Merge branch 'change/adjust-extracted-files-diagnostics' of https://github.com/sidshank/codeql into change/adjust-extracted-files-diagnostics

javascript/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.8.6
+
+No user-facing changes.
+
 ## 0.8.5
 
 No user-facing changes.

javascript/ql/lib/change-notes/released/0.8.6.md

@@ -0,0 +1,3 @@
+## 0.8.6
+
+No user-facing changes.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.5
+lastReleaseVersion: 0.8.6

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 0.8.6-dev
+version: 0.8.7-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/lib/semmle/javascript/frameworks/React.qll

@@ -852,13 +852,13 @@ private class StateTaintStep extends TaintTracking::SharedTaintStep {
 }
 
 /**
- * A taint propagating data flow edge for assignments of the form `c1.props.p = v`,
+ * A data propagating data flow edge for assignments of the form `c1.props.p = v`,
  * where `c1` is an instance of React component `C`; in this case, we consider
- * taint to flow from `v` to any read of `c2.props.p`, where `c2`
+ * data to flow from `v` to any read of `c2.props.p`, where `c2`
  * also is an instance of `C`.
  */
-private class PropsTaintStep extends TaintTracking::SharedTaintStep {
-  override predicate viewComponentStep(DataFlow::Node pred, DataFlow::Node succ) {
+private class PropsFlowStep extends PreCallGraphStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
     exists(ReactComponent c, string name, DataFlow::PropRead prn |
       prn = c.getAPropRead(name) or
       prn = c.getAPreviousPropsSource().getAPropertyRead(name)

javascript/ql/lib/semmle/javascript/frameworks/Templating.qll

@@ -580,6 +580,22 @@ module Templating {
     override string getAPackageName() { result = "ejs" }
   }
 
+  /**
+   * doT-style syntax, using `{{! }}` for safe interpolation, and `{{= }}` for
+   * unsafe interpolation.
+   */
+  private class DotStyleSyntax extends TemplateSyntax {
+    DotStyleSyntax() { this = "dot" }
+
+    override string getRawInterpolationRegexp() { result = "(?s)\\{\\{!(.*?)\\}\\}" }
+
+    override string getEscapingInterpolationRegexp() { result = "(?s)\\{\\{=(.*?)\\}\\}" }
+
+    override string getAFileExtension() { result = "dot" }
+
+    override string getAPackageName() { result = "dot" }
+  }
+
   private TemplateSyntax getOwnTemplateSyntaxInFolder(Folder f) {
     exists(PackageDependencies deps |
       deps.getADependency(result.getAPackageName(), _) and

javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll

@@ -48,6 +48,8 @@ predicate parseTypeString(string rawType, string package, string qualifiedName)
 predicate isPackageUsed(string package) {
   exists(DataFlow::moduleImport(package))
   or
+  exists(JS::PackageJson json | json.getPackageName() = package)
+  or
   package = "global"
   or
   any(DataFlow::SourceNode sn).hasUnderlyingType(package, _)
@@ -124,7 +126,7 @@ API::Node getExtraNodeFromType(string type) {
     parseRelevantTypeString(type, package, qualifiedName)
   |
     qualifiedName = "" and
-    result = API::moduleImport(package)
+    result = [API::moduleImport(package), API::moduleExport(package)]
     or
     // Access instance of a type based on type annotations
     result = API::Internal::getANodeOfTypeRaw(package, qualifiedName)