Merge master into next.

As of 2846d80f1c.

javascript/ql/src/Declarations/UnusedVariable.ql

@@ -163,6 +163,12 @@ predicate whitelisted(UnusedLocal v) {
     isEnumMember(vd) or
     // ignore ambient declarations - too noisy
     vd.isAmbient()
+  ) or
+  exists (DirectEval eval |
+    // eval nearby
+    eval.getEnclosingFunction() = v.getADeclaration().getEnclosingFunction() and
+    // ... but not on the RHS
+    not v.getAnAssignedExpr() = eval
   )
 }
 

javascript/ql/src/semmle/javascript/AMD.qll

@@ -105,7 +105,7 @@ class AMDModuleDefinition extends CallExpr {
    * parameters `pdep1` and `pdep2` correspond to dependencies
    * `dep1` and `dep2`.
    */
-  private SimpleParameter getDependencyParameter(string name) {
+  Parameter getDependencyParameter(string name) {
     exists (PathExpr dep |
       dependencyParameter(dep, result) and
       dep.getValue() = name

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -418,11 +418,24 @@ private class BindPartialCall extends AdditionalPartialInvokeNode, DataFlow::Met
 }
 
 /**
- * A partial call through `_.partial` or a function with a similar interface.
+ * A partial call through `_.partial`.
  */
-private class LibraryPartialCall extends AdditionalPartialInvokeNode {
-  LibraryPartialCall() {
-    this = LodashUnderscore::member("partial").getACall() or
+private class LodashPartialCall extends AdditionalPartialInvokeNode {
+  LodashPartialCall() {
+    this = LodashUnderscore::member("partial").getACall()
+  }
+
+  override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) {
+    callback = getArgument(0) and
+    argument = getArgument(index+1)
+  }
+}
+
+/**
+ * A partial call through `ramda.partial`.
+ */
+private class RamdaPartialCall extends AdditionalPartialInvokeNode {
+  RamdaPartialCall() {
     this = DataFlow::moduleMember("ramda", "partial").getACall()
   }
 

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

@@ -399,10 +399,8 @@ class ModuleImportNode extends DataFlow::DefaultSourceNode {
     )
     or
     // declared AMD dependency
-    exists (AMDModuleDefinition amd, PathExpr dep, Parameter p |
-      amd.dependencyParameter(dep, p) and
-      path = dep.getValue() and
-      this = DataFlow::parameterNode(p)
+    exists (AMDModuleDefinition amd |
+      this = DataFlow::parameterNode(amd.getDependencyParameter(path))
     )
     or
     // AMD require

javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll

@@ -6,6 +6,7 @@
 
 import javascript
 import SyntacticHeuristics
+private import semmle.javascript.security.dataflow.CommandInjection
 
 /**
  * A heuristic source of data flow in a security query.
@@ -26,3 +27,13 @@ private class RemoteFlowPassword extends HeuristicSource, RemoteFlowSource {
   }
 
 }
+
+/**
+ * A use of `JSON.stringify`, viewed as a source for command line injections
+ * since it does not properly escape single quotes and dollar symbols.
+ */
+private class JSONStringifyAsCommandInjectionSource extends HeuristicSource, CommandInjection::Source {
+  JSONStringifyAsCommandInjectionSource() {
+    this = DataFlow::globalVarRef("JSON").getAMemberCall("stringify")
+  }
+}