
@erik-krogh
Contributor

Gets a TP/TN for CVE-2019-10778

I originally made this as part of the js/shell-command-constructed-from-input query.
But back then an evaluation came back with mixed results, so I shelved the implementation.

I dug the implementation up again, refactored it a bit, and added support for rootDir.

Performance looks fine now.

@github-actions github-actions bot added the JS label Oct 27, 2020
@asgerf
Contributor

asgerf commented Oct 27, 2020

Hm, the extractor already determines the effective main file for each package.json file. I'd prefer to extract that information and use it in QL, rather than redo the same work in QL.

@erik-krogh
Contributor Author

Hm, the extractor already determines the effective main file for each package.json file. I'd prefer to extract that information and use it in QL, rather than redo the same work in QL.

I'm not sure it's straightforward to use that extractor code here.

The existing extractor code is only for determining the main import - without regard to where the compiled code ends up.
And the code in this PR is establishing a link between the source code and the compiled code.
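The distinction drawn in this comment is between two questions: which file is the package's entry point, and which source file that entry point was compiled from. The following is an added illustration of that second step, not the CodeQL extractor's logic and not the QL from this PR. It assumes the common TypeScript layout in which `compilerOptions.rootDir` is compiled into `compilerOptions.outDir` and a `.js` output file corresponds to a `.ts` source file with the same relative path; the `package.json` and `tsconfig.json` contents are constructed samples.

```python
import json
import posixpath
from typing import Optional

# Constructed sample inputs (not taken from the PR): a package.json whose
# "main" points into compiled output, and a tsconfig.json that maps
# rootDir -> outDir. Paths are POSIX-style, as they would appear in package.json.
PACKAGE_JSON = json.dumps({"name": "demo", "main": "./dist/index.js"})
TSCONFIG_JSON = json.dumps({"compilerOptions": {"rootDir": "src", "outDir": "dist"}})


def effective_main(package_json: str) -> str:
    """Return the package's entry file, relative to the package root.

    Node falls back to index.js when "main" is absent. An entry that ends
    with "/" is treated as a directory (index.js inside it), and an
    extensionless entry is assumed to mean "<entry>.js"; both are
    simplifying assumptions of this example, not the full Node algorithm.
    """
    main = json.loads(package_json).get("main") or "index.js"
    if main.endswith("/"):
        main += "index.js"
    if not posixpath.splitext(main)[1]:
        main += ".js"
    return posixpath.normpath(main)


def compiled_to_source(compiled: str, tsconfig_json: str) -> Optional[str]:
    """Map a compiled .js path back to the .ts source it was built from.

    Returns None when the file is not under outDir (so it is not compiled
    output under the assumed layout) or is not a .js file.
    """
    opts = json.loads(tsconfig_json).get("compilerOptions", {})
    out_dir = posixpath.normpath(opts.get("outDir", "."))
    root_dir = posixpath.normpath(opts.get("rootDir", "."))
    compiled = posixpath.normpath(compiled)

    if out_dir == ".":
        relative = compiled
    elif compiled.startswith(out_dir + "/"):
        relative = compiled[len(out_dir) + 1:]
    else:
        return None  # lives outside outDir: not something tsc produced here

    base, ext = posixpath.splitext(relative)
    if ext != ".js":
        return None
    return posixpath.normpath(posixpath.join(root_dir, base + ".ts"))


def source_of_package_entry(package_json: str, tsconfig_json: str) -> Optional[str]:
    """Combine both steps: entry point first, then the source file behind it."""
    return compiled_to_source(effective_main(package_json), tsconfig_json)


if __name__ == "__main__":
    # Expected: dist/index.js -> src/index.ts
    print(effective_main(PACKAGE_JSON), "->", source_of_package_entry(PACKAGE_JSON, TSCONFIG_JSON))
```

The point of separating the two functions is the one made in the comment: resolving `main` alone tells an analysis where the shipped entry point is, but a query that reasons about the code in `src/` still needs the second mapping to know that `src/index.ts` is what an importer of the package actually executes.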

@asgerf
Contributor

asgerf commented Oct 30, 2020

Ah, great! I looked at the code for the CVE and it seemed the main problem was to identify the entry point for the package, but I see now that the problem is actually connecting that entry point to the real package contents. 👍

@erik-krogh erik-krogh marked this pull request as ready for review October 30, 2020 09:40
@erik-krogh erik-krogh requested a review from a team as a code owner October 30, 2020 09:40
@codeql-ci codeql-ci merged commit 89a808c into github:main Nov 5, 2020
