JS: Improve mssql model

Author: asgerf

javascript/ql/src/semmle/javascript/frameworks/SQL.qll

@@ -371,15 +371,32 @@ private module MsSql {
   /** Gets a reference to the `mssql` module. */
   API::Node mssql() { result = API::moduleImport("mssql") }
 
-  /** Gets an expression that creates a request object. */
+  /** Gets a node referring to an instance of the given class. */
+  API::Node mssqlClass(string name) {
+    result = mssql().getMember(name).getInstance()
+    or
+    result = API::Node::ofType("mssql", name)
+  }
+
+  /** Gets an API node referring to a Request object. */
   API::Node request() {
-    // new require('mssql').Request()
-    result = mssql().getMember("Request").getInstance()
+    result = mssqlClass("Request")
     or
-    // request.input(...)
-    result = request().getMember("input").getReturn()
+    result = request().getMember(["input", "replaceInput", "output", "replaceOutput"]).getReturn()
+    or
+    result = [transaction(), pool()].getMember("request").getReturn()
   }
 
+  /** Gets an API node referring to a Transaction object. */
+  API::Node transaction() {
+    result = mssqlClass("Transaction")
+    or
+    result = pool().getMember("transaction").getReturn()
+  }
+
+  /** Gets a API node referring to a ConnectionPool object. */
+  API::Node pool() { result = mssqlClass("ConnectionPool") }
+
   /** A tagged template evaluated as a query. */
   private class QueryTemplateExpr extends DatabaseAccess, DataFlow::ValueNode {
     override TaggedTemplateExpr astNode;
@@ -395,7 +412,7 @@ private module MsSql {
 
   /** A call to a MsSql query method. */
   private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
-    QueryCall() { this = request().getMember(["query", "batch"]).getACall() }
+    QueryCall() { this = [mssql(), request()].getMember(["query", "batch"]).getACall() }
 
     override DataFlow::Node getAQueryArgument() { result = getArgument(0) }
   }

javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected

@@ -1,9 +1,11 @@
 | mssql1.js:7:40:7:72 | select  ... e id =  |
 | mssql1.js:7:75:7:79 | value |
+| mssql1.js:10:19:10:30 | 'SELECT 123' |
 | mssql2.js:5:15:5:34 | 'select 1 as number' |
 | mssql2.js:13:15:13:66 | 'create ...  table' |
 | mssql2.js:22:24:22:43 | 'select 1 as number' |
 | mssql2.js:29:30:29:81 | 'create ...  table' |
+| mssql-types.ts:7:31:7:42 | 'SELECT 123' |
 | mysql1.js:13:18:13:43 | 'SELECT ... lution' |
 | mysql1.js:18:18:22:1 | {\\n    s ... vid']\\n} |
 | mysql1a.js:17:18:17:43 | 'SELECT ... lution' |

javascript/ql/test/library-tests/frameworks/SQL/mssql-types.ts

@@ -0,0 +1,9 @@
+import { ConnectionPool } from "mssql";
+
+class Foo {
+  constructor(private pool: ConnectionPool) {}
+
+  doSomething() {
+    this.pool.request().query('SELECT 123');
+  }
+}

javascript/ql/test/library-tests/frameworks/SQL/mssql1.js

@@ -6,6 +6,8 @@ async () => {
         const pool = await sql.connect('mssql://username:password@localhost/database')
         const result = await sql.query`select * from mytable where id = ${value}`
         console.dir(result)
+
+        sql.query('SELECT 123');
     } catch (err) {
         // ... error checks 
     }