Initial merge from main

2026-04-27 01:35:13 +02:00 · 2024-09-15 08:55:31 -04:00
parent ae3f3d0c25 5108799224
commit 485fc04029
2602 changed files with 114048 additions and 76664 deletions
--- a/javascript/ql/lib/change-notes/2024-09-03-outdated-deprecations.md
+++ b/javascript/ql/lib/change-notes/2024-09-03-outdated-deprecations.md
@@ -0,0 +1,10 @@
+---
+category: breaking
+---
+* Deleted the deprecated `isHTMLElement` and `getDOMName` predicates from the JSX library, use `isHtmlElement` and `getDomName` respectively instead.
+* Deleted the deprecated `getPackageJSON` predicate from the `SourceMappingComment` class, use `SourceMappingComment` instead.
+* Deleted many deprecated directives from the `Stmt.qll` file, use the `Directive::` module instead.
+* Deleted the deprecated `YAMLNode`, `YAMLValue`, and `YAMLScalar` classes from the YAML libraries, use `YamlNode`, `YamlValue`, and `YamlScalar` respectively instead.
+* Deleted the deprecated `getARouteHandlerExpr` predicate from `Connect.qll`, use `getARouteHandlerNode` instead.
+* Deleted the deprecated `getGWTVersion` predicate from `GWT.qll`, use `getGwtVersion` instead.
+* Deleted the deprecated `getOwnOptionsObject` predicate from  `Vue.qll`, use `getOwnOptions().getASink()` instead.
--- a/javascript/ql/lib/change-notes/2024-09-10-support-typescript-5.6.md
+++ b/javascript/ql/lib/change-notes/2024-09-10-support-typescript-5.6.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added support for TypeScript 5.6.
--- a/javascript/ql/lib/semmle/javascript/JSX.qll
+++ b/javascript/ql/lib/semmle/javascript/JSX.qll
@@ -73,9 +73,6 @@ class JsxElement extends JsxNode {
   * That is, the name starts with a lowercase letter.
   */
  predicate isHtmlElement() { this.getName().regexpMatch("[a-z].*") }
-
-  /** DEPRECATED: Alias for isHtmlElement */
-  deprecated predicate isHTMLElement() { this.isHtmlElement() }
 }

 /**
@@ -256,7 +253,4 @@ class JsxPragma extends JSDocTag {
   * the result is `React.DOM`.
   */
  string getDomName() { result = this.getDescription().trim() }
-
-  /** DEPRECATED: Alias for getDomName */
-  deprecated string getDOMName() { result = this.getDomName() }
 }
--- a/javascript/ql/lib/semmle/javascript/NodeJS.qll
+++ b/javascript/ql/lib/semmle/javascript/NodeJS.qll
@@ -295,6 +295,15 @@ private predicate isRequire(DataFlow::Node nd) {
    isCreateRequire(call.getCallee().flow()) and
    nd = call.flow()
  )
+  or
+  // `$.require('underscore');`.
+  // NPM as supported in [XSJS files](https://www.npmjs.com/package/@sap/async-xsjs#npm-packages-support).
+  exists(MethodCallExpr require |
+    nd.getFile().getExtension() = ["xsjs", "xsjslib"] and
+    require.getCalleeName() = "require" and
+    require.getReceiver().(GlobalVarAccess).getName() = "$" and
+    nd = require.getCallee().flow()
+  )
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll
+++ b/javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll
@@ -197,9 +197,6 @@ class MainModulePath extends PathExpr, @json_string {
    not exists(getExportRelativePath(this)) and result = "."
  }

-  /** DEPRECATED: Alias for getPackageJson */
-  deprecated PackageJson getPackageJSON() { result = this.getPackageJson() }
-
  override string getValue() { result = this.(JsonString).getValue() }

  override Folder getAdditionalSearchRoot(int priority) {
@@ -258,9 +255,6 @@ private class FilesPath extends PathExpr, @json_string {
  /** Gets the `package.json` file in which this path occurs. */
  PackageJson getPackageJson() { result = pkg }

-  /** DEPRECATED: Alias for getPackageJson */
-  deprecated PackageJson getPackageJSON() { result = this.getPackageJson() }
-
  override string getValue() { result = this.(JsonString).getValue() }

  override Folder getAdditionalSearchRoot(int priority) {
--- a/javascript/ql/lib/semmle/javascript/SourceMaps.qll
+++ b/javascript/ql/lib/semmle/javascript/SourceMaps.qll
@@ -23,7 +23,4 @@ class SourceMappingComment extends Comment {

  /** Gets the URL of the source map referenced by this comment. */
  string getSourceMappingUrl() { result = url }
-
-  /** DEPRECATED: Alias for getSourceMappingUrl */
-  deprecated string getSourceMappingURL() { result = this.getSourceMappingUrl() }
 }
--- a/javascript/ql/lib/semmle/javascript/Stmt.qll
+++ b/javascript/ql/lib/semmle/javascript/Stmt.qll
@@ -434,36 +434,6 @@ module Directive {
  }
 }

-/** DEPRECATED. Use `Directive::KnownDirective` instead. */
-deprecated class KnownDirective = Directive::KnownDirective;
-
-/** DEPRECATED. Use `Directive::StrictModeDecl` instead. */
-deprecated class StrictModeDecl = Directive::StrictModeDecl;
-
-/** DEPRECATED. Use `Directive::AsmJSDirective` instead. */
-deprecated class AsmJSDirective = Directive::AsmJSDirective;
-
-/** DEPRECATED. Use `Directive::BabelDirective` instead. */
-deprecated class BabelDirective = Directive::BabelDirective;
-
-/** DEPRECATED. Use `Directive::SixToFiveDirective` instead. */
-deprecated class SixToFiveDirective = Directive::SixToFiveDirective;
-
-/** DEPRECATED. Use `Directive::SystemJSFormatDirective` instead. */
-deprecated class SystemJSFormatDirective = Directive::SystemJSFormatDirective;
-
-/** DEPRECATED. Use `Directive::NgInjectDirective` instead. */
-deprecated class NgInjectDirective = Directive::NgInjectDirective;
-
-/** DEPRECATED. Use `Directive::YuiDirective` instead. */
-deprecated class YuiDirective = Directive::YuiDirective;
-
-/** DEPRECATED. Use `Directive::SystemJSDepsDirective` instead. */
-deprecated class SystemJSDepsDirective = Directive::SystemJSDepsDirective;
-
-/** DEPRECATED. Use `Directive::BundleDirective` instead. */
-deprecated class BundleDirective = Directive::BundleDirective;
-
 /**
 * An `if` statement.
 *
--- a/javascript/ql/lib/semmle/javascript/YAML.qll
+++ b/javascript/ql/lib/semmle/javascript/YAML.qll
@@ -54,12 +54,3 @@ private class MyYmlNode extends Locatable instanceof YamlNode {

  override string toString() { result = YamlNode.super.toString() }
 }
-
-/** DEPRECATED: Alias for YamlNode */
-deprecated class YAMLNode = YamlNode;
-
-/** DEPRECATED: Alias for YamlValue */
-deprecated class YAMLValue = YamlValue;
-
-/** DEPRECATED: Alias for YamlScalar */
-deprecated class YAMLScalar = YamlScalar;
--- a/javascript/ql/lib/semmle/javascript/frameworks/Connect.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Connect.qll
@@ -88,12 +88,6 @@ module Connect {

    override DataFlow::Node getServer() { result = server }

-    /**
-     * DEPRECATED: Use `getARouteHandlerNode` instead.
-     * Gets an argument that represents a route handler being registered.
-     */
-    deprecated Expr getARouteHandlerExpr() { result = this.getARouteHandlerNode().asExpr() }
-
    /**
     * Gets an argument that represents a route handler being registered.
     */
--- a/javascript/ql/lib/semmle/javascript/frameworks/GWT.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/GWT.qll
@@ -28,9 +28,6 @@ class GwtHeader extends InlineScript {
      result = e.getStringValue()
    )
  }
-
-  /** DEPRECATED: Alias for getGwtVersion */
-  deprecated string getGWTVersion() { result = this.getGwtVersion() }
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/frameworks/Vue.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Vue.qll
@@ -183,14 +183,6 @@ module Vue {
      result = this.getAsClassComponent().getDecoratorOptions()
    }

-    /**
-     * DEPRECATED. Use `getOwnOptions().getASink()`.
-     *
-     * Gets the options passed to the Vue object, such as the object literal `{...}` in `new Vue{{...})`
-     * or the default export of a single-file component.
-     */
-    deprecated DataFlow::Node getOwnOptionsObject() { result = this.getOwnOptions().asSink() }
-
    /**
     * Gets the class implementing this Vue component, if any.
     *
--- a/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml
+++ b/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml
@@ -1,6 +1,6 @@
 extensions:
  - addsTo:
-      pack: codeql/javascript-queries
+      pack: codeql/javascript-all
      extensible: requiredHelmetSecuritySetting
    data:
      - ["frameguard"]
--- a/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.qll
@@ -0,0 +1,41 @@
+/**
+ * Provides classes for working with Helmet
+ */
+
+private import javascript
+
+/**
+ * A write to a property of a route handler from the "helmet" module.
+ */
+class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
+  ExpressLibraries::HelmetRouteHandler helmet;
+
+  HelmetProperty() {
+    this = helmet.(DataFlow::CallNode).getAnArgument().getALocalSource().getAPropertyWrite()
+  }
+
+  /**
+   * Gets the route handler associated to this property.
+   */
+  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }
+
+  /**
+   * Gets the boolean value of this property, if it may evaluate to a `Boolean`.
+   */
+  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }
+
+  /**
+   * Gets the name of the `HelmetProperty`.
+   */
+  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }
+
+  /**
+   * read from data extensions to allow enforcing custom settings
+   */
+  predicate isImportantSecuritySetting() { requiredHelmetSecuritySetting(this.getName()) }
+}
+
+/**
+ * defaults are located in `javascript/ql/lib/semmle/frameworks/helmet/Helmet.Required.Setting.model.yml`
+ */
+extensible predicate requiredHelmetSecuritySetting(string name);