@coana-tech/cli 14.12.167 → 14.12.169
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cli.mjs +36 -8
- package/package.json +1 -1
- package/reachability-analyzers-cli.mjs +42 -12
- package/repos/coana-tech/goana/bin/goana-darwin-amd64.gz +0 -0
- package/repos/coana-tech/goana/bin/goana-darwin-arm64.gz +0 -0
- package/repos/coana-tech/goana/bin/goana-linux-amd64.gz +0 -0
- package/repos/coana-tech/goana/bin/goana-linux-arm64.gz +0 -0
- package/repos/coana-tech/javap-service/javap-service.jar +0 -0
- package/repos/coana-tech/jelly-private/dist/bundle/approx.js +3 -3
- package/repos/coana-tech/jelly-private/dist/bundle/{chunk-BV33FESD.js → chunk-2EM22I7M.js} +2 -2
- package/repos/coana-tech/jelly-private/dist/bundle/{chunk-AAKFGMVW.js → chunk-NHEUSYVH.js} +81 -51
- package/repos/coana-tech/jelly-private/dist/bundle/{chunk-ID4Q5QL5.js → chunk-USUJB4DB.js} +2 -2
- package/repos/coana-tech/jelly-private/dist/bundle/{chunk-AEP2QDUI.js → chunk-ZYU33ERK.js} +2 -2
- package/repos/coana-tech/jelly-private/dist/bundle/hooks.js +3 -3
- package/repos/coana-tech/jelly-private/dist/bundle/jelly.js +93 -31
package/cli.mjs
CHANGED
|
@@ -205427,7 +205427,7 @@ var TelemetryCollector = class _TelemetryCollector {
|
|
|
205427
205427
|
// ../utils/src/telemetry/analyzer-telemetry-server.ts
|
|
205428
205428
|
import { existsSync, readFileSync, watchFile, unwatchFile } from "fs";
|
|
205429
205429
|
import { unlink, writeFile } from "fs/promises";
|
|
205430
|
-
import { tmpdir } from "os";
|
|
205430
|
+
import { freemem, tmpdir } from "os";
|
|
205431
205431
|
import { join as join2 } from "path";
|
|
205432
205432
|
import { randomBytes } from "crypto";
|
|
205433
205433
|
var AnalyzerTelemetryServer = class {
|
|
@@ -205463,6 +205463,7 @@ var AnalyzerTelemetryServer = class {
|
|
|
205463
205463
|
try {
|
|
205464
205464
|
const parsed = JSON.parse(line);
|
|
205465
205465
|
const event = "data" in parsed && Object.keys(parsed).length === 1 ? parsed : { data: parsed };
|
|
205466
|
+
event.data.freeMemoryMB = freemem();
|
|
205466
205467
|
this.handler.onAnalyzerEvent(event);
|
|
205467
205468
|
} catch {
|
|
205468
205469
|
}
|
|
@@ -205685,11 +205686,37 @@ function argt(statics, ...values) {
|
|
|
205685
205686
|
if (carry !== void 0) res.push(carry);
|
|
205686
205687
|
return res;
|
|
205687
205688
|
}
|
|
205688
|
-
|
|
205689
|
-
|
|
205690
|
-
return
|
|
205691
|
-
|
|
205692
|
-
|
|
205689
|
+
function parseShellArgs(args2) {
|
|
205690
|
+
const s6 = args2.trim();
|
|
205691
|
+
if (!s6) return [];
|
|
205692
|
+
const result = [];
|
|
205693
|
+
let currentToken = "";
|
|
205694
|
+
let quoteChar = null;
|
|
205695
|
+
for (let i7 = 0; i7 < s6.length; i7++) {
|
|
205696
|
+
const char = s6[i7];
|
|
205697
|
+
if (quoteChar !== null) {
|
|
205698
|
+
if (quoteChar === '"' && char === "\\" && s6[i7 + 1] === '"') {
|
|
205699
|
+
currentToken += '"';
|
|
205700
|
+
i7++;
|
|
205701
|
+
} else if (char === quoteChar)
|
|
205702
|
+
quoteChar = null;
|
|
205703
|
+
else
|
|
205704
|
+
currentToken += char;
|
|
205705
|
+
} else {
|
|
205706
|
+
if (char === '"' || char === "'")
|
|
205707
|
+
quoteChar = char;
|
|
205708
|
+
else if (/\s/.test(char)) {
|
|
205709
|
+
if (currentToken.length) {
|
|
205710
|
+
result.push(currentToken);
|
|
205711
|
+
currentToken = "";
|
|
205712
|
+
}
|
|
205713
|
+
} else
|
|
205714
|
+
currentToken += char;
|
|
205715
|
+
}
|
|
205716
|
+
}
|
|
205717
|
+
if (quoteChar !== null) throw new Error(`Unclosed ${quoteChar} quote`);
|
|
205718
|
+
if (currentToken.length) result.push(currentToken);
|
|
205719
|
+
return result;
|
|
205693
205720
|
}
|
|
205694
205721
|
|
|
205695
205722
|
// ../utils/src/file-utils.ts
|
|
@@ -224700,7 +224727,7 @@ var TelemetryCollector2 = class _TelemetryCollector {
|
|
|
224700
224727
|
// ../utils/dist/telemetry/analyzer-telemetry-server.js
|
|
224701
224728
|
import { existsSync as existsSync10, readFileSync as readFileSync3, watchFile as watchFile2, unwatchFile as unwatchFile2 } from "fs";
|
|
224702
224729
|
import { unlink as unlink2, writeFile as writeFile5 } from "fs/promises";
|
|
224703
|
-
import { tmpdir as tmpdir3 } from "os";
|
|
224730
|
+
import { freemem as freemem2, tmpdir as tmpdir3 } from "os";
|
|
224704
224731
|
import { join as join10 } from "path";
|
|
224705
224732
|
import { randomBytes as randomBytes3 } from "crypto";
|
|
224706
224733
|
var AnalyzerTelemetryServer2 = class {
|
|
@@ -224739,6 +224766,7 @@ var AnalyzerTelemetryServer2 = class {
|
|
|
224739
224766
|
try {
|
|
224740
224767
|
const parsed = JSON.parse(line);
|
|
224741
224768
|
const event = "data" in parsed && Object.keys(parsed).length === 1 ? parsed : { data: parsed };
|
|
224769
|
+
event.data.freeMemoryMB = freemem2();
|
|
224742
224770
|
this.handler.onAnalyzerEvent(event);
|
|
224743
224771
|
} catch {
|
|
224744
224772
|
}
|
|
@@ -251307,7 +251335,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
|
|
|
251307
251335
|
}
|
|
251308
251336
|
|
|
251309
251337
|
// dist/version.js
|
|
251310
|
-
var version3 = "14.12.
|
|
251338
|
+
var version3 = "14.12.169";
|
|
251311
251339
|
|
|
251312
251340
|
// dist/cli-core.js
|
|
251313
251341
|
var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;
|
package/package.json
CHANGED
|
@@ -81107,7 +81107,7 @@ var TelemetryCollector = class _TelemetryCollector {
|
|
|
81107
81107
|
// ../utils/src/telemetry/analyzer-telemetry-server.ts
|
|
81108
81108
|
import { existsSync, readFileSync, watchFile, unwatchFile } from "fs";
|
|
81109
81109
|
import { unlink, writeFile as writeFile2 } from "fs/promises";
|
|
81110
|
-
import { tmpdir } from "os";
|
|
81110
|
+
import { freemem, tmpdir } from "os";
|
|
81111
81111
|
import { join as join2 } from "path";
|
|
81112
81112
|
import { randomBytes } from "crypto";
|
|
81113
81113
|
var AnalyzerTelemetryServer = class {
|
|
@@ -81143,6 +81143,7 @@ var AnalyzerTelemetryServer = class {
|
|
|
81143
81143
|
try {
|
|
81144
81144
|
const parsed = JSON.parse(line);
|
|
81145
81145
|
const event = "data" in parsed && Object.keys(parsed).length === 1 ? parsed : { data: parsed };
|
|
81146
|
+
event.data.freeMemoryMB = freemem();
|
|
81146
81147
|
this.handler.onAnalyzerEvent(event);
|
|
81147
81148
|
} catch {
|
|
81148
81149
|
}
|
|
@@ -81373,11 +81374,37 @@ function argt(statics, ...values) {
|
|
|
81373
81374
|
if (carry !== void 0) res.push(carry);
|
|
81374
81375
|
return res;
|
|
81375
81376
|
}
|
|
81376
|
-
|
|
81377
|
-
|
|
81378
|
-
return
|
|
81379
|
-
|
|
81380
|
-
|
|
81377
|
+
function parseShellArgs(args) {
|
|
81378
|
+
const s2 = args.trim();
|
|
81379
|
+
if (!s2) return [];
|
|
81380
|
+
const result = [];
|
|
81381
|
+
let currentToken = "";
|
|
81382
|
+
let quoteChar = null;
|
|
81383
|
+
for (let i4 = 0; i4 < s2.length; i4++) {
|
|
81384
|
+
const char = s2[i4];
|
|
81385
|
+
if (quoteChar !== null) {
|
|
81386
|
+
if (quoteChar === '"' && char === "\\" && s2[i4 + 1] === '"') {
|
|
81387
|
+
currentToken += '"';
|
|
81388
|
+
i4++;
|
|
81389
|
+
} else if (char === quoteChar)
|
|
81390
|
+
quoteChar = null;
|
|
81391
|
+
else
|
|
81392
|
+
currentToken += char;
|
|
81393
|
+
} else {
|
|
81394
|
+
if (char === '"' || char === "'")
|
|
81395
|
+
quoteChar = char;
|
|
81396
|
+
else if (/\s/.test(char)) {
|
|
81397
|
+
if (currentToken.length) {
|
|
81398
|
+
result.push(currentToken);
|
|
81399
|
+
currentToken = "";
|
|
81400
|
+
}
|
|
81401
|
+
} else
|
|
81402
|
+
currentToken += char;
|
|
81403
|
+
}
|
|
81404
|
+
}
|
|
81405
|
+
if (quoteChar !== null) throw new Error(`Unclosed ${quoteChar} quote`);
|
|
81406
|
+
if (currentToken.length) result.push(currentToken);
|
|
81407
|
+
return result;
|
|
81381
81408
|
}
|
|
81382
81409
|
|
|
81383
81410
|
// ../utils/src/command-utils-with-debug-logging.ts
|
|
@@ -110075,7 +110102,7 @@ import { existsSync as existsSync8, readdirSync as readdirSync4, statSync as sta
|
|
|
110075
110102
|
import { join as join13 } from "path";
|
|
110076
110103
|
var { memoize } = import_lodash7.default;
|
|
110077
110104
|
var memoizedParseShellArgs = memoize(parseShellArgs);
|
|
110078
|
-
|
|
110105
|
+
function getMavenCLIOpts() {
|
|
110079
110106
|
const opts = process.env.MAVEN_CLI_OPTS;
|
|
110080
110107
|
return opts ? memoizedParseShellArgs(opts) : [];
|
|
110081
110108
|
}
|
|
@@ -110090,7 +110117,7 @@ async function isMavenInstalled() {
|
|
|
110090
110117
|
async function findLocalRepository() {
|
|
110091
110118
|
try {
|
|
110092
110119
|
return await runCommandResolveStdOut2(
|
|
110093
|
-
cmdt`mvn ${
|
|
110120
|
+
cmdt`mvn ${getMavenCLIOpts()} help:evaluate -Dexpression=settings.localRepository -q -DforceStdout`
|
|
110094
110121
|
);
|
|
110095
110122
|
} catch (e) {
|
|
110096
110123
|
return void 0;
|
|
@@ -110988,10 +111015,14 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
|
|
|
110988
111015
|
const jellyExecutable = ToolPathResolver.jellyPath;
|
|
110989
111016
|
const vulnerabilitiesInJellyFormat = vulnerabilities.map((v) => {
|
|
110990
111017
|
assert4(v.range);
|
|
111018
|
+
let patterns = v.vulnerabilityAccessPaths;
|
|
111019
|
+
if (experiment === "AUGMENT_IMPORT_PATHS_EXPERIMENT")
|
|
111020
|
+
patterns = patterns.map((p) => p.replace(">", "/**>"));
|
|
111021
|
+
if (patterns.some((p) => p.includes("?")) && patterns.some((p) => p.includes("(cbarg)")))
|
|
111022
|
+
patterns = patterns.filter((p) => !p.includes("?"));
|
|
110991
111023
|
return {
|
|
110992
111024
|
npm: v,
|
|
110993
|
-
patterns
|
|
110994
|
-
// Replace > with /**> to ensure Jelly also matches call <PKG/dist/index.js>.foo for pattern <PKG>.foo
|
|
111025
|
+
patterns
|
|
110995
111026
|
};
|
|
110996
111027
|
});
|
|
110997
111028
|
const vulnerabilitiesFile = resolve13(tmpFolder, "vulnerabilities.json");
|
|
@@ -111002,7 +111033,6 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
|
|
|
111002
111033
|
await writeFile7(vulnerabilitiesFile, JSON.stringify(vulnerabilitiesInJellyFormat));
|
|
111003
111034
|
const useLazy = experiment === "LAZY_EXPERIMENT" || reachabilityAnalysisOptions.lazy;
|
|
111004
111035
|
const { includePackages } = jellyOptions;
|
|
111005
|
-
const additionalFlags = process.env.JELLY_ADDITIONAL_FLAGS?.split(/\s+/).filter(Boolean) ?? [];
|
|
111006
111036
|
const jellyCmd = cmdt`
|
|
111007
111037
|
${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${reachabilityAnalysisOptions.memoryLimitInMB ?? 8192}
|
|
111008
111038
|
${logFile && // Enable verbose GC tracing if log file is requested
|
|
@@ -111019,7 +111049,7 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
|
|
|
111019
111049
|
${!!includePackages && (includePackages.length ? ["--include-packages", ...includePackages] : ["--ignore-dependencies"])}
|
|
111020
111050
|
${jellyOptions.approx && "--approx"}
|
|
111021
111051
|
--callstacks-json ${callStackFile}
|
|
111022
|
-
${
|
|
111052
|
+
${parseShellArgs(process.env.JELLY_ADDITIONAL_FLAGS ?? "")}
|
|
111023
111053
|
${filesToAnalyze}
|
|
111024
111054
|
`;
|
|
111025
111055
|
if (PRINT_JELLY_COMMAND)
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
Binary file
|
|
@@ -7,11 +7,11 @@ import "./iterator-helpers-polyfill.js";
|
|
|
7
7
|
import {
|
|
8
8
|
require_hints,
|
|
9
9
|
require_parser
|
|
10
|
-
} from "./chunk-
|
|
10
|
+
} from "./chunk-2EM22I7M.js";
|
|
11
11
|
import {
|
|
12
12
|
require_proxy,
|
|
13
13
|
require_sandbox
|
|
14
|
-
} from "./chunk-
|
|
14
|
+
} from "./chunk-USUJB4DB.js";
|
|
15
15
|
import {
|
|
16
16
|
__commonJS,
|
|
17
17
|
__name,
|
|
@@ -21,7 +21,7 @@ import {
|
|
|
21
21
|
require_options,
|
|
22
22
|
require_transform,
|
|
23
23
|
require_util
|
|
24
|
-
} from "./chunk-
|
|
24
|
+
} from "./chunk-NHEUSYVH.js";
|
|
25
25
|
|
|
26
26
|
// lib/approx/approx.js
|
|
27
27
|
var require_approx = __commonJS({
|
|
@@ -14,7 +14,7 @@ import {
|
|
|
14
14
|
require_options,
|
|
15
15
|
require_tokens,
|
|
16
16
|
require_util
|
|
17
|
-
} from "./chunk-
|
|
17
|
+
} from "./chunk-NHEUSYVH.js";
|
|
18
18
|
|
|
19
19
|
// lib/parsing/parser.js
|
|
20
20
|
var require_parser = __commonJS({
|
|
@@ -516,4 +516,4 @@ export {
|
|
|
516
516
|
require_patching,
|
|
517
517
|
require_hints
|
|
518
518
|
};
|
|
519
|
-
//# sourceMappingURL=chunk-
|
|
519
|
+
//# sourceMappingURL=chunk-2EM22I7M.js.map
|
|
@@ -11794,54 +11794,55 @@ var require_listeners = __commonJS({
|
|
|
11794
11794
|
TokenListener2[TokenListener2["CALL_FUNCTION"] = 2] = "CALL_FUNCTION";
|
|
11795
11795
|
TokenListener2[TokenListener2["CALL_REQUIRE"] = 3] = "CALL_REQUIRE";
|
|
11796
11796
|
TokenListener2[TokenListener2["CALL_EXTERNAL"] = 4] = "CALL_EXTERNAL";
|
|
11797
|
-
TokenListener2[TokenListener2["
|
|
11798
|
-
TokenListener2[TokenListener2["
|
|
11799
|
-
TokenListener2[TokenListener2["
|
|
11800
|
-
TokenListener2[TokenListener2["
|
|
11801
|
-
TokenListener2[TokenListener2["
|
|
11802
|
-
TokenListener2[TokenListener2["
|
|
11803
|
-
TokenListener2[TokenListener2["
|
|
11804
|
-
TokenListener2[TokenListener2["
|
|
11805
|
-
TokenListener2[TokenListener2["
|
|
11806
|
-
TokenListener2[TokenListener2["
|
|
11807
|
-
TokenListener2[TokenListener2["
|
|
11808
|
-
TokenListener2[TokenListener2["
|
|
11809
|
-
TokenListener2[TokenListener2["
|
|
11810
|
-
TokenListener2[TokenListener2["
|
|
11811
|
-
TokenListener2[TokenListener2["
|
|
11812
|
-
TokenListener2[TokenListener2["
|
|
11813
|
-
TokenListener2[TokenListener2["
|
|
11814
|
-
TokenListener2[TokenListener2["
|
|
11815
|
-
TokenListener2[TokenListener2["
|
|
11816
|
-
TokenListener2[TokenListener2["
|
|
11817
|
-
TokenListener2[TokenListener2["
|
|
11818
|
-
TokenListener2[TokenListener2["
|
|
11819
|
-
TokenListener2[TokenListener2["
|
|
11820
|
-
TokenListener2[TokenListener2["
|
|
11821
|
-
TokenListener2[TokenListener2["
|
|
11822
|
-
TokenListener2[TokenListener2["
|
|
11823
|
-
TokenListener2[TokenListener2["
|
|
11824
|
-
TokenListener2[TokenListener2["
|
|
11825
|
-
TokenListener2[TokenListener2["
|
|
11826
|
-
TokenListener2[TokenListener2["
|
|
11827
|
-
TokenListener2[TokenListener2["
|
|
11828
|
-
TokenListener2[TokenListener2["
|
|
11829
|
-
TokenListener2[TokenListener2["
|
|
11830
|
-
TokenListener2[TokenListener2["
|
|
11831
|
-
TokenListener2[TokenListener2["
|
|
11832
|
-
TokenListener2[TokenListener2["
|
|
11833
|
-
TokenListener2[TokenListener2["
|
|
11834
|
-
TokenListener2[TokenListener2["
|
|
11835
|
-
TokenListener2[TokenListener2["
|
|
11836
|
-
TokenListener2[TokenListener2["
|
|
11837
|
-
TokenListener2[TokenListener2["
|
|
11838
|
-
TokenListener2[TokenListener2["
|
|
11839
|
-
TokenListener2[TokenListener2["
|
|
11840
|
-
TokenListener2[TokenListener2["
|
|
11841
|
-
TokenListener2[TokenListener2["
|
|
11842
|
-
TokenListener2[TokenListener2["
|
|
11843
|
-
TokenListener2[TokenListener2["
|
|
11844
|
-
TokenListener2[TokenListener2["
|
|
11797
|
+
TokenListener2[TokenListener2["CALLBACK_ARGUMENT"] = 5] = "CALLBACK_ARGUMENT";
|
|
11798
|
+
TokenListener2[TokenListener2["READ_BASE"] = 6] = "READ_BASE";
|
|
11799
|
+
TokenListener2[TokenListener2["READ_BASE_DYNAMIC"] = 7] = "READ_BASE_DYNAMIC";
|
|
11800
|
+
TokenListener2[TokenListener2["READ_GETTER"] = 8] = "READ_GETTER";
|
|
11801
|
+
TokenListener2[TokenListener2["READ_GETTER_THIS"] = 9] = "READ_GETTER_THIS";
|
|
11802
|
+
TokenListener2[TokenListener2["WRITE_BASE"] = 10] = "WRITE_BASE";
|
|
11803
|
+
TokenListener2[TokenListener2["WRITE_BASE_DYNAMIC"] = 11] = "WRITE_BASE_DYNAMIC";
|
|
11804
|
+
TokenListener2[TokenListener2["WRITE_SETTER"] = 12] = "WRITE_SETTER";
|
|
11805
|
+
TokenListener2[TokenListener2["WRITE_SETTER_THIS"] = 13] = "WRITE_SETTER_THIS";
|
|
11806
|
+
TokenListener2[TokenListener2["WRITE_OBJECT_PATTERN_REST"] = 14] = "WRITE_OBJECT_PATTERN_REST";
|
|
11807
|
+
TokenListener2[TokenListener2["WRITE_OBJECT_PATTERN_REST_PROPERTIES"] = 15] = "WRITE_OBJECT_PATTERN_REST_PROPERTIES";
|
|
11808
|
+
TokenListener2[TokenListener2["WRITE_ARRAY_PATTERN_REST"] = 16] = "WRITE_ARRAY_PATTERN_REST";
|
|
11809
|
+
TokenListener2[TokenListener2["WRITE_ARRAY_PATTERN_REST_ARRAY"] = 17] = "WRITE_ARRAY_PATTERN_REST_ARRAY";
|
|
11810
|
+
TokenListener2[TokenListener2["WRITE_REQUIRE_EXTENSIONS"] = 18] = "WRITE_REQUIRE_EXTENSIONS";
|
|
11811
|
+
TokenListener2[TokenListener2["IMPORT_BASE"] = 19] = "IMPORT_BASE";
|
|
11812
|
+
TokenListener2[TokenListener2["EXPORT_BASE"] = 20] = "EXPORT_BASE";
|
|
11813
|
+
TokenListener2[TokenListener2["ANCESTORS"] = 21] = "ANCESTORS";
|
|
11814
|
+
TokenListener2[TokenListener2["READ_ANCESTORS"] = 22] = "READ_ANCESTORS";
|
|
11815
|
+
TokenListener2[TokenListener2["WRITE_ANCESTORS"] = 23] = "WRITE_ANCESTORS";
|
|
11816
|
+
TokenListener2[TokenListener2["CLASS_FIELD"] = 24] = "CLASS_FIELD";
|
|
11817
|
+
TokenListener2[TokenListener2["EXTENDS"] = 25] = "EXTENDS";
|
|
11818
|
+
TokenListener2[TokenListener2["READ_ITERATOR_VALUE"] = 26] = "READ_ITERATOR_VALUE";
|
|
11819
|
+
TokenListener2[TokenListener2["OBJECT_SPREAD"] = 27] = "OBJECT_SPREAD";
|
|
11820
|
+
TokenListener2[TokenListener2["CALL_PROMISE_EXECUTOR"] = 28] = "CALL_PROMISE_EXECUTOR";
|
|
11821
|
+
TokenListener2[TokenListener2["CALL_PROMISE_RESOLVE"] = 29] = "CALL_PROMISE_RESOLVE";
|
|
11822
|
+
TokenListener2[TokenListener2["CALL_PROMISE_ONFULFILLED"] = 30] = "CALL_PROMISE_ONFULFILLED";
|
|
11823
|
+
TokenListener2[TokenListener2["CALL_PROMISE_ONREJECTED"] = 31] = "CALL_PROMISE_ONREJECTED";
|
|
11824
|
+
TokenListener2[TokenListener2["CALL_PROMISE_ONFINALLY"] = 32] = "CALL_PROMISE_ONFINALLY";
|
|
11825
|
+
TokenListener2[TokenListener2["MAKE_PROMISE_RESOLVE"] = 33] = "MAKE_PROMISE_RESOLVE";
|
|
11826
|
+
TokenListener2[TokenListener2["MAKE_PROMISE_REJECT"] = 34] = "MAKE_PROMISE_REJECT";
|
|
11827
|
+
TokenListener2[TokenListener2["MAKE_PROMISE_ALL"] = 35] = "MAKE_PROMISE_ALL";
|
|
11828
|
+
TokenListener2[TokenListener2["MAKE_PROMISE_ALLSETTLED"] = 36] = "MAKE_PROMISE_ALLSETTLED";
|
|
11829
|
+
TokenListener2[TokenListener2["MAKE_PROMISE_ANY"] = 37] = "MAKE_PROMISE_ANY";
|
|
11830
|
+
TokenListener2[TokenListener2["MAKE_PROMISE_RACE"] = 38] = "MAKE_PROMISE_RACE";
|
|
11831
|
+
TokenListener2[TokenListener2["AWAIT"] = 39] = "AWAIT";
|
|
11832
|
+
TokenListener2[TokenListener2["JSX_ELEMENT"] = 40] = "JSX_ELEMENT";
|
|
11833
|
+
TokenListener2[TokenListener2["NATIVE_INVOKE_CALLBACK"] = 41] = "NATIVE_INVOKE_CALLBACK";
|
|
11834
|
+
TokenListener2[TokenListener2["NATIVE_INVOKE_CALLBACK2"] = 42] = "NATIVE_INVOKE_CALLBACK2";
|
|
11835
|
+
TokenListener2[TokenListener2["NATIVE_INVOKE_CALL_APPLY2"] = 43] = "NATIVE_INVOKE_CALL_APPLY2";
|
|
11836
|
+
TokenListener2[TokenListener2["NATIVE_INVOKE_CALL_APPLY3"] = 44] = "NATIVE_INVOKE_CALL_APPLY3";
|
|
11837
|
+
TokenListener2[TokenListener2["NATIVE_ASSIGN_PROPERTIES"] = 45] = "NATIVE_ASSIGN_PROPERTIES";
|
|
11838
|
+
TokenListener2[TokenListener2["NATIVE_ASSIGN_PROPERTIES2"] = 46] = "NATIVE_ASSIGN_PROPERTIES2";
|
|
11839
|
+
TokenListener2[TokenListener2["NATIVE_ASSIGN_PROPERTIES3"] = 47] = "NATIVE_ASSIGN_PROPERTIES3";
|
|
11840
|
+
TokenListener2[TokenListener2["NATIVE_OBJECT_DEFINE_PROPERTY"] = 48] = "NATIVE_OBJECT_DEFINE_PROPERTY";
|
|
11841
|
+
TokenListener2[TokenListener2["NATIVE_OBJECT_DEFINE_PROPERTIES"] = 49] = "NATIVE_OBJECT_DEFINE_PROPERTIES";
|
|
11842
|
+
TokenListener2[TokenListener2["NATIVE_ASSIGN_ITERATOR_MAP_VALUE_PAIRS"] = 50] = "NATIVE_ASSIGN_ITERATOR_MAP_VALUE_PAIRS";
|
|
11843
|
+
TokenListener2[TokenListener2["NATIVE_ASSIGN_BASE_ARRAY_ARRAY_VALUE_TO_ARRAY"] = 51] = "NATIVE_ASSIGN_BASE_ARRAY_ARRAY_VALUE_TO_ARRAY";
|
|
11844
|
+
TokenListener2[TokenListener2["NATIVE_RETURN_PROTOTYPE_OF"] = 52] = "NATIVE_RETURN_PROTOTYPE_OF";
|
|
11845
|
+
TokenListener2[TokenListener2["NATIVE_SET_PROTOTYPE_OF"] = 53] = "NATIVE_SET_PROTOTYPE_OF";
|
|
11845
11846
|
})(TokenListener || (exports.TokenListener = TokenListener = {}));
|
|
11846
11847
|
}
|
|
11847
11848
|
});
|
|
@@ -13746,8 +13747,9 @@ var require_accesspaths = __commonJS({
|
|
|
13746
13747
|
"lib/analysis/accesspaths.js"(exports) {
|
|
13747
13748
|
"use strict";
|
|
13748
13749
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
13749
|
-
exports.LazyAccessPath = exports.UnknownAccessPath = exports.IgnoredAccessPath = exports.ComponentAccessPath = exports.CallResultAccessPath = exports.PropertyAccessPath = exports.ModuleAccessPath = exports.PatternAccessPath = exports.AccessPath = void 0;
|
|
13750
|
+
exports.LazyAccessPath = exports.UnknownAccessPath = exports.IgnoredAccessPath = exports.CallbackArgumentAccessPath = exports.ComponentAccessPath = exports.CallResultAccessPath = exports.PropertyAccessPath = exports.ModuleAccessPath = exports.PatternAccessPath = exports.AccessPath = void 0;
|
|
13750
13751
|
var infos_1 = require_infos();
|
|
13752
|
+
var util_1 = require_util();
|
|
13751
13753
|
var AccessPath = class {
|
|
13752
13754
|
static {
|
|
13753
13755
|
__name(this, "AccessPath");
|
|
@@ -13821,6 +13823,17 @@ var require_accesspaths = __commonJS({
|
|
|
13821
13823
|
}
|
|
13822
13824
|
};
|
|
13823
13825
|
exports.ComponentAccessPath = ComponentAccessPath;
|
|
13826
|
+
var CallbackArgumentAccessPath = class extends PatternAccessPath {
|
|
13827
|
+
static {
|
|
13828
|
+
__name(this, "CallbackArgumentAccessPath");
|
|
13829
|
+
}
|
|
13830
|
+
fun;
|
|
13831
|
+
constructor(fun) {
|
|
13832
|
+
super(`(cbarg)[${(0, util_1.locationToStringWithFileAndEnd)(fun.loc, true)}]`);
|
|
13833
|
+
this.fun = fun;
|
|
13834
|
+
}
|
|
13835
|
+
};
|
|
13836
|
+
exports.CallbackArgumentAccessPath = CallbackArgumentAccessPath;
|
|
13824
13837
|
var IgnoredAccessPath = class _IgnoredAccessPath extends AccessPath {
|
|
13825
13838
|
static {
|
|
13826
13839
|
__name(this, "IgnoredAccessPath");
|
|
@@ -14457,7 +14470,7 @@ var require_constraintvars = __commonJS({
|
|
|
14457
14470
|
return mod && mod.__esModule ? mod : { "default": mod };
|
|
14458
14471
|
};
|
|
14459
14472
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
14460
|
-
exports.ReadResultVar = exports.AncestorsVar = exports.IntermediateVar = exports.ArgumentsVar = exports.ThisVar = exports.FunctionReturnVar = exports.ObjectPropertyVar = exports.NodeVar = exports.ConstraintVar = void 0;
|
|
14473
|
+
exports.CallbackReceiverVar = exports.ReadResultVar = exports.AncestorsVar = exports.IntermediateVar = exports.ArgumentsVar = exports.ThisVar = exports.FunctionReturnVar = exports.ObjectPropertyVar = exports.NodeVar = exports.ConstraintVar = void 0;
|
|
14461
14474
|
exports.isObjectPropertyVarObj = isObjectPropertyVarObj;
|
|
14462
14475
|
var types_1 = __require("@babel/types");
|
|
14463
14476
|
var util_1 = require_util();
|
|
@@ -14646,6 +14659,23 @@ var require_constraintvars = __commonJS({
|
|
|
14646
14659
|
}
|
|
14647
14660
|
};
|
|
14648
14661
|
exports.ReadResultVar = ReadResultVar;
|
|
14662
|
+
var CallbackReceiverVar = class extends ConstraintVar {
|
|
14663
|
+
static {
|
|
14664
|
+
__name(this, "CallbackReceiverVar");
|
|
14665
|
+
}
|
|
14666
|
+
fun;
|
|
14667
|
+
constructor(fun) {
|
|
14668
|
+
super();
|
|
14669
|
+
this.fun = fun;
|
|
14670
|
+
}
|
|
14671
|
+
toString() {
|
|
14672
|
+
return `CallbackReceiver[${(0, util_1.locationToStringWithFileAndEnd)(this.fun.loc, true)}]`;
|
|
14673
|
+
}
|
|
14674
|
+
getParent() {
|
|
14675
|
+
return this.fun;
|
|
14676
|
+
}
|
|
14677
|
+
};
|
|
14678
|
+
exports.CallbackReceiverVar = CallbackReceiverVar;
|
|
14649
14679
|
}
|
|
14650
14680
|
});
|
|
14651
14681
|
|
|
@@ -19910,4 +19940,4 @@ fill-range/index.js:
|
|
|
19910
19940
|
* Licensed under the MIT License.
|
|
19911
19941
|
*)
|
|
19912
19942
|
*/
|
|
19913
|
-
//# sourceMappingURL=chunk-
|
|
19943
|
+
//# sourceMappingURL=chunk-NHEUSYVH.js.map
|
|
@@ -9,7 +9,7 @@ import {
|
|
|
9
9
|
__name,
|
|
10
10
|
__require,
|
|
11
11
|
require_transform
|
|
12
|
-
} from "./chunk-
|
|
12
|
+
} from "./chunk-NHEUSYVH.js";
|
|
13
13
|
|
|
14
14
|
// lib/approx/proxy.js
|
|
15
15
|
var require_proxy = __commonJS({
|
|
@@ -268,4 +268,4 @@ export {
|
|
|
268
268
|
require_proxy,
|
|
269
269
|
require_sandbox
|
|
270
270
|
};
|
|
271
|
-
//# sourceMappingURL=chunk-
|
|
271
|
+
//# sourceMappingURL=chunk-USUJB4DB.js.map
|
|
@@ -8,7 +8,7 @@ import {
|
|
|
8
8
|
__commonJS,
|
|
9
9
|
__name,
|
|
10
10
|
__require
|
|
11
|
-
} from "./chunk-
|
|
11
|
+
} from "./chunk-NHEUSYVH.js";
|
|
12
12
|
|
|
13
13
|
// node_modules/source-map/lib/base64.js
|
|
14
14
|
var require_base64 = __commonJS({
|
|
@@ -224380,4 +224380,4 @@ typescript/lib/typescript.js:
|
|
|
224380
224380
|
and limitations under the License.
|
|
224381
224381
|
***************************************************************************** *)
|
|
224382
224382
|
*/
|
|
224383
|
-
//# sourceMappingURL=chunk-
|
|
224383
|
+
//# sourceMappingURL=chunk-ZYU33ERK.js.map
|
|
@@ -6,10 +6,10 @@ import "./iterator-helpers-polyfill.js";
|
|
|
6
6
|
|
|
7
7
|
import {
|
|
8
8
|
require_moduleresolver
|
|
9
|
-
} from "./chunk-
|
|
9
|
+
} from "./chunk-ZYU33ERK.js";
|
|
10
10
|
import {
|
|
11
11
|
require_sandbox
|
|
12
|
-
} from "./chunk-
|
|
12
|
+
} from "./chunk-USUJB4DB.js";
|
|
13
13
|
import {
|
|
14
14
|
__commonJS,
|
|
15
15
|
__name,
|
|
@@ -17,7 +17,7 @@ import {
|
|
|
17
17
|
require_files,
|
|
18
18
|
require_options,
|
|
19
19
|
require_transform
|
|
20
|
-
} from "./chunk-
|
|
20
|
+
} from "./chunk-NHEUSYVH.js";
|
|
21
21
|
|
|
22
22
|
// lib/approx/hooks.js
|
|
23
23
|
var require_hooks = __commonJS({
|
|
@@ -9,11 +9,11 @@ import {
|
|
|
9
9
|
require_hints,
|
|
10
10
|
require_parser,
|
|
11
11
|
require_patching
|
|
12
|
-
} from "./chunk-
|
|
12
|
+
} from "./chunk-2EM22I7M.js";
|
|
13
13
|
import {
|
|
14
14
|
require_moduleresolver,
|
|
15
15
|
require_typescript
|
|
16
|
-
} from "./chunk-
|
|
16
|
+
} from "./chunk-ZYU33ERK.js";
|
|
17
17
|
import {
|
|
18
18
|
__commonJS,
|
|
19
19
|
__name,
|
|
@@ -37,7 +37,7 @@ import {
|
|
|
37
37
|
require_tokens,
|
|
38
38
|
require_transform,
|
|
39
39
|
require_util
|
|
40
|
-
} from "./chunk-
|
|
40
|
+
} from "./chunk-NHEUSYVH.js";
|
|
41
41
|
|
|
42
42
|
// lib/misc/timer.js
|
|
43
43
|
var require_timer = __commonJS({
|
|
@@ -147,7 +147,7 @@ var require_patterns = __commonJS({
|
|
|
147
147
|
return mod && mod.__esModule ? mod : { "default": mod };
|
|
148
148
|
};
|
|
149
149
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
150
|
-
exports.Type = exports.FilterSelector = exports.TypeFilter = exports.NumArgsCallFilter = exports.Filter = exports.PotentiallyUnknownAccessPathPattern = exports.WildcardAccessPathPattern = exports.ExclusionAccessPathPattern = exports.DisjunctionAccessPathPattern = exports.AbbreviatedPathPattern = exports.ComponentAccessPathPattern = exports.CallResultAccessPathPattern = exports.PropertyAccessPathPattern = exports.ImportAccessPathPattern = exports.ComponentDetectionPattern = exports.CallDetectionPattern = exports.WriteDetectionPattern = exports.ReadDetectionPattern = exports.ImportDetectionPattern = exports.DetectionPattern = void 0;
|
|
150
|
+
exports.Type = exports.FilterSelector = exports.TypeFilter = exports.NumArgsCallFilter = exports.Filter = exports.CallbackArgumentAccessPathPattern = exports.PotentiallyUnknownAccessPathPattern = exports.WildcardAccessPathPattern = exports.ExclusionAccessPathPattern = exports.DisjunctionAccessPathPattern = exports.AbbreviatedPathPattern = exports.ComponentAccessPathPattern = exports.CallResultAccessPathPattern = exports.PropertyAccessPathPattern = exports.ImportAccessPathPattern = exports.ComponentDetectionPattern = exports.CallDetectionPattern = exports.WriteDetectionPattern = exports.ReadDetectionPattern = exports.ImportDetectionPattern = exports.DetectionPattern = void 0;
|
|
151
151
|
var assert_1 = __importDefault(__require("assert"));
|
|
152
152
|
var DetectionPattern = class {
|
|
153
153
|
static {
|
|
@@ -402,6 +402,23 @@ var require_patterns = __commonJS({
|
|
|
402
402
|
}
|
|
403
403
|
};
|
|
404
404
|
exports.PotentiallyUnknownAccessPathPattern = PotentiallyUnknownAccessPathPattern;
|
|
405
|
+
var CallbackArgumentAccessPathPattern = class {
|
|
406
|
+
static {
|
|
407
|
+
__name(this, "CallbackArgumentAccessPathPattern");
|
|
408
|
+
}
|
|
409
|
+
base;
|
|
410
|
+
constructor(base) {
|
|
411
|
+
this.base = base;
|
|
412
|
+
}
|
|
413
|
+
toString() {
|
|
414
|
+
return `${this.base}(cbarg)`;
|
|
415
|
+
}
|
|
416
|
+
visitAccessPathPatterns(visitor) {
|
|
417
|
+
visitor(this);
|
|
418
|
+
this.base.visitAccessPathPatterns(visitor);
|
|
419
|
+
}
|
|
420
|
+
};
|
|
421
|
+
exports.CallbackArgumentAccessPathPattern = CallbackArgumentAccessPathPattern;
|
|
405
422
|
var Filter = class {
|
|
406
423
|
static {
|
|
407
424
|
__name(this, "Filter");
|
|
@@ -617,6 +634,10 @@ var require_patternparser = __commonJS({
|
|
|
617
634
|
pos2 += 2;
|
|
618
635
|
pos2 = parseSpace(pos2);
|
|
619
636
|
p2 = c.canonicalize(new patterns_1.CallResultAccessPathPattern(p2));
|
|
637
|
+
} else if (pattern[pos2] === "(" && pattern.substring(pos2 + 1, pos2 + 7) === "cbarg)") {
|
|
638
|
+
pos2 += 7;
|
|
639
|
+
pos2 = parseSpace(pos2);
|
|
640
|
+
p2 = c.canonicalize(new patterns_1.CallbackArgumentAccessPathPattern(p2));
|
|
620
641
|
} else if (pattern[pos2] === "?") {
|
|
621
642
|
pos2++;
|
|
622
643
|
pos2 = parseSpace(pos2);
|
|
@@ -1064,7 +1085,7 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
|
|
|
1064
1085
|
return s;
|
|
1065
1086
|
}
|
|
1066
1087
|
__name(getProperties, "getProperties");
|
|
1067
|
-
var [callIdx, componentIdx, moduleIdx] = Array.from({ length:
|
|
1088
|
+
var [callIdx, componentIdx, moduleIdx, cbargIdx] = Array.from({ length: 4 }, (_, i) => {
|
|
1068
1089
|
const bs = new bitset_1.SmallBitSet();
|
|
1069
1090
|
bs.set(i);
|
|
1070
1091
|
return bs;
|
|
@@ -1073,7 +1094,7 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
|
|
|
1073
1094
|
const unknowns = /* @__PURE__ */ new Map();
|
|
1074
1095
|
return {
|
|
1075
1096
|
graph: new Map(ds.map((p) => {
|
|
1076
|
-
const edges = Array.from({ length:
|
|
1097
|
+
const edges = Array.from({ length: 4 }, () => new bitset_1.SmallBitSet());
|
|
1077
1098
|
const properties = /* @__PURE__ */ new Map();
|
|
1078
1099
|
let wildcardIdx = -1;
|
|
1079
1100
|
const classify = /* @__PURE__ */ __name((p2) => {
|
|
@@ -1083,6 +1104,8 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
|
|
|
1083
1104
|
return componentIdx;
|
|
1084
1105
|
if (p2 instanceof accesspaths_1.ModuleAccessPath)
|
|
1085
1106
|
return moduleIdx;
|
|
1107
|
+
if (p2 instanceof accesspaths_1.CallbackArgumentAccessPath)
|
|
1108
|
+
return cbargIdx;
|
|
1086
1109
|
(0, assert_1.default)(p2 instanceof accesspaths_1.PropertyAccessPath);
|
|
1087
1110
|
return properties.get(p2.prop);
|
|
1088
1111
|
}, "classify");
|
|
@@ -1099,6 +1122,9 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
|
|
|
1099
1122
|
} else if (app instanceof patterns_1.ComponentAccessPathPattern) {
|
|
1100
1123
|
[pre, unknown] = aux(app.component);
|
|
1101
1124
|
post = componentIdx;
|
|
1125
|
+
} else if (app instanceof patterns_1.CallbackArgumentAccessPathPattern) {
|
|
1126
|
+
[pre, unknown] = aux(app.base);
|
|
1127
|
+
post = cbargIdx;
|
|
1102
1128
|
} else if (app instanceof patterns_1.PropertyAccessPathPattern) {
|
|
1103
1129
|
[pre, unknown] = aux(app.base);
|
|
1104
1130
|
post = new bitset_1.SmallBitSet();
|
|
@@ -1218,7 +1244,6 @@ var require_globalstate = __commonJS({
|
|
|
1218
1244
|
dummyModuleInfos = /* @__PURE__ */ new Map();
|
|
1219
1245
|
functionInfos = /* @__PURE__ */ new Map();
|
|
1220
1246
|
entryFiles = /* @__PURE__ */ new Set();
|
|
1221
|
-
reachedFiles = /* @__PURE__ */ new Set();
|
|
1222
1247
|
pendingFiles = new worklist_1.Worklist();
|
|
1223
1248
|
reachedModulesFull = /* @__PURE__ */ new Set();
|
|
1224
1249
|
pendingModulesFull = new worklist_1.Worklist();
|
|
@@ -1328,10 +1353,8 @@ var require_globalstate = __commonJS({
|
|
|
1328
1353
|
}
|
|
1329
1354
|
}
|
|
1330
1355
|
reachedFile(tofile, entry, from, local) {
|
|
1331
|
-
let moduleInfo;
|
|
1332
|
-
if (
|
|
1333
|
-
moduleInfo = this.moduleInfosByPath.get(tofile);
|
|
1334
|
-
else {
|
|
1356
|
+
let moduleInfo = this.moduleInfosByPath.get(tofile);
|
|
1357
|
+
if (!moduleInfo) {
|
|
1335
1358
|
let packageInfo;
|
|
1336
1359
|
let rel = "";
|
|
1337
1360
|
let otherfile;
|
|
@@ -1341,7 +1364,8 @@ var require_globalstate = __commonJS({
|
|
|
1341
1364
|
if (rel.startsWith("../")) {
|
|
1342
1365
|
logger_1.default.warn(`Relative module reference from ${from.getPath()} to ${rel} outside current package ${packageInfo}`);
|
|
1343
1366
|
packageInfo = void 0;
|
|
1344
|
-
}
|
|
1367
|
+
} else
|
|
1368
|
+
moduleInfo = packageInfo.modules.get(rel);
|
|
1345
1369
|
}
|
|
1346
1370
|
if (!packageInfo) {
|
|
1347
1371
|
const p = (0, util_1.getOrSet)(this.packageJsonInfos, (0, path_1.dirname)(tofile), () => (0, packagejson_1.getPackageJsonInfo)(tofile));
|
|
@@ -1365,7 +1389,7 @@ var require_globalstate = __commonJS({
|
|
|
1365
1389
|
const ignoreModule = from && (options_1.options.ignoreDependencies || !packageInfo.isEntry && (options_1.options.includePackages && !options_1.options.includePackages.includes(packageInfo.name))) || options_1.options.excludePackages?.includes(packageInfo.name);
|
|
1366
1390
|
moduleInfo = new infos_1.ModuleInfo(rel, packageInfo, from === void 0, !ignoreModule);
|
|
1367
1391
|
packageInfo.modules.set(rel, moduleInfo);
|
|
1368
|
-
this.
|
|
1392
|
+
this.moduleInfos.set(moduleInfo.toString(), moduleInfo);
|
|
1369
1393
|
if (ignoreModule)
|
|
1370
1394
|
logger_1.default.info(`Ignoring module ${moduleInfo}`);
|
|
1371
1395
|
else
|
|
@@ -1375,7 +1399,6 @@ var require_globalstate = __commonJS({
|
|
|
1375
1399
|
this.moduleInfosByPath.set(otherfile, moduleInfo);
|
|
1376
1400
|
}
|
|
1377
1401
|
this.moduleInfosByPath.set(tofile, moduleInfo);
|
|
1378
|
-
this.moduleInfos.set(moduleInfo.toString(), moduleInfo);
|
|
1379
1402
|
}
|
|
1380
1403
|
if (from) {
|
|
1381
1404
|
const pf = from.packageInfo;
|
|
@@ -1492,6 +1515,9 @@ var require_constraintvarproducer = __commonJS({
|
|
|
1492
1515
|
readResultVar(t, prop) {
|
|
1493
1516
|
return this.a.canonicalizeVar(new constraintvars_1.ReadResultVar(t, prop));
|
|
1494
1517
|
}
|
|
1518
|
+
callbackReceiverVar(fun) {
|
|
1519
|
+
return this.a.vulnerabilities?.hasCallbackArgumentPattern ? this.a.canonicalizeVar(new constraintvars_1.CallbackReceiverVar(fun)) : void 0;
|
|
1520
|
+
}
|
|
1495
1521
|
};
|
|
1496
1522
|
exports.ConstraintVarProducer = ConstraintVarProducer;
|
|
1497
1523
|
}
|
|
@@ -1703,6 +1729,7 @@ var require_fragmentstate = __commonJS({
|
|
|
1703
1729
|
propertyWriteAccessPaths = /* @__PURE__ */ new Map();
|
|
1704
1730
|
callResultAccessPaths = /* @__PURE__ */ new Map();
|
|
1705
1731
|
componentAccessPaths = /* @__PURE__ */ new Map();
|
|
1732
|
+
callbackArgumentAccessPaths = /* @__PURE__ */ new Map();
|
|
1706
1733
|
importDeclRefs = /* @__PURE__ */ new Map();
|
|
1707
1734
|
propertyReads = [];
|
|
1708
1735
|
maybeEmptyPropertyReads = [];
|
|
@@ -2734,20 +2761,22 @@ var require_solver = __commonJS({
|
|
|
2734
2761
|
(0, assert_1.default)(validEdge);
|
|
2735
2762
|
if (validEdge(subap, ap))
|
|
2736
2763
|
ap2s = [a.canonicalizeAccessPath(ap)];
|
|
2737
|
-
|
|
2738
|
-
|
|
2739
|
-
|
|
2740
|
-
|
|
2741
|
-
|
|
2742
|
-
|
|
2743
|
-
|
|
2744
|
-
|
|
2745
|
-
|
|
2746
|
-
|
|
2764
|
+
if (!(ap instanceof accesspaths_1.CallbackArgumentAccessPath)) {
|
|
2765
|
+
let base;
|
|
2766
|
+
if (ap instanceof accesspaths_1.CallResultAccessPath)
|
|
2767
|
+
base = ap.caller;
|
|
2768
|
+
else if (ap instanceof accesspaths_1.ComponentAccessPath)
|
|
2769
|
+
base = ap.component;
|
|
2770
|
+
else
|
|
2771
|
+
(0, assert_1.default)(ap instanceof accesspaths_1.PropertyAccessPath), base = ap.base;
|
|
2772
|
+
const ap2 = new accesspaths_1.PropertyAccessPath(base, "?", subp);
|
|
2773
|
+
if (validEdge(subap, ap2))
|
|
2774
|
+
(ap2s ??= []).push(a.canonicalizeAccessPath(ap2));
|
|
2775
|
+
}
|
|
2747
2776
|
}
|
|
2748
2777
|
} else {
|
|
2749
2778
|
const abstractProp = ap instanceof accesspaths_1.PropertyAccessPath && !(subap instanceof accesspaths_1.ModuleAccessPath && ap.prop === "default") && options_1.patternProperties && !options_1.patternProperties.has(ap.prop);
|
|
2750
|
-
if (subap instanceof accesspaths_1.UnknownAccessPath && (ap instanceof accesspaths_1.CallResultAccessPath || ap instanceof accesspaths_1.ComponentAccessPath || abstractProp || options_1.options.lazy))
|
|
2779
|
+
if (subap instanceof accesspaths_1.UnknownAccessPath && (ap instanceof accesspaths_1.CallResultAccessPath || ap instanceof accesspaths_1.ComponentAccessPath || ap instanceof accesspaths_1.CallbackArgumentAccessPath || abstractProp || options_1.options.lazy))
|
|
2751
2780
|
ap2s = [subap];
|
|
2752
2781
|
else
|
|
2753
2782
|
ap2s = [a.canonicalizeAccessPath(abstractProp ? new accesspaths_1.PropertyAccessPath(ap.base, "?") : ap)];
|
|
@@ -2768,6 +2797,8 @@ var require_solver = __commonJS({
|
|
|
2768
2797
|
(0, util_2.mapGetMap)(f.callResultAccessPaths, subap).set(node, { bp: ap2, sub: ap2.caller, encl });
|
|
2769
2798
|
else if (ap2 instanceof accesspaths_1.ComponentAccessPath)
|
|
2770
2799
|
(0, util_2.mapGetMap)(f.componentAccessPaths, subap).set(node, { bp: ap2, sub: ap2.component, encl });
|
|
2800
|
+
else if (ap2 instanceof accesspaths_1.CallbackArgumentAccessPath)
|
|
2801
|
+
(0, util_2.mapGetMap)(f.callbackArgumentAccessPaths, subap).set(node, { bp: ap2, sub: to, encl });
|
|
2771
2802
|
else
|
|
2772
2803
|
assert_1.default.fail("Unexpected AccessPath");
|
|
2773
2804
|
}
|
|
@@ -4410,7 +4441,7 @@ var require_operations = __commonJS({
|
|
|
4410
4441
|
for (let i = 0; i < argVars.length; i++) {
|
|
4411
4442
|
const argVar = argVars[i];
|
|
4412
4443
|
if (argVar) {
|
|
4413
|
-
this.solver.addForAllTokensConstraint(argVar, listeners_1.TokenListener.CALL_EXTERNAL, pars.node, (at) => this.invokeExternalCallback(at, pars.node, caller));
|
|
4444
|
+
this.solver.addForAllTokensConstraint(argVar, listeners_1.TokenListener.CALL_EXTERNAL, pars.node, (at) => this.invokeExternalCallback(at, pars.node, caller, calleeVar));
|
|
4414
4445
|
f.registerEscapingToExternal(argVar, args[i], caller);
|
|
4415
4446
|
} else if ((0, types_1.isSpreadElement)(args[i]))
|
|
4416
4447
|
f.warnUnsupported(args[i], "SpreadElement in arguments to external function");
|
|
@@ -4477,18 +4508,29 @@ var require_operations = __commonJS({
|
|
|
4477
4508
|
if (!(0, asthelpers_1.isParentExpressionStatement)(pars))
|
|
4478
4509
|
this.solver.addSubsetConstraint(vp.returnVar(t.fun), resultVar);
|
|
4479
4510
|
}
|
|
4480
|
-
invokeExternalCallback(at, node, caller) {
|
|
4511
|
+
invokeExternalCallback(at, node, caller, calleeVar) {
|
|
4481
4512
|
if (at instanceof tokens_1.FunctionToken) {
|
|
4482
4513
|
const f = this.solver.fragmentState;
|
|
4483
4514
|
f.registerCall(node, caller, void 0, { external: true });
|
|
4484
4515
|
f.registerCallEdge(node, caller, this.a.functionInfos.get(at.fun), { external: true });
|
|
4485
4516
|
if (!f.externalCallbacksProcessed.has(at)) {
|
|
4486
4517
|
f.externalCallbacksProcessed.add(at);
|
|
4487
|
-
for (
|
|
4488
|
-
if ((0, types_1.isIdentifier)(
|
|
4489
|
-
this.solver.addAccessPath(accesspaths_1.UnknownAccessPath.instance, f.varProducer.nodeVar(
|
|
4518
|
+
for (const param of at.fun.params)
|
|
4519
|
+
if ((0, types_1.isIdentifier)(param))
|
|
4520
|
+
this.solver.addAccessPath(accesspaths_1.UnknownAccessPath.instance, f.varProducer.nodeVar(param));
|
|
4490
4521
|
this.solver.addAccessPath(accesspaths_1.UnknownAccessPath.instance, f.varProducer.thisVar(at.fun));
|
|
4522
|
+
const cbargVar = f.varProducer.callbackReceiverVar(at.fun);
|
|
4523
|
+
this.solver.addForAllTokensConstraint(cbargVar, listeners_1.TokenListener.CALLBACK_ARGUMENT, at.fun, (apt) => {
|
|
4524
|
+
if (apt instanceof tokens_1.AccessPathToken) {
|
|
4525
|
+
for (const param of at.fun.params)
|
|
4526
|
+
if ((0, types_1.isIdentifier)(param)) {
|
|
4527
|
+
const paramVar = f.varProducer.nodeVar(param);
|
|
4528
|
+
this.solver.addAccessPath(new accesspaths_1.CallbackArgumentAccessPath(at.fun), paramVar, node, caller, apt.ap);
|
|
4529
|
+
}
|
|
4530
|
+
}
|
|
4531
|
+
});
|
|
4491
4532
|
}
|
|
4533
|
+
this.solver.addSubsetConstraint(calleeVar, f.varProducer.callbackReceiverVar(at.fun));
|
|
4492
4534
|
}
|
|
4493
4535
|
}
|
|
4494
4536
|
readProperty(base, prop, dst, node, enclosing, extrakey = "") {
|
|
@@ -8960,6 +9002,18 @@ var require_patternmatcher = __commonJS({
|
|
|
8960
9002
|
}
|
|
8961
9003
|
transfer(level, sub, tmp, subvs);
|
|
8962
9004
|
}
|
|
9005
|
+
} else if (p instanceof patterns_1.CallbackArgumentAccessPathPattern) {
|
|
9006
|
+
const sub = this.findAccessPathPatternMatches(p.base, moduleFilter);
|
|
9007
|
+
for (const level of exports.confidenceLevels) {
|
|
9008
|
+
const tmp = /* @__PURE__ */ new Map();
|
|
9009
|
+
const subvs = /* @__PURE__ */ new Map();
|
|
9010
|
+
for (const [aps] of sub[level].values())
|
|
9011
|
+
for (const ap of aps) {
|
|
9012
|
+
addMatches(level, ap, f.callbackArgumentAccessPaths.get(ap), tmp, subvs);
|
|
9013
|
+
addEscapingToExternal(ap);
|
|
9014
|
+
}
|
|
9015
|
+
transfer(level, sub, tmp, subvs);
|
|
9016
|
+
}
|
|
8963
9017
|
} else if (p instanceof patterns_1.DisjunctionAccessPathPattern) {
|
|
8964
9018
|
const subs = [];
|
|
8965
9019
|
for (const ap of p.aps)
|
|
@@ -13100,6 +13154,7 @@ var require_vulnerabilitydetector = __commonJS({
|
|
|
13100
13154
|
var vulnerabilities_1 = require_vulnerabilities();
|
|
13101
13155
|
var util_1 = require_util();
|
|
13102
13156
|
var logger_1 = __importStar(require_logger());
|
|
13157
|
+
var patterns_1 = require_patterns();
|
|
13103
13158
|
var patternparser_1 = require_patternparser();
|
|
13104
13159
|
var patternmatcher_1 = require_patternmatcher();
|
|
13105
13160
|
var timer_1 = __importStar(require_timer());
|
|
@@ -13119,6 +13174,7 @@ var require_vulnerabilitydetector = __commonJS({
|
|
|
13119
13174
|
vulnerabilities = /* @__PURE__ */ new Map();
|
|
13120
13175
|
patterns = /* @__PURE__ */ new Map();
|
|
13121
13176
|
importGlobsToPatterns = new Array();
|
|
13177
|
+
hasCallbackArgumentPattern;
|
|
13122
13178
|
vulnerabilityPackageMatches = /* @__PURE__ */ new Map();
|
|
13123
13179
|
vulnerabilityModuleMatches = /* @__PURE__ */ new Map();
|
|
13124
13180
|
vulnerabilityFunctionMatches = /* @__PURE__ */ new Map();
|
|
@@ -13146,11 +13202,17 @@ ${p} (${(0, vulnerabilities_1.getVulnerabilityId)(v)})`);
|
|
|
13146
13202
|
}
|
|
13147
13203
|
}
|
|
13148
13204
|
const globToPatterns = /* @__PURE__ */ new Map();
|
|
13149
|
-
|
|
13205
|
+
const patterns = this.getPatterns();
|
|
13206
|
+
for (const p of patterns)
|
|
13150
13207
|
for (const glob of (0, patternloader_1.getGlobs)([p]))
|
|
13151
13208
|
(0, util_1.mapArrayAdd)(glob, p, globToPatterns);
|
|
13152
13209
|
for (const [g, ps] of globToPatterns)
|
|
13153
13210
|
this.importGlobsToPatterns.push([micromatch_1.default.matcher(g), ps]);
|
|
13211
|
+
this.hasCallbackArgumentPattern = patterns.some((p) => {
|
|
13212
|
+
let found = false;
|
|
13213
|
+
p.ap.visitAccessPathPatterns((app) => found ||= app instanceof patterns_1.CallbackArgumentAccessPathPattern);
|
|
13214
|
+
return found;
|
|
13215
|
+
});
|
|
13154
13216
|
}
|
|
13155
13217
|
getPatterns() {
|
|
13156
13218
|
return this.patterns.values().flatMap((ps) => ps).toArray();
|