
JS: Support 'response' threat model and @tanstack/react-query #18834

Merged (7 commits), Feb 25, 2025

Conversation


@Napalys Napalys commented Feb 21, 2025

The following pull request introduces support for Tanstack, specifically for the useQuery function.
Closes #464

@github-actions github-actions bot added the JS label Feb 21, 2025
@Napalys Napalys force-pushed the js/tanstack branch 2 times, most recently from ff24c1b to df2e7d1 Compare February 21, 2025 12:22
@Napalys Napalys marked this pull request as ready for review February 25, 2025 11:15
@Copilot Copilot bot review requested due to automatic review settings February 25, 2025 11:15
@Napalys Napalys requested a review from a team as a code owner February 25, 2025 11:15


PR Overview

This pull request introduces support for Tanstack by modeling the useQuery hook from @tanstack/react-query to enhance the security analysis of DOM-based XSS scenarios.

  • Introduces a test case using the Tanstack useQuery hook in a React component.
  • Adds a wrapper module to re-export useQuery from @tanstack/react-query.
  • Updates threat model configuration and change notes for Tanstack support.

Reviewed Changes

| File | Description |
| --- | --- |
| javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/test.jsx | Added a new test case simulating a DOM-based XSS scenario using useQuery. |
| javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/wrapper.js | Created a wrapper to import and export the Tanstack useQuery hook. |
| javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.ext.yml | Updated extension configuration for threat modeling. |
| javascript/ql/lib/change-notes/2025-02-21-tanstack.md | Documented the addition of Tanstack useQuery support. |

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.


@Napalys Napalys requested a review from asgerf February 25, 2025 12:51
Co-authored-by: Asgerf <[email protected]>
@@ -0,0 +1,4 @@
---
category: minorAnalysis
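Review bot: `category: minorAnalysis` on the new change note undersells this PR, which (per its title) adds a new `response` threat model kind in addition to the `useQuery` model; consider `category: majorAnalysis` and make the note text cover both additions rather than only the Tanstack hook.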

Suggested change
category: minorAnalysis
category: majorAnalysis

---
category: minorAnalysis
---
* Added support for the `useQuery` hook from `@tanstack/react-query`.

Suggested change
* Added support for the `useQuery` hook from `@tanstack/react-query`.
* Added support for the `response` threat model kind, which can be enabled with [advanced setup](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models). When enabled, the response data coming back from an outgoing HTTP request is considered a source of taint.
* Added support for the `useQuery` hook from `@tanstack/react-query`.
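The flow the `response` threat model makes visible, as an added plain-Node.js example that is not the PR's own test.jsx: data returned by an outgoing HTTP request (handed back here by a hypothetical `useQueryStandIn` in place of `@tanstack/react-query`'s `useQuery`) reaches a DOM XSS sink, next to the escaped rendering that avoids it. The element stub, the stand-in hook and the response body are assumptions constructed for the example.

```javascript
// Constructed response body, standing in for what the server returns to
// useQuery. Under the 'response' threat model this value is a taint source.
const CONSTRUCTED_RESPONSE = { title: "<script>alert('xss')</script> Hello" };

// Hypothetical stand-in for @tanstack/react-query's useQuery: returns the
// query result in the same { data, isSuccess } shape a component would read.
function useQueryStandIn(queryFn) {
  return { data: queryFn(), isSuccess: true };
}

// Minimal element stub so the example runs outside a browser.
function makeElement() {
  return { innerHTML: "" };
}

// Replace the characters HTML would interpret so response text stays text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// UNSAFE: response data is concatenated straight into markup that lands in
// innerHTML. This is the source-to-sink path CodeQL reports once the
// 'response' threat model is enabled.
function renderUnsafe(el, query) {
  el.innerHTML = "<h1>" + query.data.title + "</h1>";
  return el.innerHTML;
}

// SAFE: escape before building markup (in React, passing the value as a text
// child instead of dangerouslySetInnerHTML has the same effect).
function renderSafe(el, query) {
  el.innerHTML = "<h1>" + escapeHtml(query.data.title) + "</h1>";
  return el.innerHTML;
}

// Run both renderings over the same constructed response.
function demo() {
  const query = useQueryStandIn(() => CONSTRUCTED_RESPONSE);
  return {
    unsafe: renderUnsafe(makeElement(), query),
    safe: renderSafe(makeElement(), query),
  };
}
```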

@asgerf asgerf changed the title JS: Tanstack support JS: Support 'response' threat model and @tanstack/react-query Feb 25, 2025

asgerf commented Feb 25, 2025

Since the PR is also adding support for the response threat model we should include that in the change note. I also went ahead and renamed the PR.

@Napalys Napalys requested a review from asgerf February 25, 2025 14:26

@asgerf asgerf left a comment


Awesome! 🎉

@asgerf asgerf merged commit baa7e35 into github:main Feb 25, 2025
13 checks passed