Skip to content

JS: Promote js/template-syntax-in-string-literal to the Code Quality suite. #19726

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Jun 13, 2025
Merged

JS: Promote js/template-syntax-in-string-literal to the Code Quality suite. #19726

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
92084dd
JS: add `js/template-syntax-in-string-literal` to the Code Quality su…
Napalys Jun 11, 2025
861e4ee
JS: Added test cases including manual interpolation and string concat…
Napalys Jun 12, 2025
bafe7e6
JS: Fix template literal detection in string concatination
Napalys Jun 12, 2025
923aff2
JS: Fixed false positive on manual string interpolation.
Napalys Jun 12, 2025
75ee649
JS: add change note
Napalys Jun 12, 2025
da5cd25
Update javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiter…
Napalys Jun 12, 2025
d7ad625
JS: restrict type tracking to strings of interest.
Napalys Jun 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions javascript/ql/integration-tests/query-suite/javascript-code-quality.qls.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ ql/javascript/ql/src/Declarations/IneffectiveParameterType.ql
ql/javascript/ql/src/Expressions/ExprHasNoEffect.ql
ql/javascript/ql/src/Expressions/MissingAwait.ql
ql/javascript/ql/src/LanguageFeatures/SpuriousArguments.ql
ql/javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql
ql/javascript/ql/src/Quality/UnhandledErrorInStreamPipeline.ql
ql/javascript/ql/src/RegExp/DuplicateCharacterInCharacterClass.ql
ql/javascript/ql/src/RegExp/RegExpAlwaysMatches.ql
38 changes: 33 additions & 5 deletions javascript/ql/src/LanguageFeatures/TemplateSyntaxInStringLiteral.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,10 @@
* @problem.severity warning
* @id js/template-syntax-in-string-literal
* @precision high
* @tags correctness
* @tags quality
* reliability
* correctness
* language-features
*/

import javascript
Expand Down Expand Up @@ -73,9 +76,10 @@ class CandidateStringLiteral extends StringLiteral {
* ```
*/
predicate hasObjectProvidingTemplateVariables(CandidateStringLiteral lit) {
exists(DataFlow::CallNode call, DataFlow::ObjectLiteralNode obj |
call.getAnArgument().getALocalSource() = obj and
call.getAnArgument().asExpr() = lit and
exists(DataFlow::CallNode call, DataFlow::ObjectLiteralNode obj, DataFlow::Node stringArg |
stringArg = [StringConcatenation::getRoot(lit.flow()), lit.flow()] and
stringArg = call.getAnArgument() and
obj.flowsTo(call.getAnArgument()) and
forex(string name | name = lit.getAReferencedVariable() | exists(obj.getAPropertyWrite(name)))
)
}
Expand All @@ -91,12 +95,36 @@ VarDecl getDeclIn(Variable v, Scope scope, string name, CandidateTopLevel tl) {
result.getTopLevel() = tl
}

/**
* Tracks data flow from a string literal that may flow to a replace operation.
*/
DataFlow::SourceNode trackString(CandidateStringLiteral lit, DataFlow::TypeTracker t) {
t.start() and result = lit.flow()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tracking all string literals in the program seems unnecessarily expensive. Could you restrict this to just the string literals that we might have flagged otherwise?

Adding exists(lit.getAReferencedVariable()) might be good enough.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added here d7ad625.

or
exists(DataFlow::TypeTracker t2 | result = trackString(lit, t2).track(t2, t))
}

/**
* Gets a string literal that flows to a replace operation.
*/
DataFlow::SourceNode trackString(CandidateStringLiteral lit) {
result = trackString(lit, DataFlow::TypeTracker::end())
}

/**
* Holds if the string literal flows to a replace method call.
*/
predicate hasReplaceMethodCall(CandidateStringLiteral lit) {
trackString(lit).getAMethodCall() instanceof StringReplaceCall
}

from CandidateStringLiteral lit, Variable v, Scope s, string name, VarDecl decl
where
decl = getDeclIn(v, s, name, lit.getTopLevel()) and
lit.getAReferencedVariable() = name and
lit.isInScope(s) and
not hasObjectProvidingTemplateVariables(lit) and
not lit.getStringValue() = "${" + name + "}"
not lit.getStringValue() = "${" + name + "}" and
not hasReplaceMethodCall(lit)
select lit, "This string is not a template literal, but appears to reference the variable $@.",
decl, v.getName()
4 changes: 4 additions & 0 deletions javascript/ql/src/change-notes/2025-06-12-string-interpolation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed false positives in the `js/template-syntax-in-string-literal` query where template syntax in string concatenation and "manual string interpolation" patterns were incorrectly flagged.
4 changes: 4 additions & 0 deletions javascript/ql/src/change-notes/2025-06-12-template-syntax-metadata.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: queryMetadata
---
* Added `reliability` and `language-features` tags to the `js/template-syntax-in-string-literal` query.
28 changes: 27 additions & 1 deletion ...ery-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,4 +40,30 @@ function foo1() {
writer.emit("Name: ${name}, Date: ${date}.", data);

writer.emit("Name: ${name}, Date: ${date}, ${foobar}", data); // $ Alert - `foobar` is not in `data`.
}
}

function a(actual, expected, description) {
assert(false, "a", description, "expected (" +
typeof expected + ") ${expected} but got (" + typeof actual + ") ${actual}", {
expected: expected,
actual: actual
});
}

function replacer(str, name) {
return str.replace("${name}", name);
}

function replacerAll(str, name) {
return str.replaceAll("${name}", name);
}

function manualInterpolation(name) {
let str = "Name: ${name}";
let result1 = replacer(str, name);
console.log(result1);

str = "Name: ${name} and again: ${name}";
let result2 = replacerAll(str, name);
console.log(result2);
}