From 5b0ef40a3ec76679124669715ba7fca4ea7a1bfe Mon Sep 17 00:00:00 2001 From: Asger F Date: Thu, 4 Sep 2025 09:35:42 +0200 Subject: [PATCH 1/2] JS: Remove special treatment of strings in AngularJS code String literals are already SourceNodes. But we need to add template literals as well --- .../semmle/javascript/dataflow/Sources.qll | 1 + .../frameworks/AngularJS/AngularJSCore.qll | 40 ------------------- 2 files changed, 1 insertion(+), 40 deletions(-)
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/Sources.qll b/javascript/ql/lib/semmle/javascript/dataflow/Sources.qll
index f861488a046c..7503e5001e0f 100644
--- a/javascript/ql/lib/semmle/javascript/dataflow/Sources.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/Sources.qll
@@ -334,6 +334,7 @@ module SourceNode {
 astNode instanceof Templating::PipeRefExpr or
 astNode instanceof Templating::TemplateVarRefExpr or
 astNode instanceof StringLiteral or
+ astNode instanceof TemplateLiteral or
 astNode instanceof TypeAssertion or
 astNode instanceof SatisfiesExpr
 )
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll b/javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll
index 248a88e3d1cc..41d14c1e3be4 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll
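Review bot: The added `astNode instanceof TemplateLiteral or` disjunct in Sources.qll carries no comment, while the rationale for tracking these literals lived in the QLDoc of `TrackStringsInAngularCode`, which this patch deletes from AngularJSCore.qll. A short comment above the disjunct would keep it, for example `// string and template literals are often used as identifiers or references, so they are tracked as sources`. The disjunct also matches the template part of a tagged template (the updated tests.expected lists `tst.js:58:5:58:13`), which the deleted code did only in AngularJS top-levels; if that is not intended for all JavaScript, it could be excluded with `astNode instanceof TemplateLiteral and not astNode = any(TaggedTemplateExpr t).getTemplate() or`. The enclosing predicate starts and ends outside this hunk, so the rest of the disjunction could not be checked here.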
@@ -23,46 +23,6 @@ DataFlow::SourceNode angular() {
 result = DataFlow::moduleImport("angular")
 }
 
-/**
- * Holds if `tl` appears to be a top-level using the AngularJS library.
- *
- * Should not depend on the `SourceNode` class.
- */
-pragma[nomagic]
-private predicate isAngularTopLevel(TopLevel tl) {
- exists(Import imprt |
- imprt.getTopLevel() = tl and
- imprt.getImportedPathString() = "angular"
- )
- or
- exists(GlobalVarAccess global |
- global.getName() = "angular" and
- global.getTopLevel() = tl
- )
-}
-
-/**
- * Holds if `s` is a string in a top-level using the AngularJS library.
- *
- * Should not depend on the `SourceNode` class.
- */
-pragma[nomagic]
-private predicate isAngularString(Expr s) {
- isAngularTopLevel(s.getTopLevel()) and
- (
- s instanceof StringLiteral or
- s instanceof TemplateLiteral
- )
-}
-
-/**
- * String literals in Angular code are often used as identifiers or references, so we
- * want to track them.
- */
-private class TrackStringsInAngularCode extends DataFlow::SourceNode::Range, DataFlow::ValueNode {
- TrackStringsInAngularCode() { isAngularString(astNode) }
-}
-
 /**
 * Holds if `m` is of the form `angular.module("name", ...)`.
 */
From 4926d278a270ff84ba6ba5dfb99da5880ecf0e27 Mon Sep 17 00:00:00 2001 From: Asger F Date: Thu, 4 Sep 2025 13:59:19 +0200 Subject: [PATCH 2/2] JS: Update test output --- javascript/ql/test/library-tests/DataFlow/tests.expected | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/javascript/ql/test/library-tests/DataFlow/tests.expected b/javascript/ql/test/library-tests/DataFlow/tests.expected
index 7655c8b9f84c..7ba6cbb60f39 100644
--- a/javascript/ql/test/library-tests/DataFlow/tests.expected
+++ b/javascript/ql/test/library-tests/DataFlow/tests.expected
@@ -1564,8 +1564,10 @@ sources | tst.js:50:14:53:3 | () {\\n ... et`\\n } | | tst.js:50:14:53:3 | return of constructor of class A | | tst.js:51:5:51:13 | super(42) | +| tst.js:57:1:57:9 | `x: ${x}` | | tst.js:58:1:58:3 | tag | | tst.js:58:1:58:13 | tag `x: ${x}` | +| tst.js:58:5:58:13 | `x: ${x}` | | tst.js:61:1:61:5 | ::o.m | | tst.js:61:3:61:5 | o.m | | tst.js:62:1:62:4 | o::g |