JS: Model React 'use' and 'use server' #19852

Open: wants to merge 12 commits into base: main

Conversation

@asgerf asgerf (Contributor) commented Jun 23, 2025

  • Adds flow through the use function from react.
  • Marks parameters of a "use server" function as taint sources.
  • Also makes the React unit tests use inline expectation.

@github-actions github-actions bot added the JS label Jun 23, 2025
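As an added example (not code from this PR, from React, or from the test file that follows), here is a plain Node.js sketch of the boundary a "use server" function sits behind: the framework deserializes whatever arguments the browser sent and calls the action with them, which is why the PR treats those parameters as taint sources. The action registry and dispatcher are constructed stand-ins for the framework, and the validation rules are assumptions for the demo.

```javascript
// Added example; not part of the CodeQL PR, of React, or of the test file
// above. It mimics the boundary a "use server" function sits behind: the
// framework deserializes the arguments a browser sent and calls the action
// with them, so every parameter is client-controlled input. That is why the
// PR models such parameters as taint sources.

// The server action. React only requires the "use server" directive and an
// async function; the directive does nothing to make the arguments safe.
async function setDisplayName(userId, displayName) {
  "use server";
  // Treat every parameter as remote input: check type, shape and length
  // before it reaches a query, a file path or rendered HTML.
  if (typeof userId !== "string" || !/^[0-9]{1,12}$/.test(userId)) {
    return { ok: false, error: "invalid userId" };
  }
  if (typeof displayName !== "string" || displayName.trim().length === 0 ||
      displayName.length > 40) {
    return { ok: false, error: "invalid displayName" };
  }
  return { ok: true, userId, displayName: displayName.trim() };
}

// Actions a client may invoke, keyed by an id (constructed registry; a real
// framework assigns these ids at build time).
const ACTIONS = { setDisplayName };

// Stand-in for the framework's action endpoint (constructed for this
// example). `body` is the raw request body; nothing in it can be trusted,
// not the action id, not the argument list, not its shape.
async function dispatchAction(body) {
  let msg;
  try {
    msg = JSON.parse(body);
  } catch {
    return { ok: false, error: "malformed body" };
  }
  // Own-property lookup so ids such as "constructor" or "__proto__" do not
  // resolve to inherited members of the registry object.
  if (msg === null || typeof msg !== "object" || typeof msg.id !== "string" ||
      !Object.prototype.hasOwnProperty.call(ACTIONS, msg.id)) {
    return { ok: false, error: "unknown action" };
  }
  if (!Array.isArray(msg.args)) {
    return { ok: false, error: "arguments must be an array" };
  }
  return ACTIONS[msg.id](...msg.args);
}
```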
import javascript
import semmle.javascript.frameworks.React

query predicate getADirectStateAccess(ReactComponent c, DataFlow::SourceNode res) {
  res = c.getADirectStateAccess()
}

Check warning (Code scanning / CodeQL, test): Predicates starting with "get" or "as" should return a value. This predicate starts with 'get' but does not return a value.

query predicate getInstanceMethod(ReactComponent c, string n, Function res) {
  res = c.getInstanceMethod(n)
}

Check warning (Code scanning / CodeQL, test): same "get"/"as" warning as above.

query predicate getAPreviousStateSource(ReactComponent c, DataFlow::SourceNode res) {

Check warning (Code scanning / CodeQL, test): same "get"/"as" warning as above.

query predicate reactComponentRef(ReactComponent c, DataFlow::Node res) { res = c.ref() }

query predicate getACandidateStateSource(ReactComponent c, DataFlow::SourceNode res) {
  res = c.getACandidateStateSource()
}

Check warning (Code scanning / CodeQL, test): same "get"/"as" warning as above.

query predicate getADirectPropsSource(ReactComponent c, DataFlow::SourceNode res) {
  res = c.getADirectPropsAccess()
}

Check warning (Code scanning / CodeQL, test): same "get"/"as" warning as above.

query predicate getACandidatePropsValue(DataFlow::Node res) {

Check warning (Code scanning / CodeQL, test): same "get"/"as" warning as above.

query predicate reactComponent(ReactComponent c) { any() }

query predicate getAPropRead(ReactComponent c, string n, DataFlow::PropRead res) {

Check warning (Code scanning / CodeQL, test): same "get"/"as" warning as above.
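Review bot: `getADirectPropsSource` exposes `c.getADirectPropsAccess()`, so the query predicate's name does not match the library predicate it wraps; renaming it to `getADirectPropsAccess` keeps the expectation output self-describing. The code-scanning warning repeated on every `get*` query predicate in this file ("Predicates starting with "get" or "as" should return a value") fires because these are `query predicate`s that bind a `res` parameter rather than predicates with a result; the noun-style names already used for `reactComponentRef` and `reactComponent` would clear it, and if the `get` prefixes are kept for readability of the expectation file, the alert should be suppressed for this test file so it does not reappear on every future change.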
@asgerf asgerf marked this pull request as ready for review June 24, 2025 07:26
@asgerf asgerf requested a review from a team as a code owner June 24, 2025 07:26

@Napalys Napalys left a comment


Everything looks good to me, I am just a tiny bit confused about the double change note, is that expected?

@asgerf asgerf force-pushed the js/react-use-server branch from 21f1b4b to 4fc5738 June 24, 2025 08:27
@asgerf asgerf (Contributor, Author) commented Jun 24, 2025

> Everything looks good to me, I am just a tiny bit confused about the double change note, is that expected?

Yeah I saw the change note CI check failing and was confused why my change note had disappeared, and I just wrote a new one. Not sure what happened. Maybe I forgot to push the commit with the original change note. Anyways, I've removed the duplicate change note.
