JS: Improve handling of default exports in Vue

asgerf · asgerf · commit f450476b2712 · 2021-08-31T11:19:00.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/Modules.qll b/javascript/ql/lib/semmle/javascript/Modules.qll
@@ -111,6 +111,23 @@ abstract class Module extends TopLevel {
   cached
   abstract DataFlow::Node getAnExportedValue(string name);
 
+  /**
+   * Gets a value that is exported as the whole exports object of this module.
+   */
+  cached
+  DataFlow::Node getABulkExportedNode() { none() } // overridden in subclasses
+
+  /**
+   * Gets the ES2015 `default` export from this module, or for other types of modules,
+   * gets a bulk exported node.
+   *
+   * This can be used to determine which value a default-import will likely refer to,
+   * as the interaction between different module types is not standardized.
+   */
+  DataFlow::Node getDefaultOrBulkExport() {
+    result = [getAnExportedValue("default"), getABulkExportedNode()]
+  }
+
   /**
    * Gets the root folder relative to which the given import path (which must
    * appear in this module) is resolved.
diff --git a/javascript/ql/lib/semmle/javascript/NodeJS.qll b/javascript/ql/lib/semmle/javascript/NodeJS.qll
@@ -99,6 +99,13 @@ class NodeModule extends Module {
     )
   }
 
+  override DataFlow::Node getABulkExportedNode() {
+    exists(DataFlow::PropWrite write |
+      write.getBase().asExpr() = getModuleVariable().getAnAccess() and
+      result = write.getRhs()
+    )
+  }
+
   /** Gets a symbol that the module object inherits from its prototypes. */
   private string getAnImplicitlyExportedSymbol() {
     exists(ExternalConstructor ec | ec = getPrototypeOfExportedExpr() |
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Vue.qll b/javascript/ql/lib/semmle/javascript/frameworks/Vue.qll
@@ -21,7 +21,7 @@ module Vue {
     override DataFlow::SourceNode getAUse() { none() }
 
     override DataFlow::Node getARhs() {
-      result = any(SingleFileComponent c).getModule().getAnExportedValue("default")
+      result = any(SingleFileComponent c).getModule().getDefaultOrBulkExport()
     }
   }
 
@@ -550,10 +550,8 @@ module Vue {
     }
 
     override API::Node getOwnOptions() {
-      exists(ExportDefaultDeclaration decl |
-        decl.getTopLevel() = getModule() and
-        result.getARhs() = DataFlow::valueNode(decl.getOperand())
-      )
+      // Use the entry point generated by `VueExportEntryPoint`
+      result.getARhs() = getModule().getDefaultOrBulkExport()
     }
 
     override DataFlow::Node getOwnOptionsObject() {

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,13 @@ class NodeModule extends Module {`
`99`	`99`	`)`
`100`	`100`	`}`
`101`	`101`
	`102`	`+ override DataFlow::Node getABulkExportedNode() {`
	`103`	`+ exists(DataFlow::PropWrite write \|`
	`104`	`+ write.getBase().asExpr() = getModuleVariable().getAnAccess() and`
	`105`	`+ result = write.getRhs()`
	`106`	`+ )`
	`107`	`+ }`
	`108`	`+`
`102`	`109`	`/** Gets a symbol that the module object inherits from its prototypes. */`
`103`	`110`	`private string getAnImplicitlyExportedSymbol() {`
`104`	`111`	`exists(ExternalConstructor ec \| ec = getPrototypeOfExportedExpr() \|`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ module Vue {`
`21`	`21`	`override DataFlow::SourceNode getAUse() { none() }`
`22`	`22`
`23`	`23`	`override DataFlow::Node getARhs() {`
`24`		`- result = any(SingleFileComponent c).getModule().getAnExportedValue("default")`
	`24`	`+ result = any(SingleFileComponent c).getModule().getDefaultOrBulkExport()`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`
`@@ -550,10 +550,8 @@ module Vue {`
`550`	`550`	`}`
`551`	`551`
`552`	`552`	`override API::Node getOwnOptions() {`
`553`		`- exists(ExportDefaultDeclaration decl \|`
`554`		`- decl.getTopLevel() = getModule() and`
`555`		`- result.getARhs() = DataFlow::valueNode(decl.getOperand())`
`556`		`- )`
	`553`	+ // Use the entry point generated by `VueExportEntryPoint`
	`554`	`+ result.getARhs() = getModule().getDefaultOrBulkExport()`
`557`	`555`	`}`
`558`	`556`
`559`	`557`	`override DataFlow::Node getOwnOptionsObject() {`