github/codeqlPublic

NotificationsYou must be signed in to change notification settings
Fork1.7k
Star8.5k

[JavaScript] Find Invocation Nodes without resolved callees that belong to external libraries#18901

Answeredbymbg

jghebre asked this question inQ&A

jghebre

Mar 2, 2025

· 1 comments· 3 replies

AnsweredbymbgReturn to top

Discussion options

jghebre
Mar 2, 2025

Hi 👋,

I'm working on a project and I need a way to determine if Invocations nodes, without any found callees, originate from an external library. I'm not sure if there exists a mechanism to determine this information due to the callee not being found.

To my knowledge, for JavaScript, CodeQL does not analyze the node_modules by default and contains modeling of certain popular external libraries like express.

For example in this code:

varurl=require('fast-url-parser');...varpath=url.parse(request.url).pathname

Running this query:

from DataFlow::InvokeNodenodewherenotexists(node.getACallee(0))selectnode, ...

Correctly finds the callee parse as not being found. However there are many invocation nodes without found callees throughout most packages and I just want to focus on the nodes that relate to external libraries.

I've looked into libraries likeimport semmle.javascript.dependencies.Dependencies to implement this but haven't found anything that worked yet.

Thanks!

You must be logged in to vote

Answered by mbg

Mar 3, 2025

Does this do the job for you:

import javascriptimport semmle.javascript.ApiGraphsselect API::moduleImport(_).getMember(_).getACall()

With your test code, this gets me the three calls to the three external function calls. If you want to additionally check that there's no callee, then you could do something like this:

import javascriptimport semmle.javascript.ApiGraphsfrom DataFlow::CallNodeexternalwhereexternal= API::moduleImport(_).getMember(_).getACall()andnotexists(external.getACallee(0))selectexternal

View full answer

Replies: 1 comment 3 replies

Comment options

mbg
Mar 3, 2025
Maintainer

Hi@jghebre 👋🏻

Would you be able to give an example of the sort of nodes you would want to exclude?

You must be logged in to vote

3 replies

Comment options

jghebre Mar 3, 2025
Author

Hi, thanks for responding!

Here is a quick example I made:

//  Third-Partyimport catMe from 'cat-me';import figlet from 'figlet';import randomstring from 'randomstring';// First Partyconst far = "farwell";const obj = {    [far](name) {        return `Goodbye, ${name}!`;      }}function add(a, b) {  return a + b;}function multiply(a, b) {  return a * b;}(async function main() {  //  Calls to Third-Party Functions  console.log(catMe(), "\n");                   console.log("Third-Party Call #2 (figlet):");  console.log(figlet.textSync("Hello World!"), "\n");   console.log("Third-Party Call #3 (randomstring):");  console.log(randomstring.generate(8), "\n");   // Calls to First-Party Functions  const funcName = "farewell";  console.log(obj.farwell("Bob"), "\n");  const functionArray = [add, multiply];  console.log(functionArray[0](3, 4), "\n");  const { externalFunction } = await import('./extraFirstParty.js');  console.log(externalFunction("Hello!"), "\n");})();

The six calls here are not found by CodeQL:

I'm trying to find a way to filter the Third party calls (catMe, figlet, randomstring) from the first party calls (obj.farwell("Bob"), functionArray[0](3, 4), externalFunction("Hello!"))

For my use case I only care about calls without resolved callees from third party libraries. I'm not sure the limit to which this is possible due to the fact that these calls are not resolved.

Comment options

mbg Mar 3, 2025
Maintainer

Does this do the job for you:

import javascriptimport semmle.javascript.ApiGraphsselect API::moduleImport(_).getMember(_).getACall()

With your test code, this gets me the three calls to the three external function calls. If you want to additionally check that there's no callee, then you could do something like this:

import javascriptimport semmle.javascript.ApiGraphsfrom DataFlow::CallNodeexternalwhereexternal= API::moduleImport(_).getMember(_).getACall()andnotexists(external.getACallee(0))selectexternal

Answer selected byjghebre

Comment options

jghebre Mar 4, 2025
Author

Yep works on all my cases so far. I think this is it, thank you!

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[JavaScript] Find Invocation Nodes without resolved callees that belong to external libraries#18901

Uh oh!

{{title}}

Uh oh!

jghebre
Mar 2, 2025

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

mbg
Mar 3, 2025
Maintainer

Uh oh!

{{title}}

Uh oh!

jghebre Mar 3, 2025
Author

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

mbg Mar 3, 2025
Maintainer

Uh oh!

{{title}}

Uh oh!

jghebre Mar 4, 2025
Author

Select a reply

Uh oh!

Movatterモバイル変換

[JavaScript] Find Invocation Nodes without resolved callees that belong to external libraries#18901

Uh oh!

jghebreMar 2, 2025

Replies: 1 comment· 3 replies

Uh oh!

mbgMar 3, 2025 Maintainer

Uh oh!

jghebreMar 3, 2025 Author

Uh oh!

Uh oh!

mbgMar 3, 2025 Maintainer

Uh oh!

jghebreMar 4, 2025 Author

Uh oh!

jghebre
Mar 2, 2025

Replies: 1 comment 3 replies

mbg
Mar 3, 2025
Maintainer

jghebre Mar 3, 2025
Author

mbg Mar 3, 2025
Maintainer

jghebre Mar 4, 2025
Author