Merge pull request #4566 from asgerf/js/classnames

Approved by erik-krogh

javascript/ql/src/javascript.qll

@@ -73,6 +73,7 @@ import semmle.javascript.frameworks.Azure
 import semmle.javascript.frameworks.Babel
 import semmle.javascript.frameworks.Cheerio
 import semmle.javascript.frameworks.ComposedFunctions
+import semmle.javascript.frameworks.Classnames
 import semmle.javascript.frameworks.ClientRequests
 import semmle.javascript.frameworks.ClosureLibrary
 import semmle.javascript.frameworks.CookieLibraries

javascript/ql/src/semmle/javascript/frameworks/Classnames.qll

@@ -0,0 +1,39 @@
+/**
+ * Provides taint steps modeling flow through the `classnames` and `clsx` libraries.
+ */
+
+import javascript
+
+private DataFlow::SourceNode classnames() {
+  result = DataFlow::moduleImport(["classnames", "classnames/dedupe", "classnames/bind"])
+}
+
+private class PlainStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+  PlainStep() {
+    this = classnames().getACall()
+    or
+    this = DataFlow::moduleImport("clsx").getACall()
+  }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    pred = getAnArgument() and
+    succ = this
+  }
+}
+
+/**
+ * Step from `x` or `y` to the result of `classnames.bind(x)(y)`.
+ */
+private class BindStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+  DataFlow::CallNode bind;
+
+  BindStep() {
+    bind = classnames().getAMemberCall("bind") and
+    this = bind.getACall()
+  }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    pred = [getAnArgument(), bind.getAnArgument(), bind.getOptionArgument(_, _)] and
+    succ = this
+  }
+}