Merge remote-tracking branch 'upstream/master' into promiseAll

javascript/ql/src/Statements/UseOfReturnlessFunction.ql

@@ -222,6 +222,7 @@ where
   not lastStatementHasNoEffect(func) and
   // anonymous one-shot closure. Those are used in weird ways and we ignore them.
   not oneshotClosure(call) and
-  not hasNonVoidReturnType(func)
+  not hasNonVoidReturnType(func) and
+  not call.getEnclosingExpr() instanceof SuperCall
 select
   call, msg, func, name

javascript/ql/src/javascript.qll

@@ -76,6 +76,7 @@ import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
 import semmle.javascript.frameworks.jQuery
+import semmle.javascript.frameworks.Handlebars
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging
 import semmle.javascript.frameworks.HttpFrameworks

javascript/ql/src/semmle/javascript/frameworks/Handlebars.qll

@@ -0,0 +1,29 @@
+/**
+ * Provides classes for working with Handlebars code.
+ */
+
+import javascript
+
+module Handlebars {
+  /**
+   * A reference to the Handlebars library. 
+   */
+  class Handlebars extends DataFlow::SourceNode {
+    Handlebars() {
+      this.accessesGlobal("handlebars")
+      or
+      this.accessesGlobal("Handlebars")
+      or
+      this = DataFlow::moduleImport("handlebars")
+      or
+      this.hasUnderlyingType("Handlebars")
+    }
+  }
+
+  /**
+   * A new instantiation of a Handlebars.SafeString.
+   */
+  class SafeString extends DataFlow::NewNode {
+    SafeString() { this = any(Handlebars h).getAConstructorInvocation("SafeString") }
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -95,6 +95,8 @@ module DomBasedXss {
         mcn.getMethodName() = m and
         this = mcn.getArgument(1)
       )
+      or
+      this = any(Handlebars::SafeString s).getAnArgument()
     }
   }