NestJS dependency injection support useValue provider

2026-04-25 08:45:14 +02:00 · 2025-06-15 00:21:38 +02:00
parent 2b143c86ac
commit 477f32c7ff
6 changed files with 25 additions and 5 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
@@ -526,6 +526,9 @@ module NestJS {
      f = tuple.getAPropertyWrite("useFactory").getRhs().getALocalSource() and
      result.getAstNode() = f.getFunction().getAReturnedExpr().getType().(ClassType).getClass()
    )
+    or 
+    result.getAstNode() =
+      tuple.getAPropertyWrite("useValue").getRhs().asExpr().getType().(ClassType).getClass()
  }

  private predicate providerPair(DataFlow::Node interface, DataFlow::Node concreteClass) {
--- a/javascript/ql/test/library-tests/frameworks/Nest/global/app.module.ts
+++ b/javascript/ql/test/library-tests/frameworks/Nest/global/app.module.ts
@@ -1,7 +1,9 @@
 import { Module } from '@nestjs/common';
 import { Controller } from './validation';
-import { Foo, Foo2 } from './foo.interface';
-import { FooImpl, Foo2Impl } from './foo.impl';
+import { Foo, Foo2, Foo3 } from './foo.interface';
+import { FooImpl, Foo2Impl, Foo3Impl } from './foo.impl';
+
+const foo3 = new Foo3Impl()

@Module({
  controllers: [Controller],
@@ -13,6 +15,10 @@ import { FooImpl, Foo2Impl } from './foo.impl';
    {
      provide: Foo2,
      useFactory: () => new Foo2Impl()
+    },
+    {
+      provide: Foo3,
+      useValue: foo3
    }
  ],
 })
--- a/javascript/ql/test/library-tests/frameworks/Nest/global/foo.impl.ts
+++ b/javascript/ql/test/library-tests/frameworks/Nest/global/foo.impl.ts
@@ -10,4 +10,10 @@ export class Foo2Impl extends Foo2 {
    fooMethod(x: string) {
        sink(x); // $ hasValueFlow=x
    }
+}
+
+export class Foo3Impl extends Foo2 {
+    fooMethod(x: string) {
+        sink(x); // $ hasValueFlow=x
+    }
 }
--- a/javascript/ql/test/library-tests/frameworks/Nest/global/foo.interface.ts
+++ b/javascript/ql/test/library-tests/frameworks/Nest/global/foo.interface.ts
@@ -5,3 +5,7 @@ export abstract class Foo {
 export abstract class Foo2 {
    abstract fooMethod(x: string): void;
 }
+
+export abstract class Foo3 {
+    abstract fooMethod(x: string): void;
+}
--- a/javascript/ql/test/library-tests/frameworks/Nest/global/validation.ts
+++ b/javascript/ql/test/library-tests/frameworks/Nest/global/validation.ts
@@ -1,10 +1,10 @@
 import { Get, Query } from '@nestjs/common';
 import { IsIn } from 'class-validator';
-import { Foo, Foo2 } from './foo.interface';
+import { Foo, Foo2, Foo3 } from './foo.interface';

 export class Controller {
  constructor(
-    private readonly foo: Foo, private readonly foo2: Foo2
+    private readonly foo: Foo, private readonly foo2: Foo2, private readonly foo3: Foo3
  ) { }

  @Get()
@@ -17,6 +17,7 @@ export class Controller {
  route2(@Query('x') x: string) {
    this.foo.fooMethod(x);
    this.foo2.fooMethod(x);
+    this.foo3.fooMethod(x);
  }
 }

--- a/javascript/ql/test/library-tests/frameworks/Nest/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/Nest/test.expected
@@ -1,7 +1,7 @@
 testFailures
 routeHandler
 | global/validation.ts:11:3:14:3 | route1( ...  OK\\n  } |
-| global/validation.ts:17:3:20:3 | route2( ... x);\\n  } |
+| global/validation.ts:17:3:21:3 | route2( ... x);\\n  } |
 | local/customDecorator.ts:18:3:20:3 | sneaky( ...  OK\\n  } |
 | local/customDecorator.ts:23:3:25:3 | safe(@S ...  OK\\n  } |
 | local/customPipe.ts:20:5:22:5 | sanitiz ... K\\n    } |