From 0109ab6a70ec285dc5780e34ebf27db3c0e81da6 Mon Sep 17 00:00:00 2001
From: Asger F <asgerf@github.com>
Date: Fri, 11 Apr 2025 13:10:08 +0200
Subject: [PATCH] JS: Use sanitizing primitive type in Nest model

---
 .../lib/semmle/javascript/frameworks/Nest.qll | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll b/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
index 89b7fe04997..ed3829d133f 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
@@ -5,6 +5,8 @@
 import javascript
 private import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
 private import semmle.javascript.dataflow.internal.PreCallGraphStep
+private import semmle.javascript.internal.NameResolution
+private import semmle.javascript.internal.TypeResolution
 
 /**
  * Provides classes and predicates for reasoning about [Nest](https://nestjs.com/).
@@ -133,7 +135,9 @@ module NestJS {
       hasSanitizingPipe(this, false)
       or
       hasSanitizingPipe(this, true) and
-      isSanitizingType(this.getParameter().getType().unfold())
+      // Note: we could consider types with class-validator decorators to be sanitized here, but instead we consider the root
+      // object to be tainted, but omit taint steps for the individual properties names that have sanitizing decorators. See ClassValidator.qll.
+      TypeResolution::isSanitizingPrimitiveType(this.getParameter().getTypeAnnotation())
     }
   }
 
@@ -209,19 +213,6 @@ module NestJS {
     dependsOnType = true
   }
 
-  /**
-   * Holds if a parameter of type `t` is considered sanitized, provided it has been checked by `ValidationPipe`
-   * (which relies on metadata emitted by the TypeScript compiler).
-   */
-  private predicate isSanitizingType(Type t) {
-    t instanceof NumberType
-    or
-    t instanceof BooleanType
-    //
-    // Note: we could consider types with class-validator decorators to be sanitized here, but instead we consider the root
-    // object to be tainted, but omit taint steps for the individual properties names that have sanitizing decorators. See ClassValidator.qll.
-  }
-
   /**
    * A user-defined pipe class, for example:
    * ```js