JS: Use hasUnderlyingStringOrAnyType in Nest model

2026-04-25 16:55:19 +02:00 · 2025-04-11 13:10:32 +02:00
parent 6fdd7feed4
commit 4e44fdaa7b
2 changed files with 7 additions and 12 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
@@ -318,14 +318,6 @@ module NestJS {
    }
  }

-  private predicate isStringType(Type type) {
-    type instanceof StringType
-    or
-    type instanceof AnyType
-    or
-    isStringType(type.(PromiseType).getElementType().unfold())
-  }
-
  /**
   * A return value from a route handler, seen as an argument to `res.send()`.
   *
@@ -344,10 +336,10 @@ module NestJS {
    ReturnValueAsResponseSend() {
      handler.isReturnValueReflected() and
      this = handler.getAReturn() and
-      // Only returned strings are sinks
-      not exists(Type type |
-        type = this.asExpr().getType() and
-        not isStringType(type.unfold())
+      // Only returned strings are sinks. If we can find a type for the return value, it must be string-like.
+      not exists(NameResolution::Node type |
+        TypeResolution::valueHasType(this.asExpr(), type) and
+        not TypeResolution::hasUnderlyingStringOrAnyType(type)
      )
    }

--- a/javascript/ql/test/library-tests/frameworks/Nest/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/Nest/test.expected
@@ -71,6 +71,9 @@ responseSendArgument
 | local/customPipe.ts:37:16:37:31 | '' + unsanitized |
 | local/customPipe.ts:42:16:42:31 | '' + unsanitized |
 | local/customPipe.ts:48:16:48:31 | '' + unsanitized |
+| local/routes.ts:7:12:7:16 | 'foo' |
+| local/routes.ts:12:12:12:16 | 'foo' |
+| local/routes.ts:17:12:17:16 | 'foo' |
 | local/routes.ts:32:31:32:31 | x |
 | local/routes.ts:33:31:33:38 | queryObj |
 | local/routes.ts:34:31:34:34 | name |