Skip to content

Js: Added support for @tanstack/vue-query #19006

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Mar 14, 2025
Merged

Js: Added support for @tanstack/vue-query #19006

merged 11 commits into from
Mar 14, 2025

Conversation

Napalys
Copy link
Contributor

@Napalys Napalys commented Mar 13, 2025
edited
Loading

This pull request adds package modeling support for @tanstack/vue-query. Additionally, it includes the previously missing model for useQueries in @tanstack/react-query.

DCA looks good, but there are no new alerts since most of the repositories use Vue 3.

@Napalys Napalys force-pushed the js/vue_tanstack_model branch from 44a0a24 to bcca375 Compare March 13, 2025 11:25
@Napalys Napalys force-pushed the js/vue_tanstack_model branch from bcca375 to 5dff23d Compare March 13, 2025 11:45
@Napalys Napalys marked this pull request as ready for review March 13, 2025 16:01
@Copilot Copilot AI review requested due to automatic review settings March 13, 2025 16:01
@Napalys Napalys requested a review from a team as a code owner March 13, 2025 16:01
Copilot
Copilot AI reviewed Mar 13, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for the @tanstack/vue-query package and models the useQueries function for @tanstack/react-query. Key changes include new test files with queries using react-query and vue-query, updated change notes, and extended YAML models for query taint analysis.

Reviewed Changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactUseQueries.jsx Adds a React component using useQueries with two queries
javascript/ql/lib/change-notes/2025-03-13-tanstack-vue.md Documents the addition of support for @tanstack/vue-query
javascript/ql/lib/ext/tanstack.model.yml Extends query model definitions for vue-query and useQueries
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/test.vue Introduces a Vue component with a useQuery example
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testUseQueries.vue Introduces a Vue component using useQueries with mapped query functions
javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testUseQueries2.vue Introduces a second Vue component using useQueries with multiple query functions
Files not reviewed (1)
  • javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected: Language not supported
Comments suppressed due to low confidence (1)

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testUseQueries.vue:11

  • The fetch call uses a template literal that does not interpolate a variable; this may lead to an invalid URL.
const response = await fetch("${id}"); // $ MISSING: Source

Tip: Leave feedback on Copilot's review comments with the 👎 and 👍 buttons to help improve review quality. Learn more

@github github deleted a comment from Copilot AI Mar 13, 2025
@github github deleted a comment from Copilot AI Mar 13, 2025
@github github deleted a comment from Copilot AI Mar 13, 2025
asgerf
asgerf reviewed Mar 14, 2025
View reviewed changes
javascript/ql/lib/ext/tanstack.model.yml Outdated
Comment on lines 6 to 10
- ["@tanstack/angular-query-experimental", "Member[injectQuery]", "Argument[0].ReturnValue.Member[queryFn].ReturnValue", "ReturnValue.Member[data].Awaited", "taint"]
- ["@tanstack/angular-query", "Member[injectQuery]", "Argument[0].ReturnValue.Member[queryFn].ReturnValue", "ReturnValue.Member[data].Awaited", "taint"]
- ["@tanstack/vue-query", "Member[useQuery]", "Argument[0].Member[queryFn].ReturnValue.Awaited", "ReturnValue.Member[data]", "taint"]
- ["@tanstack/vue-query", "Member[useQueries]", "Argument[0].Member[queries].ArrayElement.Member[queryFn].ReturnValue.Awaited", "ReturnValue.AnyMember.Member[data]", "taint"]
- ["@tanstack/react-query", "Member[useQueries]", "Argument[0].Member[queries].ArrayElement.Member[queryFn].ReturnValue.Awaited", "ReturnValue.AnyMember.Member[data]", "taint"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- ["@tanstack/angular-query-experimental", "Member[injectQuery]", "Argument[0].ReturnValue.Member[queryFn].ReturnValue", "ReturnValue.Member[data].Awaited", "taint"]
- ["@tanstack/angular-query", "Member[injectQuery]", "Argument[0].ReturnValue.Member[queryFn].ReturnValue", "ReturnValue.Member[data].Awaited", "taint"]
- ["@tanstack/vue-query", "Member[useQuery]", "Argument[0].Member[queryFn].ReturnValue.Awaited", "ReturnValue.Member[data]", "taint"]
- ["@tanstack/vue-query", "Member[useQueries]", "Argument[0].Member[queries].ArrayElement.Member[queryFn].ReturnValue.Awaited", "ReturnValue.AnyMember.Member[data]", "taint"]
- ["@tanstack/react-query", "Member[useQueries]", "Argument[0].Member[queries].ArrayElement.Member[queryFn].ReturnValue.Awaited", "ReturnValue.AnyMember.Member[data]", "taint"]
- ["@tanstack/angular-query-experimental", "Member[injectQuery]", "Argument[0].ReturnValue.Member[queryFn].ReturnValue", "ReturnValue.Member[data].Awaited", "value"]
- ["@tanstack/angular-query", "Member[injectQuery]", "Argument[0].ReturnValue.Member[queryFn].ReturnValue", "ReturnValue.Member[data].Awaited", "value"]
- ["@tanstack/vue-query", "Member[useQuery]", "Argument[0].Member[queryFn].ReturnValue.Awaited", "ReturnValue.Member[data]", "value"]
- ["@tanstack/vue-query", "Member[useQueries]", "Argument[0].Member[queries].ArrayElement.Member[queryFn].ReturnValue.Awaited", "ReturnValue.AnyMember.Member[data]", "value"]
- ["@tanstack/react-query", "Member[useQueries]", "Argument[0].Member[queries].ArrayElement.Member[queryFn].ReturnValue.Awaited", "ReturnValue.AnyMember.Member[data]", "value"]

These should all be value steps. If you want to test the difference, you could add a test where the queryFn returns { foo: fetch(...) }, that is, where the taint is wrapped in an object. Then it would only work with value steps.

Also could you perhaps move the @tanstack/react-query model into this file while we're at it? Just for consistency.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, is taint a subset of value? Is it significantly more expensive, or could one just always use value instead?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

value should be used if the value is preserved; taint should be used if the value changed.

taint is mainly used to model string manipulation, where the resulting value is not exactly equal to the original.

Napalys and others added 2 commits March 14, 2025 13:48
@Napalys @asgerf
Changed from taint to value steps.
d40ef0d 
Co-authored-by: Asgerf <asgerf@github.com>
@Napalys
Refactor Tanstack integration: remove Tanstack framework and added mo…
933f3c6 
…del as data for it instead.
@Napalys Napalys requested a review from asgerf March 14, 2025 13:10
@Napalys Napalys merged commit 70232a3 into github:main Mar 14, 2025
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@asgerf asgerf asgerf approved these changes

Assignees
No one assigned
Labels
documentation JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Napalys @asgerf