Added react-relay useFragment as threat model source.

Napalys · Napalys · commit 1443f314a131 · 2025-03-06T18:10:23.000+01:00
diff --git a/javascript/ql/lib/ext/react-relay-threat.model.yml b/javascript/ql/lib/ext/react-relay-threat.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sourceModel
+    data:
+      - ["react-relay", "Member[useFragment].ReturnValue", "response"]
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected
@@ -1,5 +1,6 @@
 #select
 | test.jsx:27:29:27:32 | data | test.jsx:5:28:5:63 | fetch(" ... ntent") | test.jsx:27:29:27:32 | data | Cross-site scripting vulnerability due to $@. | test.jsx:5:28:5:63 | fetch(" ... ntent") | user-provided value |
+| testReactRelay.tsx:19:47:19:62 | commentData.text | testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n  ) | testReactRelay.tsx:19:47:19:62 | commentData.text | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n  ) | user-provided value |
 edges
 | test.jsx:5:11:5:63 | response | test.jsx:6:24:6:31 | response | provenance |  |
 | test.jsx:5:22:5:63 | await f ... ntent") | test.jsx:5:11:5:63 | response | provenance |  |
@@ -10,6 +11,9 @@ edges
 | test.jsx:6:24:6:38 | response.json() | test.jsx:6:18:6:38 | await r ... .json() | provenance |  |
 | test.jsx:7:12:7:15 | data | test.jsx:15:11:17:5 | data | provenance |  |
 | test.jsx:15:11:17:5 | data | test.jsx:27:29:27:32 | data | provenance |  |
+| testReactRelay.tsx:5:9:13:3 | commentData | testReactRelay.tsx:19:47:19:57 | commentData | provenance |  |
+| testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n  ) | testReactRelay.tsx:5:9:13:3 | commentData | provenance |  |
+| testReactRelay.tsx:19:47:19:57 | commentData | testReactRelay.tsx:19:47:19:62 | commentData.text | provenance |  |
 nodes
 | test.jsx:5:11:5:63 | response | semmle.label | response |
 | test.jsx:5:22:5:63 | await f ... ntent") | semmle.label | await f ... ntent") |
@@ -21,4 +25,8 @@ nodes
 | test.jsx:7:12:7:15 | data | semmle.label | data |
 | test.jsx:15:11:17:5 | data | semmle.label | data |
 | test.jsx:27:29:27:32 | data | semmle.label | data |
+| testReactRelay.tsx:5:9:13:3 | commentData | semmle.label | commentData |
+| testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n  ) | semmle.label | useFrag ... Ref\\n  ) |
+| testReactRelay.tsx:19:47:19:57 | commentData | semmle.label | commentData |
+| testReactRelay.tsx:19:47:19:62 | commentData.text | semmle.label | commentData.text |
 subpaths
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx
@@ -10,13 +10,13 @@ const CommentComponent = ({ commentRef }) => {
       }
     `,
     commentRef
-  ); // $ MISSING: Source=[js/xss]
+  ); // $ Source=[js/xss]
 
   return (
     <div>
       <h3>Comment:</h3>
       {/* Directly rendering user input without sanitation */}
-      <p dangerouslySetInnerHTML = {{ __html: commentData.text}}> {commentData.text}</p> // $ MISSING: Alert=[js/xss]
+      <p dangerouslySetInnerHTML = {{ __html: commentData.text}}> {commentData.text}</p> // $ Alert=[js/xss]
     </div> 
   );
 };
