Add react precallgraphstep useRef

2026-02-12 05:01:06 +01:00 · 2025-10-21 17:16:39 -04:00
parent a28a718409
commit 9534188f1f
2 changed files with 23 additions and 0 deletions
--- a/javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md
+++ b/javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added PreCallGraphStep flow model for React's `useRef` hook.
--- a/javascript/ql/lib/semmle/javascript/frameworks/React.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/React.qll
@@ -612,6 +612,25 @@ private class UseStateStep extends PreCallGraphStep {
  }
 }

+/**
+ * Step through a `useRef` call.
+ *
+ * It returns a pair of the initial state, and an object with a single property (current) potentially containing an input value.
+ *
+ * For example:
+ * ```js
+ * const inputRef1 = useRef(initialValue);
+ * ```
+ */
+private class UseRefStep extends PreCallGraphStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode call | call = react().getAMemberCall("useRef") |
+      pred = call.getArgument(0) and // initial state
+      succ = call.getAPropertyRead("current")
+    )
+  }
+}
+
 /**
 * A step through a React context object.
 *