JS: Update API usage in Nest library model

asgerf · asgerf · commit 888c327cff2d · 2025-06-10T10:33:55.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll b/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
@@ -5,8 +5,6 @@
 import javascript
 private import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
 private import semmle.javascript.dataflow.internal.PreCallGraphStep
-private import semmle.javascript.internal.NameResolution
-private import semmle.javascript.internal.TypeResolution
 
 /**
  * Provides classes and predicates for reasoning about [Nest](https://nestjs.com/).
@@ -137,7 +135,7 @@ module NestJS {
       hasSanitizingPipe(this, true) and
       // Note: we could consider types with class-validator decorators to be sanitized here, but instead we consider the root
       // object to be tainted, but omit taint steps for the individual properties names that have sanitizing decorators. See ClassValidator.qll.
-      TypeResolution::isSanitizingPrimitiveType(this.getParameter().getTypeAnnotation())
+      this.getParameter().getTypeBinding().isSanitizingPrimitiveType()
     }
   }
 
@@ -337,7 +335,11 @@ module NestJS {
       handler.isReturnValueReflected() and
       this = handler.getAReturn() and
       // Only returned strings are sinks. If we can find a type for the return value, it must be string-like.
-      this.asExpr().getTypeBinding().hasUnderlyingStringOrAnyType()
+      (
+        this.asExpr().getTypeBinding().hasUnderlyingStringOrAnyType()
+        or
+        not exists(this.asExpr().getTypeBinding())
+      )
     }
 
     override Http::RouteHandler getRouteHandler() { result = handler }
@@ -472,7 +474,7 @@ module NestJS {
 
   /** Gets the class being referenced at `node` without relying on the call graph. */
   private DataFlow::ClassNode getClassFromNode(DataFlow::Node node) {
-    NameResolution::trackClassValue(result.getAstNode()) = node.asExpr()
+    result = node.asExpr().getNameBinding().getClassNode()
   }
 
   private predicate providerClassPair(
@@ -488,8 +490,7 @@ module NestJS {
   private class DependencyInjectionStep extends PreCallGraphStep {
     override predicate classInstanceSource(DataFlow::ClassNode cls, DataFlow::Node node) {
       exists(DataFlow::ClassNode interfaceClass |
-        TypeResolution::valueHasType(node.asExpr(),
-          TypeResolution::trackType(interfaceClass.getAstNode())) and
+        node.asExpr().getTypeBinding().getTypeDefinition() = interfaceClass.getAstNode() and
         providerClassPair(interfaceClass, cls)
       )
     }
diff --git a/javascript/ql/lib/semmle/javascript/internal/BindingInfo.qll b/javascript/ql/lib/semmle/javascript/internal/BindingInfo.qll
@@ -124,6 +124,14 @@ class TypeNameBindingNode extends NameResolution::Node {
    * Holds if this type contains `string` or `any`, possibly wrapped in a promise.
    */
   predicate hasUnderlyingStringOrAnyType() { TypeResolution::hasUnderlyingStringOrAnyType(this) }
+
+  /**
+   * Holds if this refers to a type that is considered untaintable (if actually enforced at runtime).
+   *
+   * Specifically, the types `number`, `boolean`, `null`, `undefined`, `void`, `never`, as well as literal types (`"foo"`)
+   * and enums and enum members have this property.
+   */
+  predicate isSanitizingPrimitiveType() { TypeResolution::isSanitizingPrimitiveType(this) }
 }
 
 /**
