Merge pull request #15380 from asgerf/js/endpoint-naming

JS: Add library for naming endpoints

Author: asgerf

javascript/ql/lib/semmle/javascript/ApiGraphs.qll

@@ -594,6 +594,9 @@ module API {
       exportedName = "" and
       result = getAModuleImportRaw(moduleName)
     }
+
+    /** Gets a sink node that represents instances of `cls`. */
+    Node getClassInstance(DataFlow::ClassNode cls) { result = Impl::MkClassInstance(cls) }
   }
 
   /**
@@ -1621,6 +1624,7 @@ private predicate exports(string m, DataFlow::Node rhs) {
   exists(Module mod | mod = importableModule(m) |
     rhs = mod.(AmdModule).getDefine().getModuleExpr().flow()
     or
+    not mod.(ES2015Module).hasBothNamedAndDefaultExports() and
     exports(m, "default", rhs)
     or
     exists(ExportAssignDeclaration assgn | assgn.getTopLevel() = mod |
@@ -1634,6 +1638,7 @@ private predicate exports(string m, DataFlow::Node rhs) {
 /** Holds if module `m` exports `rhs` under the name `prop`. */
 private predicate exports(string m, string prop, DataFlow::Node rhs) {
   exists(ExportDeclaration exp | exp.getEnclosingModule() = importableModule(m) |
+    not exp.isTypeOnly() and
     rhs = exp.getSourceNode(prop)
     or
     exists(Variable v |

javascript/ql/lib/semmle/javascript/Classes.qll

@@ -516,16 +516,37 @@ class MemberDeclaration extends @property, Documentable {
    */
   predicate hasPublicKeyword() { has_public_keyword(this) }
 
+  /**
+   * Holds if this member is considered private.
+   *
+   * This may occur in two cases:
+   * - it is a TypeScript member annotated with the `private` keyword, or
+   * - the member has a private name, such as `#foo`, referring to a private field in the class
+   */
+  predicate isPrivate() { this.hasPrivateKeyword() or this.hasPrivateFieldName() }
+
   /**
    * Holds if this is a TypeScript member annotated with the `private` keyword.
    */
-  predicate isPrivate() { has_private_keyword(this) }
+  predicate hasPrivateKeyword() { has_private_keyword(this) }
 
   /**
    * Holds if this is a TypeScript member annotated with the `protected` keyword.
    */
   predicate isProtected() { has_protected_keyword(this) }
 
+  /**
+   * Holds if the member has a private name, such as `#foo`, referring to a private field in the class.
+   *
+   * For example:
+   * ```js
+   * class Foo {
+   *   #method() {}
+   * }
+   * ```
+   */
+  predicate hasPrivateFieldName() { this.getNameExpr().(Label).getName().charAt(0) = "#" }
+
   /**
    * Gets the expression specifying the name of this member,
    * or nothing if this is a call signature.

javascript/ql/lib/semmle/javascript/ES2015Modules.qll

@@ -39,6 +39,20 @@ class ES2015Module extends Module {
     // modules are implicitly strict
     any()
   }
+
+  /**
+   * Holds if this module contains both named and `default` exports.
+   *
+   * This is used to determine whether a default-import of the module should be reinterpreted
+   * as a namespace-import, to accommodate the non-standard behavior implemented by some compilers.
+   *
+   * When a module has both named and `default` exports, the non-standard interpretation can lead to
+   * ambiguities, so we only allow the standard interpretation in that case.
+   */
+  predicate hasBothNamedAndDefaultExports() {
+    hasNamedExports(this) and
+    hasDefaultExport(this)
+  }
 }
 
 /**
@@ -64,17 +78,6 @@ private predicate hasDefaultExport(ES2015Module mod) {
   mod.getAnExport().(ExportNamedDeclaration).getASpecifier().getExportedName() = "default"
 }
 
-/**
- * Holds if `mod` contains both named and `default` exports.
- *
- * This is used to determine whether a default-import of the module should be reinterpreted
- * as a namespace-import, to accommodate the non-standard behavior implemented by some compilers.
- */
-private predicate hasBothNamedAndDefaultExports(ES2015Module mod) {
-  hasNamedExports(mod) and
-  hasDefaultExport(mod)
-}
-
 /**
  * An import declaration.
  *
@@ -131,7 +134,7 @@ class ImportDeclaration extends Stmt, Import, @import_declaration {
       // For compatibility with the non-standard implementation of default imports,
       // treat default imports as namespace imports in cases where it can't cause ambiguity
       // between named exports and the properties of a default-exported object.
-      not hasBothNamedAndDefaultExports(this.getImportedModule()) and
+      not this.getImportedModule().(ES2015Module).hasBothNamedAndDefaultExports() and
       is.getImportedName() = "default"
     )
     or

javascript/ql/lib/semmle/javascript/NPM.qll

@@ -29,7 +29,8 @@ class PackageJson extends JsonObject {
       parentDir.getAChildContainer+() = currentDir and
       pkgNameDiff = currentDir.getAbsolutePath().suffix(parentDir.getAbsolutePath().length()) and
       not exists(pkgNameDiff.indexOf("/node_modules/")) and
-      result = parentPkgName + pkgNameDiff
+      result = parentPkgName + pkgNameDiff and
+      not parentPkg.isPrivate()
     )
   }