From 7cd820ea868545d2dd8df5dfb2d4c07f39698cfc Mon Sep 17 00:00:00 2001
From: Asger F <asgerf@github.com>
Date: Tue, 13 Jan 2026 11:46:12 +0100
Subject: [PATCH] JS: Add support for props callbacks in router configs

---
 javascript/ql/lib/semmle/javascript/frameworks/Vue.qll      | 4 ++++
 .../ql/test/library-tests/frameworks/Vue/tests.expected     | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Vue.qll b/javascript/ql/lib/semmle/javascript/frameworks/Vue.qll
index f571648294c..ca1eb24f3b5 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/Vue.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Vue.qll
@@ -664,6 +664,10 @@ module Vue {
       or
       result = routeConfig().getMember("beforeEnter").getParameter([0, 1]).asSource()
       or
+      result = routeConfig().getMember("props").getParameter(0).asSource()
+      or
+      result = routeConfig().getMember("props").getAMember().getParameter(0).asSource()
+      or
       exists(Component c |
         result = c.getABoundFunction().getAFunctionValue().getReceiver().getAPropertyRead("$route")
         or
diff --git a/javascript/ql/test/library-tests/frameworks/Vue/tests.expected b/javascript/ql/test/library-tests/frameworks/Vue/tests.expected
index 2b1cbebc431..633a8f9924d 100644
--- a/javascript/ql/test/library-tests/frameworks/Vue/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Vue/tests.expected
@@ -182,6 +182,9 @@ remoteFlowSource
 | router.js:9:17:9:26 | from.query |
 | router.js:15:25:15:32 | to.query |
 | router.js:16:25:16:34 | from.query |
+| router.js:21:20:21:30 | route.query |
+| router.js:26:29:26:39 | route.query |
+| router.js:27:29:27:39 | route.query |
 | router.js:32:9:32:16 | to.query |
 | router.js:33:9:33:18 | from.query |
 | router.js:38:5:38:12 | to.query |
@@ -227,6 +230,9 @@ threatModelSource
 | router.js:9:17:9:26 | from.query | remote |
 | router.js:15:25:15:32 | to.query | remote |
 | router.js:16:25:16:34 | from.query | remote |
+| router.js:21:20:21:30 | route.query | remote |
+| router.js:26:29:26:39 | route.query | remote |
+| router.js:27:29:27:39 | route.query | remote |
 | router.js:32:9:32:16 | to.query | remote |
 | router.js:33:9:33:18 | from.query | remote |
 | router.js:38:5:38:12 | to.query | remote |