Merge pull request github#3441 from erik-krogh/BabelDirectives

Approved by esbena

Author: semmle-qlci

change-notes/1.25/analysis-javascript.md

@@ -21,6 +21,7 @@
 | Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional file system calls. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional command execution calls. |
 | Expression has no effect (`js/useless-expression`) | Less results | This query no longer flags an expression when that expression is the only content of the containing file. |
+| Unknown directive (`js/unknown-directive`) | Less results | This query no longer flags directives generated by the Babel compiler. |
 
 ## Changes to libraries
 

javascript/ql/src/Expressions/UnknownDirective.ql

@@ -16,5 +16,7 @@ where
   // ignore ":" pseudo-directive sometimes seen in dual-use shell/node.js scripts
   not d.getExpr().getStringValue() = ":" and
   // but exclude attribute top-levels: `<a href="javascript:'some-attribute-string'">`
-  not d.getParent() instanceof CodeInAttribute
+  not d.getParent() instanceof CodeInAttribute and
+  // exclude babel generated directives like "@babel/helpers - typeof".
+  not d.getDirectiveText().prefix(14) = "@babel/helpers"
 select d, "Unknown directive: '" + truncate(d.getDirectiveText(), 20, " ... (truncated)") + "'."

javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js

@@ -45,3 +45,7 @@ function yui() {
     ":nomunge"; // NOT OK
     "foo(), bar, baz:nomunge"; // NOT OK
 }
+
+function babel_typeof(obj) { 
+    "@babel/helpers - typeof"
+}