Replaced fuzzy NonNodeStream MaD to a ql predicate to deal easier with submodules

2026-04-23 07:45:17 +02:00 · 2025-05-23 13:55:40 +02:00
parent 248f83c4db
commit 000e69fd48
8 changed files with 21 additions and 35 deletions
--- a/javascript/ql/lib/ext/arktype.model.yml
+++ b/javascript/ql/lib/ext/arktype.model.yml
@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/javascript-all
-      extensible: typeModel
-    data:
-      - ["NonNodeStream", "arktype", "Fuzzy"]
--- a/javascript/ql/lib/ext/execa.model.yml
+++ b/javascript/ql/lib/ext/execa.model.yml
@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/javascript-all
-      extensible: typeModel
-    data:
-      - ["NonNodeStream", "execa", "Fuzzy"]
--- a/javascript/ql/lib/ext/highland.model.yml
+++ b/javascript/ql/lib/ext/highland.model.yml
@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/javascript-all
-      extensible: typeModel
-    data:
-      - ["NonNodeStream", "highland", "Fuzzy"]
--- a/javascript/ql/lib/ext/rxjs.model.yml
+++ b/javascript/ql/lib/ext/rxjs.model.yml
@@ -1,8 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/javascript-all
-      extensible: typeModel
-    data:
-      - ["NonNodeStream", "rxjs", "Fuzzy"]
-      - ["NonNodeStream", "rxjs/operators", "Fuzzy"]
-      - ["NonNodeStream", "rxjs/testing", "Fuzzy"]
--- a/javascript/ql/lib/ext/strapi.model.yml
+++ b/javascript/ql/lib/ext/strapi.model.yml
@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/javascript-all
-      extensible: typeModel
-    data:
-      - ["NonNodeStream", "@strapi/utils", "Fuzzy"]
--- a/javascript/ql/src/Quality/UnhandledStreamPipe.ql
+++ b/javascript/ql/src/Quality/UnhandledStreamPipe.ql
@@ -35,7 +35,26 @@ class PipeCall extends DataFlow::MethodCallNode {
 * This is used to exclude pipe calls on non-stream objects from analysis.
 */
 DataFlow::Node getNonNodeJsStreamType() {
-  result = ModelOutput::getATypeNode("NonNodeStream").asSource()
+  result = getNonStreamApi().getAValueReachableFromSource()
+}
+
+//highland, arktype execa
+API::Node getNonStreamApi() {
+  exists(string moduleName |
+    moduleName
+        .regexpMatch([
+            "rxjs(|/.*)", "@strapi(|/.*)", "highland(|/.*)", "execa(|/.*)", "arktype(|/.*)"
+          ]) and
+    result = API::moduleImport(moduleName)
+  )
+  or
+  result = getNonStreamApi().getAMember()
+  or
+  result = getNonStreamApi().getAParameter().getAParameter()
+  or
+  result = getNonStreamApi().getReturn()
+  or
+  result = getNonStreamApi().getPromised()
 }

 /**
--- a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/rxjsStreams.js
+++ b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/rxjsStreams.js
@@ -16,5 +16,5 @@ function f(){
    z(source.pipe(null)).toBe(expected,y,);
  });

-  z.option$.pipe(pluck("x")) // $SPURIOUS:Alert
+  z.option$.pipe(pluck("x"))
 }
--- a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.expected
+++ b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.expected
@@ -1,4 +1,3 @@
-| rxjsStreams.js:19:3:19:28 | z.optio ... k("x")) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
 | test.js:4:5:4:28 | stream. ... nation) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
 | test.js:19:5:19:17 | s2.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
 | test.js:45:5:45:30 | stream2 ... ation2) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |