JS: Add support for createNamespacedHelpers

asgerf · asgerf · commit ee608540c5bb · 2021-07-02T12:47:55.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Vuex.qll b/javascript/ql/src/semmle/javascript/frameworks/Vuex.qll
@@ -96,10 +96,20 @@ module Vuex {
    */
   private class MapHelperCall extends API::CallNode {
     string helperName;
+    string namespace;
 
     MapHelperCall() {
-      this = vuex().getMember(helperName).getACall() and
-      helperName = ["mapActions", "mapGetters", "mapMutations", "mapState"]
+      helperName = ["mapActions", "mapGetters", "mapMutations", "mapState"] and
+      (
+        this = vuex().getMember(helperName).getACall() and
+        namespace = ""
+        or
+        exists(API::CallNode call |
+          call = vuex().getMember("createNamespacedHelpers").getACall() and
+          namespace = call.getParameter(0).getAValueReachingRhs().getStringValue() + "/" and
+          this = call.getReturn().getMember(helperName).getACall()
+        )
+      )
     }
 
     /** Gets the name of the `vuex` method being invoked, such as `mapGetters`. */
@@ -109,10 +119,10 @@ module Vuex {
     pragma[noinline]
     string getPrefix() {
       getNumArgument() = 2 and
-      result = getArgument(0).getStringValue() + "/"
+      result = namespace + getParameter(0).getAValueReachingRhs().getStringValue() + "/"
       or
       getNumArgument() = 1 and
-      result = ""
+      result = namespace
     }
 
     /**
diff --git a/javascript/ql/test/library-tests/frameworks/Vuex/vuex.js b/javascript/ql/test/library-tests/frameworks/Vuex/vuex.js
@@ -1,6 +1,6 @@
 import Vue from 'vue';
 import Vuex from 'vuex';
-import { mapGetters, mapState, mapMutations, mapActions } from 'vuex';
+import { mapGetters, mapState, mapMutations, mapActions, createNamespacedHelpers } from 'vuex';
 
 Vue.use(Vuex);
 
@@ -18,6 +18,9 @@ const submoduleB = {
     }
 };
 
+const { mapGetters: mapGettersA } = createNamespacedHelpers('submoduleA');
+const { mapGetters: mapGettersB } = createNamespacedHelpers('submoduleB');
+
 const store = new Vuex.Store({
     getters: {
         getterWithSink: state => { sink(state.tainted); }, // NOT OK
@@ -72,8 +75,10 @@ const Component = new Vue({
             derivedUntainted: state => state.untainted,
         }),
         ...mapState(['tainted2']),
-        ...mapGetters('submoduleA', {fooA: 'foo'}),
-        ...mapGetters('submoduleB', {fooB: 'foo'}),
+        ...mapGetters('submoduleA', {fooA1: 'foo'}),
+        ...mapGettersA({fooA2: 'foo'}),
+        ...mapGetters('submoduleB', {fooB1: 'foo'}),
+        ...mapGettersB({fooB2: 'foo'}),
     },
     methods: {
         doCommitsAndActions() {
@@ -95,8 +100,10 @@ const Component = new Vue({
             sink(this.untaintedGetter); // OK
             sink(this.derivedUntainted); // OK
 
-            sink(this.fooA); // NOT OK
-            sink(this.fooB); // OK
+            sink(this.fooA1); // NOT OK
+            sink(this.fooA2); // NOT OK
+            sink(this.fooB1); // OK
+            sink(this.fooB2); // OK
         },
         ...mapMutations({ sneakyTaint3: 'setTainted3' }),
         ...mapActions({ emitTaint4: 'doTaint4' }),
