Javascript - Figure out whether CallExpr refers to function defined in external file

[DSimsek000]

I'm trying to find calls to built-in APIs.

For the following query, I am looking for a query that returns 0, 1, 2:

0. decodeURIComponent("test");
1. Array.isArray(1);
2. "".trim();
3. "".def(); // not in String.prototype

I implemented the following query which gets all function names of the declarations in the external files and compares them with the name of the callee:

from CallExpr ca
where
  exists(ExternalFunction fn | fn.getName() = ca.getCalleeName())
select ca

This however does not check the type and wrongly outputs 5 here:

4. const ext = require("external")
5. ext.isArray()

Instead, I tried to retrieve references to the global builtin functions using the following query:

from ExternalGlobalFunctionDecl fn
where fn.getName() = "isArray"
select fn, fn.getVariable().getAnAccess()

but that only shows the references in the file where it is declared.

How to resolve the calls to the actual declarations?

[jketema]

Hi @DSimsek000 ,

Thanks for your question. I've asked the CodeQL JavaScript team to take a look.

[asgerf]

This is a difficult problem and not one that we provide a simple solution for.

You can look at ExternalAPIUsedWithUntrustedDataCustomizations for an example of one way to deal with it.

[DSimsek000]

I see, thanks for the reference!