/more-fs-modules

Approved by erik-krogh

Author: semmle-qlci

change-notes/1.24/analysis-javascript.md

@@ -60,7 +60,7 @@
 | Expression has no effect (`js/useless-expression`) | Fewer false positive results | The query now recognizes block-level flow type annotations and ignores the first statement of a try block. |
 | Use of call stack introspection in strict mode (`js/strict-mode-call-stack-introspection`) | Fewer false positive results | The query no longer flags expression statements. |
 | Missing CSRF middleware (`js/missing-token-validation`) | Fewer false positive results | The query reports fewer duplicates and only flags handlers that explicitly access cookie data. |
-| Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional ways dangerous paths can be constructed. |
+| Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional ways dangerous paths can be constructed and used. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional ways of constructing arguments to `cmd.exe` and `/bin/sh`. |
 
 ## Changes to libraries

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -429,16 +429,27 @@ module NodeJSLib {
   }
 
   /**
-   * A member `member` from module `fs` or its drop-in replacements `graceful-fs` or `fs-extra`.
+   * A member `member` from module `fs` or its drop-in replacements `graceful-fs`, `fs-extra`, `original-fs`.
    */
   private DataFlow::SourceNode fsModuleMember(string member) {
+    result = fsModule(DataFlow::TypeTracker::end()).getAPropertyRead(member)
+  }
+
+  private DataFlow::SourceNode fsModule(DataFlow::TypeTracker t) {
     exists(string moduleName |
       moduleName = "fs" or
       moduleName = "graceful-fs" or
-      moduleName = "fs-extra"
+      moduleName = "fs-extra" or
+      moduleName = "original-fs"
     |
-      result = DataFlow::moduleMember(moduleName, member)
-    )
+      result = DataFlow::moduleImport(moduleName)
+      or
+      // extra support for flexible names
+      result.asExpr().(Require).getArgument(0).mayHaveStringValue(moduleName)
+    ) and
+    t.start()
+    or
+    exists(DataFlow::TypeTracker t2 | result = fsModule(t2).track(t2, t))
   }
 
   /**