fix(isRequire): do not resolve CallExpr (#200)

fraxken · web-flow · commit 8d8abe00b10d · 2024-01-14T14:37:03.000+01:00
diff --git a/src/probes/isRequire.js b/src/probes/isRequire.js
@@ -13,7 +13,9 @@ import {
 import { ProbeSignals } from "../ProbeRunner.js";
 
 function validateNodeRequire(node, { tracer }) {
-  const id = getCallExpressionIdentifier(node);
+  const id = getCallExpressionIdentifier(node, {
+    resolveCallExpression: false
+  });
   if (id === null) {
     return [false];
   }
diff --git a/test/issues/177-wrongUnsafeRequire.spec.js b/test/issues/177-wrongUnsafeRequire.spec.js
@@ -0,0 +1,38 @@
+// Import Node.js Dependencies
+import { test } from "node:test";
+import assert from "node:assert";
+
+// Import Internal Dependencies
+import { runASTAnalysis } from "../../index.js";
+
+/**
+ * @see https://github.com/NodeSecure/js-x-ray/issues/177
+ */
+test("should detect unsafe-import and unsafe-statement", () => {
+  const { warnings, dependencies } = runASTAnalysis(`const help = require('help-me')({
+    dir: path.join(__dirname, 'help'),
+    ext: '.txt'
+  })`);
+
+  assert.strictEqual(warnings.length, 0);
+  assert.ok(dependencies.has("help-me"));
+  const dependency = dependencies.get("help-me");
+
+  assert.deepEqual(
+    dependency,
+    {
+      unsafe: false,
+      inTry: false,
+      location: {
+        end: {
+          column: 31,
+          line: 1
+        },
+        start: {
+          column: 13,
+          line: 1
+        }
+      }
+    }
+  );
+});
diff --git a/test/issues/179-UnsafeEvalRequire.spec.js b/test/issues/179-UnsafeEvalRequire.spec.js
@@ -9,7 +9,7 @@ import { runASTAnalysis } from "../../index.js";
  * @see https://github.com/NodeSecure/js-x-ray/issues/179
  */
 // CONSTANTS
-const kIncriminedCodeSample = `const stream = eval('require')('stream');`;
+const kIncriminedCodeSample = "const stream = eval('require')('stream');";
 const kWarningUnsafeImport = "unsafe-import";
 const kWarningUnsafeStatement = "unsafe-stmt";
 
