JS: Add models for webix

[jorgectf]

This PR adds modeling for the Webix framework.

cc @Kwstubbs

[asgerf]

LGTM, just need an update to the test expectations for HeuristicSourceCodeInjection.ql, which resides in the same folder as the regular code injection test.

[asgerf]

Some optional comments for using API graphs instead of local data flow. Note that they're written off the top of the my head and I may have made mistakes.

[jorgectf]

Some optional comments for using API graphs instead of local data flow. Note that they're written off the top of the my head and I may have made mistakes.

Thanks @asgerf! Done ✅

[Kwstubbs]

@asgerf I noticed that webix could be used in the form of

<script src="../../codebase/webix.js" type="text/javascript" charset="utf-8"></script>
<script>webix.extend(object1, object_with_usercontrolled_values) </script> 

Would CodeQL be able to identify calls inside script tags (within an HTML file)? We would like to support this use case as well if possible. Thanks!

[asgerf]

Would CodeQL be able to identify calls inside script tags (within an HTML file)? We would like to support this use case as well if possible. Thanks!

Yes, we'd usually use DataFlow::globalVarRef("webix") to find uses of the global variable webix, see the inline suggestion.

It's slightly cumbersome to get that working with API graphs (we're working on simplifying it). A good example of how to do this can be found in the D3 model:

codeql/javascript/ql/lib/semmle/javascript/frameworks/D3.qll

Line 24 in 36d8678

result = any(D3GlobalEntry i).getANode()

[jorgectf]

Nice catch @Kwstubbs, I have adapted the modeling as per #13529 (review) @asgerf suggestion

[asgerf]

One final comment. I'll start an evaluation of the PR in the meantime.