From dd6db165504476a6b93702a2d9f429cced89ef85 Mon Sep 17 00:00:00 2001
From: Kristen Newbury
Date: Wed, 22 Oct 2025 16:51:03 -0400
Subject: [PATCH] Add DomValueSource for react useRef output (object's prop named current)

---
 .../change-notes/2025-10-21-react-precallgraph-step.md | 3 ++-
 .../ql/lib/semmle/javascript/frameworks/React.qll | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md b/javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md
index efba56b3470..e28a900e8d9 100644
--- a/javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md
+++ b/javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md
@@ -1,4 +1,5 @@
 ---
 category: minorAnalysis
 ---
-* Added PreCallGraphStep flow model for React's `useRef` hook.
\ No newline at end of file
+* Added `PreCallGraphStep` flow model for React's `useRef` hook.
+* Added a `DomValueSource` that uses the `current` property off the object returned by React's `useRef` hook.
\ No newline at end of file
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/React.qll b/javascript/ql/lib/semmle/javascript/frameworks/React.qll
index 946b09ffd44..05d8db6a075 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/React.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/React.qll
@@ -804,6 +804,16 @@ private class ReactRouterLocationSource extends DOM::LocationSource::Range {
 }
 }
 
+private class UseRefDomValueSource extends DOM::DomValueSource::Range {
+ UseRefDomValueSource() {
+ exists(DataFlow::PropRead current, UseRefStep step, string prop | current = this |
+ step.step(_, current) and
+ current.mayHavePropertyName(prop) and
+ prop = "current"
+ )
+ }
+}
+
 /**
 * Gets a reference to a function which, if called with a React component, returns wrapped
 * version of that component, which we model as a direct reference to the underlying component.
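Review bot: `UseRefDomValueSource` marks every `current` read that `UseRefStep` reaches as a DOM value, with no check that the ref is ever attached to an element through a JSX `ref` attribute; since `useRef` is also the idiomatic holder for timer ids, counters and previous-render values, those reads would be modeled as DOM elements too and could produce spurious DOM-based results (a `.value` read on a non-DOM ref, say) — unless `UseRefStep`, which is defined outside this hunk, already restricts the step to refs that flow into a `ref` attribute, which is worth confirming before merging. The `string prop` variable and the `current = this` alias add nothing: the body reduces to `exists(UseRefStep step | step.step(_, this)) and this.(DataFlow::PropRead).mayHavePropertyName("current")`. The class also has no QLDoc comment, although the definition that follows it starts with one; a line such as `/** A read of the `current` property of an object returned by `useRef`, modeled as a DOM value. */` would state the intent.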