JS: Step through babel.transform

Author: asgerf

javascript/ql/src/semmle/javascript/frameworks/Babel.qll

@@ -188,4 +188,20 @@ module Babel {
     /** Gets the name of the variable used to create JSX elements. */
     string getJsxFactoryVariableName() { result = getOption("pragma").(JSONString).getValue() }
   }
+
+  /**
+   * A taint step through a call to the Babel `transform` function.
+   */
+  private class TransformTaintStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(DataFlow::CallNode call |
+        call =
+          API::moduleImport(["@babel/standalone", "@babel/core"])
+              .getMember(["transform", "transformSync"])
+              .getACall() and
+        pred = call.getArgument(0) and
+        succ = call
+      )
+    }
+  }
 }