JS: Use sanitizing primitive types in ViewComponentInput

asgerf · asgerf · commit 2d21074598fe · 2025-05-20T13:20:09.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/ViewComponentInput.qll b/javascript/ql/lib/semmle/javascript/ViewComponentInput.qll
@@ -3,6 +3,7 @@
  */
 
 private import javascript
+private import semmle.javascript.internal.TypeResolution
 
 /**
  * An input to a view component, such as React props.
@@ -14,34 +15,11 @@ abstract class ViewComponentInput extends DataFlow::Node {
 
 private class ViewComponentInputAsThreatModelSource extends ThreatModelSource::Range instanceof ViewComponentInput
 {
-  ViewComponentInputAsThreatModelSource() { not isSafeType(this.asExpr().getType()) }
+  ViewComponentInputAsThreatModelSource() {
+    not TypeResolution::valueHasSanitizingPrimitiveType(this.asExpr())
+  }
 
   final override string getThreatModel() { result = "view-component-input" }
 
   final override string getSourceType() { result = ViewComponentInput.super.getSourceType() }
 }
-
-private predicate isSafeType(Type t) {
-  t instanceof NumberLikeType
-  or
-  t instanceof BooleanLikeType
-  or
-  t instanceof UndefinedType
-  or
-  t instanceof NullType
-  or
-  t instanceof VoidType
-  or
-  hasSafeTypes(t, t.(UnionType).getNumElementType())
-  or
-  isSafeType(t.(IntersectionType).getAnElementType())
-}
-
-/** Hold if the first `n` components of `t` are safe types. */
-private predicate hasSafeTypes(UnionType t, int n) {
-  isSafeType(t.getElementType(0)) and
-  n = 1
-  or
-  isSafeType(t.getElementType(n - 1)) and
-  hasSafeTypes(t, n - 1)
-}
