github · asgerf · May 13, 2025 · Apr 24, 2025 · Apr 24, 2025 · Apr 24, 2025
@@ -2,6 +2,7 @@
 
 import javascript
 private import semmle.javascript.internal.CachedStages
+private import semmle.javascript.internal.paths.PathExprResolver
 
 /**
  * An ECMAScript 2015 module.
@@ -725,22 +726,7 @@ abstract class ReExportDeclaration extends ExportDeclaration {
   cached
   Module getReExportedModule() {
     Stages::Imports::ref() and
-    result.getFile() = this.getEnclosingModule().resolve(this.getImportedPath())
-    or
-    result = this.resolveFromTypeRoot()
-  }
-
-  /**
-   * Gets a module in a `node_modules/@types/` folder that matches the imported module name.
-   */
-  private Module resolveFromTypeRoot() {
-    result.getFile() =
-      min(TypeRootFolder typeRoot |
-        |
-        typeRoot.getModuleFile(this.getImportedPath().getStringValue())
-        order by
-          typeRoot.getSearchPriority(this.getFile().getParentContainer())
-      )
+    result.getFile() = ImportPathResolver::resolveExpr(this.getImportedPath())
   }
 }
 

@@ -6,6 +6,7 @@
 
 import javascript
 private import semmle.javascript.internal.CachedStages
+private import semmle.javascript.internal.paths.PathExprResolver
 
 /**
  * A module, which may either be an ECMAScript 2015-style module,
@@ -138,39 +139,17 @@ abstract class Import extends AstNode {
   /**
    * Gets the module the path of this import resolves to.
    */
-  Module resolveImportedPath() {
-    result.getFile() = this.getEnclosingModule().resolve(this.getImportedPath())
-  }
+  Module resolveImportedPath() { result.getFile() = this.getTargetFile() }
 
   /**
-   * Gets a module with a `@providesModule` JSDoc tag that matches
-   * the imported path.
-   */
-  private Module resolveAsProvidedModule() {
-    exists(JSDocTag tag |
-      tag.getTitle() = "providesModule" and
-      tag.getParent().getComment().getTopLevel() = result and
-      tag.getDescription().trim() = this.getImportedPath().getValue()
-    )
-  }
-
-  /**
-   * Gets a module in a `node_modules/@types/` folder that matches the imported module name.
+   * Gets the module the path of this import resolves to.
    */
-  private Module resolveFromTypeRoot() {
-    result.getFile() =
-      min(TypeRootFolder typeRoot |
-        |
-        typeRoot.getModuleFile(this.getImportedPath().getValue())
-        order by
-          typeRoot.getSearchPriority(this.getFile().getParentContainer())
-      )
-  }
+  File getTargetFile() { result = ImportPathResolver::resolveExpr(this.getImportedPath()) }
 
   /**
-   * Gets the imported module, as determined by the TypeScript compiler, if any.
+   * DEPRECATED. Use `getImportedModule()` instead.
    */
-  private Module resolveFromTypeScriptSymbol() {
+  deprecated Module resolveFromTypeScriptSymbol() {
     exists(CanonicalName symbol |
       ast_node_symbol(this, symbol) and
       ast_node_symbol(result, symbol)
@@ -190,42 +169,11 @@ abstract class Import extends AstNode {
     Stages::Imports::ref() and
     if exists(this.resolveExternsImport())
     then result = this.resolveExternsImport()
-    else (
-      result = this.resolveAsProvidedModule() or
-      result = this.resolveImportedPath() or
-      result = this.resolveFromTypeRoot() or
-      result = this.resolveFromTypeScriptSymbol() or
-      result = resolveNeighbourPackage(this.getImportedPath().getValue())
-    )
+    else result = this.resolveImportedPath()
   }
 
   /**
    * Gets the data flow node that the default import of this import is available at.
    */
   abstract DataFlow::Node getImportedModuleNode();
 }
-
-/**
- * Gets a module imported from another package in the same repository.
- *
- * No support for importing from folders inside the other package.
- */
-private Module resolveNeighbourPackage(PathString importPath) {
-  exists(PackageJson json | importPath = json.getPackageName() and result = json.getMainModule())
-  or
-  exists(string package |
-    result.getFile().getParentContainer() = getPackageFolder(package) and
-    importPath = package + "/" + [result.getFile().getBaseName(), result.getFile().getStem()]
-  )
-}
-
-/**
- * Gets the folder for a package that has name `package` according to a package.json file in the resulting folder.
- */
-pragma[noinline]
-private Folder getPackageFolder(string package) {
-  exists(PackageJson json |
-    json.getPackageName() = package and
-    result = json.getFile().getParentContainer()
-  )
-}
@@ -3,6 +3,7 @@
  */
 
 private import javascript
+private import semmle.javascript.internal.paths.PathMapping
 
 /**
  * A TypeScript configuration file, usually named `tsconfig.json`.
@@ -178,3 +179,44 @@ private module ResolverConfig implements Folder::ResolveSig {
 }
 
 private module Resolver = Folder::Resolve<ResolverConfig>;
+
+/**
+ * Gets a tsconfig file to use as fallback for handling paths in `c`.
+ *
+ * This holds for files and folders where no tsconfig seems to include it,
+ * but it has one or more tsconfig files in parent directories.
+ */
+private TSConfig getFallbackTSConfig(Container c) {
+  not c = any(TSConfig t).getAnIncludedContainer() and
+  (
+    c = result.getFolder()
+    or
+    result = getFallbackTSConfig(c.getParentContainer())
+  )
+}
+
+private class TSConfigPathMapping extends PathMapping, TSConfig {
+  override File getAnAffectedFile() {
+    result = this.getAnIncludedContainer()
+    or
+    this = getFallbackTSConfig(result)
+  }
+
+  override predicate hasExactPathMapping(string pattern, Container newContext, string newPath) {
+    exists(TSConfig tsconfig |
+      tsconfig = this.getExtendedTSConfig*() and
+      tsconfig.hasExactPathMapping(pattern, newPath) and
+      newContext = tsconfig.getBaseUrlFolderOrOwnFolder()
+    )
+  }
+
+  override predicate hasPrefixPathMapping(string pattern, Container newContext, string newPath) {
+    exists(TSConfig tsconfig |
+      tsconfig = this.getExtendedTSConfig*() and
+      tsconfig.hasPrefixPathMapping(pattern, newPath) and
+      newContext = tsconfig.getBaseUrlFolderOrOwnFolder()
+    )
+  }
+
+  override predicate hasBaseUrl(Container base) { base = this.getBaseUrlFolder() }
+}
@@ -0,0 +1,35 @@
+private import javascript
+
+/**
+ * A path expression that can be constant-folded by concatenating subexpressions.
+ */
+abstract class PathConcatenation extends Expr {
+  /** Gets the separator to insert between paths */
+  string getSeparator() { result = "" }
+
+  /** Gets the `n`th operand to concatenate. */
+  abstract Expr getOperand(int n);
+}
+
+private class AddExprConcatenation extends PathConcatenation, AddExpr {
+  override Expr getOperand(int n) {
+    n = 0 and result = this.getLeftOperand()
+    or
+    n = 1 and result = this.getRightOperand()
+  }
+}
+
+private class TemplateConcatenation extends PathConcatenation, TemplateLiteral {
+  override Expr getOperand(int n) { result = this.getElement(n) }
+}
+
+private class JoinCallConcatenation extends PathConcatenation, CallExpr {
+  JoinCallConcatenation() {
+    this.getReceiver().(VarAccess).getName() = "path" and
+    this.getCalleeName() = ["join", "resolve"]
+  }
+
+  override Expr getOperand(int n) { result = this.getArgument(n) }
+
+  override string getSeparator() { result = "/" }
+}