JS: Use API graphs in Vue model#6574
Conversation
These are Unit types and so should be kept private as you can't use them for anything other than getting all taint steps of a certain type. Also factors out accesses to 'this'.
asgerf
added
JS
Awaiting evaluation
| * Gets a value that is exported as the whole exports object of this module. | ||
| */ | ||
| cached | ||
| DataFlow::Node getABulkExportedNode() { none() } // overridden in subclasses |
There was a problem hiding this comment.
Check out PackageExport.qll::getAnExportFromModule.
That also attempts to capture bulk exports.
I think you could add overrides for getABulkExportedNode in Closure::ClosureModule and AmdModule, and then use getABulkExportedNode in PackageExport.qll::getAnExportFromModule.
(That would also give you more complete support for other module types, although I doubt that's relevant for Vue).
There was a problem hiding this comment.
Done.
Note that there was some dodgy behaviour in getAnExportFromModule regarding the use of type inference:
result.analyze().getAValue() = mod.(AmdModule).getDefine().getAModuleExportsValue()AFAICT, if the exported value was potentially undefined, then any node that could potentially be undefined would be seen as being an export from that AMD module 😖. (Likewise for any other abstract value, such as null)
It's hard to predict what effect this will have, and we might lose some results that were previously caught by chance because of this. For now I'll just evaluate on default slugs again, but maybe we should run something larger.
There was a problem hiding this comment.
AFAICT, if the exported value was potentially undefined, then any node that could potentially be undefined would be seen as being an export from that AMD module confounded.
Oops. Luckily that can only happen if there exists such an AmdModule export in the project. And I expect that to be very rare.
| /** | ||
| * An import referring to a `.vue` file, seen as an API entry point. | ||
| * | ||
| * Concretely, such an import receives the Vue component generated from the .vue file, | ||
| * not the actual exports of the script tag in the file. | ||
| */ |
There was a problem hiding this comment.
Add into the comment that this entrypoint is used in SingleFileComponent::getComponentRef().
| override DataFlow::Node getARhs() { none() } | ||
| } | ||
|
|
||
| /** A value exported from a `.vue` file. */ |
There was a problem hiding this comment.
| /** A value exported from a `.vue` file. */ | |
| /** | |
| * A value exported from a `.vue` file. | |
| * This `EntryPoint` is used by `SingleFileComponent::getOwnOptions()`. | |
| */ |
asgerf
force-pushed
the
js/vue-api-graphs
branch
from
a0525b0 to
4b1f918
Compare
|
Evaluation on default slugs looks good. AFAICT the lost results are due to fixing the issue mentioned in #6574 (comment). |
asgerf
removed
the
Awaiting evaluation
3 participants
Makes the Vue model use API graphs where possible without breaking up the existing interface too much.
Evaluations: