From 4282005e3289bac344f2cc0f3dd431e63351c403 Mon Sep 17 00:00:00 2001
From: Napalys Klicius <napalys@github.com>
Date: Wed, 17 Sep 2025 11:25:31 +0200
Subject: [PATCH] JS: Add summary model for `graphql`'s `rootValue`

---
 javascript/ql/lib/ext/graph-ql.model.yml           |  6 ++++++
 .../CWE-094/CodeInjection/CodeInjection.expected   | 14 ++++++++++++++
 .../HeuristicSourceCodeInjection.expected          | 13 +++++++++++++
 .../Security/CWE-094/CodeInjection/graph-ql.js     |  4 ++--
 4 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 javascript/ql/lib/ext/graph-ql.model.yml

diff --git a/javascript/ql/lib/ext/graph-ql.model.yml b/javascript/ql/lib/ext/graph-ql.model.yml
new file mode 100644
index 00000000000..4b441579e56
--- /dev/null
+++ b/javascript/ql/lib/ext/graph-ql.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: summaryModel
+    data:
+      - ["graphql", "Member[graphql]", "Argument[0].Member[source]", "Argument[0].Member[rootValue].AnyMember.Parameter[0].AnyMember", "taint"]
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
index 8ddaba30fc8..140e0295d43 100644
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
@@ -61,6 +61,7 @@
 | fastify.js:107:23:107:31 | userInput | fastify.js:106:21:106:38 | request.query.code | fastify.js:107:23:107:31 | userInput | This code execution depends on a $@. | fastify.js:106:21:106:38 | request.query.code | user-provided value |
 | fastify.js:108:28:108:50 | reply.l ... tedCode | fastify.js:94:29:94:41 | request.query | fastify.js:108:28:108:50 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:41 | request.query | user-provided value |
 | fastify.js:108:28:108:50 | reply.l ... tedCode | fastify.js:94:29:94:51 | request ... plyCode | fastify.js:108:28:108:50 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:51 | request ... plyCode | user-provided value |
+| graph-ql.js:20:19:20:22 | expr | graph-ql.js:28:32:28:39 | req.body | graph-ql.js:20:19:20:22 | expr | This code execution depends on a $@. | graph-ql.js:28:32:28:39 | req.body | user-provided value |
 | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
 | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
 | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
@@ -154,6 +155,12 @@ edges
 | fastify.js:106:9:106:17 | userInput | fastify.js:107:23:107:31 | userInput | provenance |  |
 | fastify.js:106:21:106:33 | request.query | fastify.js:106:9:106:17 | userInput | provenance |  |
 | fastify.js:106:21:106:38 | request.query.code | fastify.js:106:9:106:17 | userInput | provenance |  |
+| graph-ql.js:18:12:18:15 | expr | graph-ql.js:18:12:18:15 | expr | provenance |  |
+| graph-ql.js:18:12:18:15 | expr | graph-ql.js:20:19:20:22 | expr | provenance |  |
+| graph-ql.js:28:9:28:28 | { query, variables } | graph-ql.js:28:11:28:15 | query | provenance |  |
+| graph-ql.js:28:11:28:15 | query | graph-ql.js:31:13:31:17 | query | provenance |  |
+| graph-ql.js:28:32:28:39 | req.body | graph-ql.js:28:9:28:28 | { query, variables } | provenance |  |
+| graph-ql.js:31:13:31:17 | query | graph-ql.js:18:12:18:15 | expr | provenance |  |
 | react-native.js:7:7:7:13 | tainted | react-native.js:8:32:8:38 | tainted | provenance |  |
 | react-native.js:7:7:7:13 | tainted | react-native.js:10:23:10:29 | tainted | provenance |  |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:13 | tainted | provenance |  |
@@ -288,6 +295,13 @@ nodes
 | fastify.js:106:21:106:38 | request.query.code | semmle.label | request.query.code |
 | fastify.js:107:23:107:31 | userInput | semmle.label | userInput |
 | fastify.js:108:28:108:50 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
+| graph-ql.js:18:12:18:15 | expr | semmle.label | expr |
+| graph-ql.js:18:12:18:15 | expr | semmle.label | expr |
+| graph-ql.js:20:19:20:22 | expr | semmle.label | expr |
+| graph-ql.js:28:9:28:28 | { query, variables } | semmle.label | { query, variables } |
+| graph-ql.js:28:11:28:15 | query | semmle.label | query |
+| graph-ql.js:28:32:28:39 | req.body | semmle.label | req.body |
+| graph-ql.js:31:13:31:17 | query | semmle.label | query |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:13 | tainted | semmle.label | tainted |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
index db39855c5e5..5acafe12167 100644
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
@@ -55,6 +55,12 @@ edges
 | fastify.js:106:9:106:17 | userInput | fastify.js:107:23:107:31 | userInput | provenance |  |
 | fastify.js:106:21:106:33 | request.query | fastify.js:106:9:106:17 | userInput | provenance |  |
 | fastify.js:106:21:106:38 | request.query.code | fastify.js:106:9:106:17 | userInput | provenance |  |
+| graph-ql.js:18:12:18:15 | expr | graph-ql.js:18:12:18:15 | expr | provenance |  |
+| graph-ql.js:18:12:18:15 | expr | graph-ql.js:20:19:20:22 | expr | provenance |  |
+| graph-ql.js:28:9:28:28 | { query, variables } | graph-ql.js:28:11:28:15 | query | provenance |  |
+| graph-ql.js:28:11:28:15 | query | graph-ql.js:31:13:31:17 | query | provenance |  |
+| graph-ql.js:28:32:28:39 | req.body | graph-ql.js:28:9:28:28 | { query, variables } | provenance |  |
+| graph-ql.js:31:13:31:17 | query | graph-ql.js:18:12:18:15 | expr | provenance |  |
 | react-native.js:7:7:7:13 | tainted | react-native.js:8:32:8:38 | tainted | provenance |  |
 | react-native.js:7:7:7:13 | tainted | react-native.js:10:23:10:29 | tainted | provenance |  |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:13 | tainted | provenance |  |
@@ -191,6 +197,13 @@ nodes
 | fastify.js:106:21:106:38 | request.query.code | semmle.label | request.query.code |
 | fastify.js:107:23:107:31 | userInput | semmle.label | userInput |
 | fastify.js:108:28:108:50 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
+| graph-ql.js:18:12:18:15 | expr | semmle.label | expr |
+| graph-ql.js:18:12:18:15 | expr | semmle.label | expr |
+| graph-ql.js:20:19:20:22 | expr | semmle.label | expr |
+| graph-ql.js:28:9:28:28 | { query, variables } | semmle.label | { query, variables } |
+| graph-ql.js:28:11:28:15 | query | semmle.label | query |
+| graph-ql.js:28:32:28:39 | req.body | semmle.label | req.body |
+| graph-ql.js:31:13:31:17 | query | semmle.label | query |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:13 | tainted | semmle.label | tainted |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/graph-ql.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/graph-ql.js
index e0cd0dd5609..46e4ea20e95 100644
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/graph-ql.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/graph-ql.js
@@ -17,7 +17,7 @@ const root = {
   },
   calc: ({ expr }) => {
     try {
-      return eval(expr).toString(); // $ MISSING: Alert[js/code-injection]
+      return eval(expr).toString(); // $ Alert[js/code-injection]
     } catch (e) {
       return `Error: ${e.message}`;
     }
@@ -25,7 +25,7 @@ const root = {
 };
 
 app.post('/graphql', async (req, res) => {
-  const { query, variables } = req.body; // $ MISSING: Source[js/code-injection]
+  const { query, variables } = req.body; // $ Source[js/code-injection]
   const result = await graphql({
     schema,
     source: query,