Merge

2026-05-01 03:35:13 +02:00 · 2025-01-23 17:00:56 +00:00
parent da68a04cd1 4311553fa0
commit 522f3d1337
1407 changed files with 112486 additions and 49200 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll
@@ -589,4 +589,25 @@ module Angular2 {

    override DataFlow::Node getValueNode() { result = valueNode }
  }
+
+  /**
+   * A source of DOM events originating from the `$event` variable in an event handler installed in an Angular template.
+   */
+  private class DomEventSources extends DOM::DomEventSource::Range {
+    DomEventSources() {
+      exists(HTML::Element elm, string attributeName |
+        elm = any(ComponentClass cls).getATemplateElement() and
+        // Ignore instantiations of known element (mainly focus on native DOM elements)
+        not elm = any(ComponentClass cls).getATemplateInstantiation() and
+        not elm.getName().matches("ng-%") and
+        this =
+          elm.getAttributeByName(attributeName)
+              .getCodeInAttribute()
+              .(TemplateTopLevel)
+              .getAVariableUse("$event") and
+        attributeName.matches("(%)") and // event handler attribute
+        not attributeName.matches("(ng%)") // exclude NG events which aren't necessarily DOM events
+      )
+    }
+  }
 }
--- a/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll
@@ -142,7 +142,7 @@ module AsyncPackage {
    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
      exists(DataFlow::FunctionNode iteratee, IterationCall call |
        iteratee = call.getIteratorCallback() and // Require a closure to avoid spurious call/return mismatch.
-        pred = call.getCollection() and
+        pred = call.getCollection() and // TODO: needs a flow summary to ensure ArrayElement content is unfolded
        succ = iteratee.getParameter(0)
      )
    }
--- a/javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll
@@ -52,6 +52,7 @@ module Markdown {
  private class MarkdownTableStep extends MarkdownStep {
    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
      exists(DataFlow::CallNode call | call = DataFlow::moduleImport("markdown-table").getACall() |
+        // TODO: needs a flow summary to ensure ArrayElement content is unfolded
        succ = call and
        pred = call.getArgument(0)
      )
--- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll
@@ -56,13 +56,15 @@ predicate parseTypeString(string rawType, string package, string qualifiedName)
 * Holds if models describing `package` may be relevant for the analysis of this database.
 */
 predicate isPackageUsed(string package) {
-  exists(DataFlow::moduleImport(package))
-  or
-  exists(JS::PackageJson json | json.getPackageName() = package)
-  or
  package = "global"
  or
-  any(DataFlow::SourceNode sn).hasUnderlyingType(package, _)
+  package = any(JS::Import imp).getImportedPath().getValue()
+  or
+  any(JS::TypeName t).hasQualifiedName(package, _)
+  or
+  any(JS::TypeAnnotation t).hasQualifiedName(package, _)
+  or
+  exists(JS::PackageJson json | json.getPackageName() = package)
 }

 bindingset[type]