Add DomValueSource for react useRef output (object's prop named current)

2026-02-12 05:01:06 +01:00 · 2025-10-22 16:51:03 -04:00
parent 9534188f1f
commit dd6db16550
2 changed files with 12 additions and 1 deletions
--- a/javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md
+++ b/javascript/ql/lib/change-notes/2025-10-21-react-precallgraph-step.md
@@ -1,4 +1,5 @@
 ---
 category: minorAnalysis
 ---
-* Added PreCallGraphStep flow model for React's `useRef` hook.
+* Added `PreCallGraphStep` flow model for React's `useRef` hook.
+* Added a `DomValueSource` that uses the `current` property off the object returned by React's `useRef` hook.
--- a/javascript/ql/lib/semmle/javascript/frameworks/React.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/React.qll
@@ -804,6 +804,16 @@ private class ReactRouterLocationSource extends DOM::LocationSource::Range {
  }
 }

+private class UseRefDomValueSource extends DOM::DomValueSource::Range {
+  UseRefDomValueSource() {
+    exists(DataFlow::PropRead current, UseRefStep step, string prop | current = this |
+      step.step(_, current) and
+      current.mayHavePropertyName(prop) and
+      prop = "current"
+    )
+  }
+}
+
 /**
 * Gets a reference to a function which, if called with a React component, returns wrapped
 * version of that component, which we model as a direct reference to the underlying component.