JS: Implement import resolution

asgerf · asgerf · commit 201f39e08f45 · 2025-04-24T11:44:33.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/Modules.qll b/javascript/ql/lib/semmle/javascript/Modules.qll
@@ -6,6 +6,7 @@
 
 import javascript
 private import semmle.javascript.internal.CachedStages
+private import semmle.javascript.internal.paths.PathExprResolver as PathExprResolver
 
 /**
  * A module, which may either be an ECMAScript 2015-style module,
@@ -139,7 +140,7 @@ abstract class Import extends AstNode {
    * Gets the module the path of this import resolves to.
    */
   Module resolveImportedPath() {
-    result.getFile() = this.getEnclosingModule().resolve(this.getImportedPath())
+    result.getFile() = PathExprResolver::resolvePathExpr(this.getImportedPath())
   }
 
   /**
@@ -168,9 +169,9 @@ abstract class Import extends AstNode {
   }
 
   /**
-   * Gets the imported module, as determined by the TypeScript compiler, if any.
+   * DEPRECATED. Use `getImportedModule()` instead.
    */
-  private Module resolveFromTypeScriptSymbol() {
+  deprecated Module resolveFromTypeScriptSymbol() {
     exists(CanonicalName symbol |
       ast_node_symbol(this, symbol) and
       ast_node_symbol(result, symbol)
@@ -193,9 +194,7 @@ abstract class Import extends AstNode {
     else (
       result = this.resolveAsProvidedModule() or
       result = this.resolveImportedPath() or
-      result = this.resolveFromTypeRoot() or
-      result = this.resolveFromTypeScriptSymbol() or
-      result = resolveNeighbourPackage(this.getImportedPath().getValue())
+      result = this.resolveFromTypeRoot()
     )
   }
 
@@ -204,28 +203,3 @@ abstract class Import extends AstNode {
    */
   abstract DataFlow::Node getImportedModuleNode();
 }
-
-/**
- * Gets a module imported from another package in the same repository.
- *
- * No support for importing from folders inside the other package.
- */
-private Module resolveNeighbourPackage(PathString importPath) {
-  exists(PackageJson json | importPath = json.getPackageName() and result = json.getMainModule())
-  or
-  exists(string package |
-    result.getFile().getParentContainer() = getPackageFolder(package) and
-    importPath = package + "/" + [result.getFile().getBaseName(), result.getFile().getStem()]
-  )
-}
-
-/**
- * Gets the folder for a package that has name `package` according to a package.json file in the resulting folder.
- */
-pragma[noinline]
-private Folder getPackageFolder(string package) {
-  exists(PackageJson json |
-    json.getPackageName() = package and
-    result = json.getFile().getParentContainer()
-  )
-}
diff --git a/javascript/ql/lib/semmle/javascript/internal/paths/PathExprResolver.qll b/javascript/ql/lib/semmle/javascript/internal/paths/PathExprResolver.qll
@@ -0,0 +1,254 @@
+private import javascript
+private import semmle.javascript.TSConfig
+private import semmle.javascript.internal.paths.PackageJsonEx
+private import semmle.javascript.internal.paths.JSPaths
+
+final private class FinalPathExpr = PathExpr;
+
+private class RelevantPathExpr extends FinalPathExpr {
+  pragma[nomagic]
+  RelevantPathExpr() { this = any(Import imprt).getImportedPath() }
+}
+
+/**
+ * Gets a tsconfig file to use as fallback for handling paths in `c`.
+ *
+ * This holds for files and folders where no tsconfig seems to include it,
+ * but it has one or more tsconfig files in parent directories.
+ */
+private TSConfig getFallbackTSConfig(Container c) {
+  not c = any(TSConfig t).getAnIncludedContainer() and
+  (
+    c = result.getFolder()
+    or
+    result = getFallbackTSConfig(c.getParentContainer())
+  )
+}
+
+/**
+ * Gets the TSConfig file relevant for resolving `expr`.
+ */
+pragma[nomagic]
+private TSConfig getTSConfigFromPathExpr(RelevantPathExpr expr) {
+  result.getAnIncludedContainer() = expr.getFile()
+  or
+  result = getFallbackTSConfig(expr.getFile())
+}
+
+/**
+ * Holds if `path` is relative, in the sense that it should be resolved relative to its enclosing folder.
+ */
+bindingset[path]
+pragma[inline_late]
+predicate isRelativePath(string path) { path.regexpMatch("\\.\\.?(?:[/\\\\].*)?") }
+
+/**
+ * Gets the NPM package name from the beginning of the given import path, e.g.
+ * gets `foo` from `foo/bar`, and `@example/foo` from `@example/foo/bar`.
+ */
+pragma[nomagic]
+private string getPackagePrefixFromPathExpr(RelevantPathExpr expr) {
+  result = expr.getValue().regexpFind("^(@[^/\\\\]+[/\\\\])?[^@./\\\\][^/\\\\]*", _, _)
+}
+
+private Variable dirname() { result.getName() = "__dirname" }
+
+/** Holds if `add` is a relevant path expression of form `__dirname + expr`. */
+private predicate prefixedByDirname(PathExpr expr) {
+  expr = dirname().getAnAccess()
+  or
+  prefixedByDirname(expr.(AddExpr).getLeftOperand())
+  or
+  prefixedByDirname(expr.(CallExpr).getArgument(0))
+}
+
+/**
+ * Holds if `expr` matches a path mapping, and should thus be resolved as `newPath` relative to `base`.
+ */
+pragma[nomagic]
+private predicate resolveViaPathMapping(RelevantPathExpr expr, Container base, string newPath) {
+  // Handle tsconfig mappings such as `{ "paths": { "@/*": "./src/*" }}`
+  exists(TSConfig config, string value |
+    config = getTSConfigFromPathExpr(expr).getExtendedTSConfig*() and
+    value = expr.getValue() and
+    base = config.getBaseUrlFolderOrOwnFolder()
+  |
+    config.hasExactPathMapping(value, newPath)
+    or
+    exists(string pattern, string suffix, string mappedPath |
+      config.hasPrefixPathMapping(pattern, mappedPath) and
+      value = pattern + suffix and
+      newPath = mappedPath + suffix
+    )
+  )
+  or
+  // Handle imports referring to a package by name, where we have a package.json
+  // file for that package in the codebase.
+  //
+  // This part only handles the "exports" property of package.json. "main" and "modules" are
+  // handled further down because their semantics are easier to handle there.
+  exists(PackageJsonEx pkg, string packageName, string remainder |
+    packageName = getPackagePrefixFromPathExpr(expr) and
+    pkg.getDeclaredPackageName() = packageName and
+    remainder = expr.getValue().suffix(packageName.length()).regexpReplaceAll("^[/\\\\]", "")
+  |
+    // "exports": { ".": "./foo.js" }
+    // "exports": { "./foo.js": "./foo/impl.js" }
+    pkg.hasExactPathMappingTo(remainder, base) and
+    newPath = ""
+    or
+    // "exports": { "./*": "./foo/*" }
+    exists(string prefix |
+      pkg.hasPrefixPathMappingTo(prefix, base) and
+      remainder = prefix + newPath
+    )
+  )
+}
+
+pragma[noopt]
+private predicate relativePathExpr(RelevantPathExpr expr, Container base, string path) {
+  expr instanceof RelevantPathExpr and
+  path = expr.getValue() and
+  isRelativePath(path) and
+  exists(File file |
+    file = expr.getFile() and
+    base = file.getParentContainer()
+  )
+}
+
+/**
+ * Holds if `expr` should be resolved as `path` relative to `base`.
+ */
+pragma[nomagic]
+private predicate shouldResolve(RelevantPathExpr expr, Container base, string path) {
+  // Relative paths are resolved from their enclosing folder
+  relativePathExpr(expr, base, path)
+  or
+  // Paths prefixed by __dirname should be resolved from the root dir, because __dirname
+  // currently has a getValue() that returns its absolute path.
+  prefixedByDirname(expr) and
+  not exists(base.getParentContainer()) and // get root dir
+  path = expr.getValue()
+  or
+  resolveViaPathMapping(expr, base, path)
+  or
+  // Resolve from baseUrl of relevant tsconfig.json file
+  path = expr.getValue() and
+  not isRelativePath(path) and
+  base = getTSConfigFromPathExpr(expr).getBaseUrlFolder()
+  or
+  // If the path starts with the name of a package, but did not match any path mapping,
+  // resolve relative to the enclosing directory of that package.
+  // Note that `getFileFromFolderImport` may subsequently redirect this to the package's "main",
+  // so we don't have to deal with that here.
+  exists(PackageJson pkg, string packageName |
+    packageName = getPackagePrefixFromPathExpr(expr) and
+    pkg.getDeclaredPackageName() = packageName and
+    path = expr.getValue().suffix(packageName.length()).regexpReplaceAll("^[/\\\\]", "") and
+    base = pkg.getFolder()
+  )
+}
+
+private module ResolverConfig implements Folder::ResolveSig {
+  predicate shouldResolve(Container base, string path) { shouldResolve(_, base, path) }
+
+  predicate getAnAdditionalChild = JSPaths::getAnAdditionalChild/2;
+}
+
+private module Resolver = Folder::Resolve<ResolverConfig>;
+
+private Container resolvePathExpr1(RelevantPathExpr expr) {
+  exists(Container base, string path |
+    shouldResolve(expr, base, path) and
+    result = Resolver::resolve(base, path)
+  )
+}
+
+/**
+ * Removes the scope from a package name, e.g. `@foo/bar` -> `bar`.
+ */
+bindingset[name]
+private string stripPackageScope(string name) { result = name.regexpReplaceAll("^@[^/]+/", "") }
+
+private File guessPackageJsonMain1(PackageJsonEx pkg) {
+  not exists(pkg.getMainFile()) and
+  exists(Folder folder, Folder subfolder |
+    folder = pkg.getFolder() and
+    (
+      subfolder = folder or
+      subfolder = folder.getChildContainer(getASrcFolderName()) or
+      subfolder =
+        folder
+            .getChildContainer(getASrcFolderName())
+            .(Folder)
+            .getChildContainer(getASrcFolderName())
+    )
+  |
+    result = subfolder.getJavaScriptFileOrTypings("index")
+    or
+    result = subfolder.getJavaScriptFileOrTypings(stripPackageScope(pkg.getDeclaredPackageName()))
+  )
+}
+
+private File guessPackageJsonMain2(PackageJsonEx pkg) {
+  not exists(pkg.getMainFile()) and
+  not exists(guessPackageJsonMain1(pkg)) and
+  result = pkg.getAFileInFilesArray()
+}
+
+private File getFileFromFolderImport(Folder folder) {
+  result = folder.getJavaScriptFileOrTypings("index")
+  or
+  // Note that unlike "exports" paths, "main" and "module" also take effect when the package
+  // is imported via a relative path, e.g. `require("..")` targeting a folder with a package.json file.
+  exists(PackageJsonEx pkg | pkg.getFolder() = folder |
+    result = pkg.getMainFile()
+    or
+    result = guessPackageJsonMain1(pkg)
+    or
+    result = guessPackageJsonMain2(pkg)
+  )
+}
+
+File resolvePathExpr(PathExpr expr) {
+  result = resolvePathExpr1(expr)
+  or
+  result = getFileFromFolderImport(resolvePathExpr1(expr))
+}
+
+module Debug {
+  class PathExprToDebug extends RelevantPathExpr {
+    PathExprToDebug() { this.getValue() = "vs/nls" }
+  }
+
+  query PathExprToDebug pathExprs() { any() }
+
+  query TSConfig getTSConfigFromPathExpr_(PathExprToDebug expr) {
+    result = getTSConfigFromPathExpr(expr)
+  }
+
+  query string getPackagePrefixFromPathExpr_(PathExprToDebug expr) {
+    result = getPackagePrefixFromPathExpr(expr)
+  }
+
+  query predicate resolveViaPathMapping_(PathExprToDebug expr, Container base, string newPath) {
+    resolveViaPathMapping(expr, base, newPath)
+  }
+
+  query predicate shouldResolve_(PathExprToDebug expr, Container base, string newPath) {
+    shouldResolve(expr, base, newPath)
+  }
+
+  query Container resolvePathExpr1_(PathExprToDebug expr) { result = resolvePathExpr1(expr) }
+
+  query File resolvePathExpr_(PathExprToDebug expr) { result = resolvePathExpr(expr) }
+
+  // Some predicates that are usually small enough that they don't need restriction
+  query File getPackageMainFile(PackageJsonEx pkg) { result = pkg.getMainFile() }
+
+  query predicate guessPackageJsonMain1_ = guessPackageJsonMain1/1;
+
+  query predicate guessPackageJsonMain2_ = guessPackageJsonMain2/1;
+
+  query predicate getFileFromFolderImport_ = getFileFromFolderImport/1;
+}
