refactor(probe/isSerializeEnv): simplify tracing & add new UT with a spread (#392)

fraxken · web-flow · commit 02a2d05b22be · 2025-07-11T21:57:22.000+02:00
diff --git a/.changeset/eager-coats-float.md b/.changeset/eager-coats-float.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/js-x-ray": minor
+---
+
+Simplify tracing validation & add new spread test for the probe
diff --git a/workspaces/js-x-ray/src/probes/isSerializeEnv.ts b/workspaces/js-x-ray/src/probes/isSerializeEnv.ts
@@ -47,8 +47,8 @@ function validateNode(
   }
 
   if (firstArg.type === "Identifier") {
-    const data = tracer.getDataFromIdentifier("process.env");
-    if (data !== null && data.assignmentMemory.some(({ name }) => name === firstArg.name)) {
+    const data = tracer.getDataFromIdentifier(firstArg.name);
+    if (data !== null) {
       return [true];
     }
   }
@@ -71,12 +71,16 @@ function main(
   return ProbeSignals.Skip;
 }
 
-function initialize(sourceFile: SourceFile) {
-  sourceFile.tracer.trace("process.env", {
-    followConsecutiveAssignment: true
-  }).trace("JSON.stringify", {
-    followConsecutiveAssignment: true
-  });
+function initialize(
+  { tracer }: SourceFile
+) {
+  tracer
+    .trace("process.env", {
+      followConsecutiveAssignment: true
+    })
+    .trace("JSON.stringify", {
+      followConsecutiveAssignment: true
+    });
 }
 
 export default {
diff --git a/workspaces/js-x-ray/test/probes/isSerializeEnv.spec.ts b/workspaces/js-x-ray/test/probes/isSerializeEnv.spec.ts
@@ -80,6 +80,20 @@ test("should be able to detect reassigned JSON.stringify", () => {
   assert.strictEqual(warning.value, "JSON.stringify(process.env)");
 });
 
+test("should be able to detect serialization of process.env using a SpreadElement", () => {
+  const str = `
+  const env = {...process.env};
+  JSON.stringify(env);
+`;
+  const ast = parseScript(str);
+  const sastAnalysis = getSastAnalysis(isSerializeEnv).execute(ast.body);
+
+  assert.strictEqual(sastAnalysis.warnings().length, 1);
+  const warning = sastAnalysis.getWarning("serialize-environment");
+  assert.strictEqual(warning.kind, "serialize-environment");
+  assert.strictEqual(warning.value, "JSON.stringify(process.env)");
+});
+
 test("should not detect other JSON.stringify calls", () => {
   const str = "JSON.stringify({ foo: 'bar' })";
   const ast = parseScript(str);

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@nodesecure/js-x-ray": minor
 +---
++
 +Simplify tracing validation & add new spread test for the probe