wip

Author: asgerf

javascript/ql/lib/semmle/javascript/PackageExports.qll

@@ -237,8 +237,7 @@ private DataFlow::Node getAnExportFromModule(Module mod) {
   // exports saved to the global object
   result = DataFlow::globalObjectRef().getAPropertyWrite().getRhs() and
   result.getTopLevel() = mod
-  or
-  result.analyze().getAValue() = TAbstractModuleObject(mod)
+  // TODO: perhaps rely on name resolution here?
 }
 
 /**

javascript/ql/lib/semmle/javascript/dataflow/TypeInference.qll

@@ -169,6 +169,8 @@ class AnalyzedNode extends DataFlow::Node {
 class AnalyzedValueNode extends AnalyzedNode, DataFlow::ValueNode { }
 
 /**
+ * DEPRECATED. Type inference is no longer used for reasoning about module exports.
+ *
  * A module for which analysis results are available.
  *
  * The type inference supports AMD, CommonJS and ES2015 modules. All three
@@ -177,7 +179,7 @@ class AnalyzedValueNode extends AnalyzedNode, DataFlow::ValueNode { }
  * exports are modeled as property writes on `module.exports`, and imports
  * as property reads on any potential value of `module.exports`.
  */
-class AnalyzedModule extends TopLevel instanceof Module {
+deprecated class AnalyzedModule extends TopLevel instanceof Module {
   /** Gets the name of this module. */
   string getName() { result = super.getName() }
 

javascript/ql/lib/semmle/javascript/dataflow/internal/AbstractPropertiesImpl.qll

@@ -30,13 +30,6 @@ newtype TAbstractProperty =
  * of the concrete objects represented by `baseVal`.
  */
 AbstractValue getAnInitialPropertyValue(DefiniteAbstractValue baseVal, string propertyName) {
-  // initially, `module.exports === exports`
-  exists(Module m |
-    baseVal = TAbstractModuleObject(m) and
-    propertyName = "exports" and
-    result = TAbstractExportsObject(m)
-  )
-  or
   // class members
   result = getAnInitialMemberValue(getMember(baseVal, propertyName))
   or
@@ -77,11 +70,7 @@ private AbstractValue getAnInitialMemberValue(MemberDefinition m) {
  * Holds if `baseVal` is an abstract value whose properties we track for the purposes
  * of `getALocalValue`.
  */
-predicate shouldAlwaysTrackProperties(AbstractValue baseVal) {
-  baseVal instanceof AbstractModuleObject or
-  baseVal instanceof AbstractExportsObject or
-  baseVal instanceof AbstractCallable
-}
+predicate shouldAlwaysTrackProperties(AbstractValue baseVal) { baseVal instanceof AbstractCallable }
 
 /** Holds if `baseVal` is an abstract value whose properties we track. */
 predicate shouldTrackProperties(AbstractValue baseVal) {

javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSteps.qll

@@ -8,16 +8,7 @@ import javascript
 deprecated import semmle.javascript.dataflow.Configuration
 import semmle.javascript.dataflow.internal.CallGraphs
 private import semmle.javascript.internal.CachedStages
-
-/**
- * Holds if flow should be tracked through properties of `obj`.
- *
- * Flow is tracked through `module` and `module.exports` objects.
- */
-predicate shouldTrackProperties(AbstractValue obj) {
-  obj instanceof AbstractExportsObject or
-  obj instanceof AbstractModuleObject
-}
+private import semmle.javascript.internal.NameResolution
 
 /**
  * Holds if `source` corresponds to an expression returned by `f`, and
@@ -337,28 +328,16 @@ private module CachedSteps {
     )
   }
 
-  /**
-   * Holds if there is an assignment to property `prop` of an object represented by `obj`
-   * with right hand side `rhs` somewhere, and properties of `obj` should be tracked.
-   */
-  pragma[noinline]
-  private predicate trackedPropertyWrite(AbstractValue obj, string prop, DataFlow::Node rhs) {
-    exists(AnalyzedPropertyWrite pw |
-      pw.writes(obj, prop, rhs) and
-      shouldTrackProperties(obj) and
-      // avoid introducing spurious global flow
-      not pw.baseIsIncomplete("global")
-    )
-  }
-
   /**
    * Holds if there is a flow step from `pred` to `succ` through an object property.
    */
   cached
   predicate propertyFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(AbstractValue obj, string prop |
-      trackedPropertyWrite(obj, prop, pred) and
-      succ.(AnalyzedPropertyRead).reads(obj, prop)
+    // TODO: Ensure name resolution has good enough support for NodeJS and AMD
+    exists(NameResolution::Node node1, NameResolution::Node node2 |
+      NameResolution::ValueFlow::resolvedReadStep(node1, node2) and
+      pred = DataFlow::valueNode(node1) and
+      succ = DataFlow::valueNode(node2)
     )
   }
 

javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll

@@ -45,19 +45,6 @@ private class AnalyzedThisInBoundFunction extends AnalyzedThisExpr {
   }
 }
 
-/**
- * Flow analysis for `this` expressions in node modules.
- *
- * These expressions are assumed to refer to the `module.exports` object.
- */
-private class AnalyzedThisAsModuleExports extends DataFlow::AnalyzedNode, DataFlow::ThisNode {
-  NodeModule m;
-
-  AnalyzedThisAsModuleExports() { m = this.getBindingContainer() }
-
-  override AbstractValue getALocalValue() { result = TAbstractExportsObject(m) }
-}
-
 /**
  * Flow analysis for `this` expressions inside a function that is instantiated.
  *

javascript/ql/lib/semmle/javascript/dataflow/internal/VariableTypeInference.qll

@@ -159,28 +159,6 @@ private class AnalyzedRestParameter extends AnalyzedValueNode {
   override AbstractValue getALocalValue() { result = TAbstractOtherObject() }
 }
 
-/**
- * Flow analysis for `module` and `exports` parameters of AMD modules.
- */
-private class AnalyzedAmdParameter extends AnalyzedVarDef {
-  AbstractValue implicitInitVal;
-
-  AnalyzedAmdParameter() {
-    exists(AmdModule m, AmdModuleDefinition mdef | mdef = m.getDefine() |
-      this = mdef.getModuleParameter() and
-      implicitInitVal = TAbstractModuleObject(m)
-      or
-      this = mdef.getExportsParameter() and
-      implicitInitVal = TAbstractExportsObject(m)
-    )
-  }
-
-  override AbstractValue getAnAssignedValue() {
-    result = super.getAnAssignedValue() or
-    result = implicitInitVal
-  }
-}
-
 /**
  * An SSA definitions that has been analyzed.
  */
@@ -355,10 +333,6 @@ private predicate nodeBuiltins(Variable var, AbstractValue av) {
   exists(Module m, string name | var = m.getScope().getVariable(name) |
     name = "require" and av = TIndefiniteAbstractValue("heap")
     or
-    name = "module" and av = TAbstractModuleObject(m)
-    or
-    name = "exports" and av = TAbstractExportsObject(m)
-    or
     name = "arguments" and av = TAbstractOtherObject()
     or
     (name = "__filename" or name = "__dirname") and

javascript/ql/lib/semmle/javascript/internal/NameResolution.qll

@@ -386,6 +386,10 @@ module NameResolution {
         node2.(JSDocLocalTypeAccess).getALexicalName() = var
       )
       or
+      resolvedReadStep(node1, node2)
+    }
+
+    predicate resolvedReadStep(Node node1, Node node2) {
       exists(Node base, string name, ModuleLike mod |
         readStep(base, name, node2) and
         base = trackModule(mod) and