JS: Expand D3 model a bit

Author: asgerf

javascript/ql/src/semmle/javascript/frameworks/D3.qll

@@ -9,6 +9,9 @@ module D3 {
   API::Node d3() {
     result = API::moduleImport("d3")
     or
+    // recognize copies of d3 in a scope
+    result = API::moduleImport(any(string s | s.regexpMatch("@.*/d3(-\\w+)?")))
+    or
     result = API::moduleImport("d3-node").getInstance().getMember("d3")
   }
 
@@ -44,6 +47,10 @@ module D3 {
       or
       name = ["attr", "classed", "style", "property", "on"] and
       call.getNumArgument() > 1 // exclude 1-argument version, which returns the current value
+      or
+      // Setting multiple things at once
+      name = ["attr", "classed", "style", "property", "on"] and
+      call.getArgument(0).getALocalSource() instanceof DataFlow::ObjectLiteralNode
     )
     or
     result = d3Selection().getMember("call").getParameter(0).getParameter(0)

javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll

@@ -61,15 +61,20 @@ module XssThroughDom {
    */
   class D3TextSource extends Source {
     D3TextSource() {
-      exists(DataFlow::MethodCallNode call, string methodName, string argValue |
+      exists(DataFlow::MethodCallNode call, string methodName |
         this = call and
-        call = D3::d3Selection().getMember(methodName).getACall() and
+        call = D3::d3Selection().getMember(methodName).getACall()
+        |
+        methodName = "attr" and
         call.getNumArgument() = 1 and
-        call.getArgument(0).mayHaveStringValue(argValue)
-      |
-        methodName = "attr" and argValue = unsafeAttributeName()
+        call.getArgument(0).mayHaveStringValue(unsafeAttributeName())
+        or
+        methodName = "property" and
+        call.getNumArgument() = 1 and
+        call.getArgument(0).mayHaveStringValue(unsafeDomPropertyName())
         or
-        methodName = "property" and argValue = unsafeDomPropertyName()
+        methodName = "text" and
+        call.getNumArgument() = 0
       )
     }
   }