add source for react-hook-form in xss-through-dom

2026-04-28 02:05:14 +02:00 · 2021-02-08 15:44:34 +01:00
parent 65d93c9061
commit be9636491b
3 changed files with 74 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -154,5 +154,21 @@ module XssThroughDom {
        )
      }
    }
+
+    /**
+     * An object containing input values from a form build with `react-hook-form`.
+     */
+    class ReactHookFormSource extends Source {
+      ReactHookFormSource() {
+        exists(API::Node useForm |
+          useForm = API::moduleImport("react-hook-form").getMember("useForm").getReturn()
+        |
+          this =
+            useForm.getMember("handleSubmit").getParameter(0).getParameter(0).getAnImmediateUse()
+          or
+          this = useForm.getMember("getValues").getACall()
+        )
+      }
+    }
  }
 }