JS: whitelist _.bindAll-methods in js/unbound-event-handler-receiver

javascript/ql/src/Expressions/UnboundEventHandlerReceiver.ql

@@ -13,16 +13,30 @@ import javascript
  * Holds if the receiver of `method` is bound in a method of its class.
  */
 private predicate isBoundInMethod(MethodDeclaration method) {
-  exists (DataFlow::ThisNode thiz, MethodDeclaration bindingMethod |
+  exists (DataFlow::ThisNode thiz, MethodDeclaration bindingMethod, string name |
+    name = method.getName() and
     bindingMethod.getDeclaringClass() = method.getDeclaringClass() and
     not bindingMethod.isStatic() and
-    thiz.getBinder().getAstNode() = bindingMethod.getBody() and
+    thiz.getBinder().getAstNode() = bindingMethod.getBody() |
     exists (DataFlow::Node rhs, DataFlow::MethodCallNode bind |
       // this.<methodName> = <expr>.bind(...)
-      thiz.hasPropertyWrite(method.getName(), rhs) and
+      thiz.hasPropertyWrite(name, rhs) and
       bind.flowsTo(rhs) and
       bind.getMethodName() = "bind"
     )
+    or
+    exists (DataFlow::MethodCallNode bindAll |
+      bindAll.getMethodName() = "bindAll" and
+      thiz.flowsTo(bindAll.getArgument(0)) |
+      // _.bindAll(this, <name1>)
+      bindAll.getArgument(1).mayHaveStringValue(name)
+      or
+      // _.bindAll(this, [<name1>, <name2>])
+      exists (DataFlow::ArrayLiteralNode names |
+        names.flowsTo(bindAll.getArgument(1)) and
+        names.getAnElement().mayHaveStringValue(name)
+      )
+    )
   )
 }