Moved apollo modeling to MaD

Author: Napalys

javascript/ql/lib/ext/apollo-server.model.yml

@@ -5,6 +5,12 @@ extensions:
     data:
       - ["@apollo/server", "Member[ApolloServer,ApolloServerBase].Argument[0].AnyMember.AnyMember.AnyMember.Parameter[1]", "remote"]
 
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["@apollo/server", "Member[gql].Argument[0]", "sql-injection"]
+
   - addsTo:
       pack: codeql/javascript-all
       extensible: typeModel
@@ -13,3 +19,9 @@ extensions:
       - ["@apollo/server", "apollo-server-express", ""]
       - ["@apollo/server", "apollo-server-core", ""]
       - ["@apollo/server", "apollo-server", ""]
+      - ["@apollo/server", "@apollo/apollo-server-express", ""]
+      - ["@apollo/server", "apollo-server-express", ""]
+      - ["@apollo/server", "@apollo/server", ""]
+      - ["@apollo/server", "@apollo/apollo-server-core", ""]
+      - ["ApolloServer", "@apollo/server", "Member[ApolloServer]"]
+      - ["GraphQLApollo", "@apollo/server", "Member[gql]"]

javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll

@@ -5,7 +5,6 @@
  */
 
 import javascript
-private import semmle.javascript.frameworks.Apollo
 private import semmle.javascript.frameworks.Cors
 
 /** Module containing sources, sinks, and sanitizers for overly permissive CORS configurations. */
@@ -109,7 +108,8 @@ module CorsPermissiveConfiguration {
    */
   class CorsApolloServer extends Sink, DataFlow::ValueNode {
     CorsApolloServer() {
-      exists(Apollo::ApolloServer agql |
+      exists(API::NewNode agql |
+        agql = ModelOutput::getATypeNode("ApolloServer").getAnInstantiation() and
         this =
           agql.getOptionArgument(0, "cors").getALocalSource().getAPropertyWrite("origin").getRhs()
       )