Added missing doc strings for Tanstack queries

Napalys · Napalys · commit ff24c1bcb076 · 2025-02-21T13:12:47.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll
@@ -862,6 +862,10 @@ module ClientRequest {
     }
   }
 
+  /**
+   * Threat model source representing HTTP response data.
+   * Marks nodes originating from a client request’s response data as tainted.
+   */
   private class ClientRequestThreatModel extends ThreatModelSource::Range {
     ClientRequestThreatModel() { this = any(ClientRequest r).getAResponseDataNode() }
 
@@ -870,6 +874,10 @@ module ClientRequest {
     override string getSourceType() { result = "HTTP response data" }
   }
 
+  /**
+   * An additional taint step that captures taint propagation from the receiver of fetch response methods
+   * (such as "json", "text", "blob", and "arrayBuffer") to the call result.
+   */
   class FetchResponseStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
       exists(DataFlow::MethodCallNode call |
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Fetch.qll b/javascript/ql/lib/semmle/javascript/frameworks/Fetch.qll
@@ -1,5 +1,9 @@
 private import javascript
 
+/**
+ * An additional flow step that propagates data from the receiver of fetch response methods
+ * (like "json", "text", "blob", and "arrayBuffer") to the call result.
+ */
 class Fetch extends DataFlow::AdditionalFlowStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     exists(DataFlow::MethodCallNode call |
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Tanstack.qll b/javascript/ql/lib/semmle/javascript/frameworks/Tanstack.qll
@@ -1,5 +1,9 @@
 private import javascript
 
+/**
+ * An additional flow step that propagates data from the return value of the query function,
+ * defined in a useQuery call from the '@tanstack/react-query' module, to the 'data' property.
+ */
 class TanstackStep extends DataFlow::AdditionalFlowStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     exists(DataFlow::CallNode useQuery |
@@ -17,6 +21,9 @@ class TanstackStep extends DataFlow::AdditionalFlowStep {
   }
 }
 
+/**
+ * Retrieves a call node representing a useQuery invocation from the '@tanstack/react-query' module.
+ */
 DataFlow::CallNode useQueryCall() {
   result = DataFlow::moduleImport("@tanstack/react-query").getAPropertyRead("useQuery").getACall()
 }

Original file line number	Diff line number	Diff line change
`@@ -862,6 +862,10 @@ module ClientRequest {`
`862`	`862`	`}`
`863`	`863`	`}`
`864`	`864`
	`865`	`+ /**`
	`866`	`+ * Threat model source representing HTTP response data.`
	`867`	`+ * Marks nodes originating from a client request’s response data as tainted.`
	`868`	`+ */`
`865`	`869`	`private class ClientRequestThreatModel extends ThreatModelSource::Range {`
`866`	`870`	`ClientRequestThreatModel() { this = any(ClientRequest r).getAResponseDataNode() }`
`867`	`871`
`@@ -870,6 +874,10 @@ module ClientRequest {`
`870`	`874`	`override string getSourceType() { result = "HTTP response data" }`
`871`	`875`	`}`
`872`	`876`
	`877`	`+ /**`
	`878`	`+ * An additional taint step that captures taint propagation from the receiver of fetch response methods`
	`879`	`+ * (such as "json", "text", "blob", and "arrayBuffer") to the call result.`
	`880`	`+ */`
`873`	`881`	`class FetchResponseStep extends TaintTracking::AdditionalTaintStep {`
`874`	`882`	`override predicate step(DataFlow::Node node1, DataFlow::Node node2) {`
`875`	`883`	`exists(DataFlow::MethodCallNode call \|`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,9 @@`
`1`	`1`	`private import javascript`
`2`	`2`
	`3`	`+/**`
	`4`	`+ * An additional flow step that propagates data from the return value of the query function,`
	`5`	`+ * defined in a useQuery call from the '@tanstack/react-query' module, to the 'data' property.`
	`6`	`+ */`
`3`	`7`	`class TanstackStep extends DataFlow::AdditionalFlowStep {`
`4`	`8`	`override predicate step(DataFlow::Node node1, DataFlow::Node node2) {`
`5`	`9`	`exists(DataFlow::CallNode useQuery \|`
`@@ -17,6 +21,9 @@ class TanstackStep extends DataFlow::AdditionalFlowStep {`
`17`	`21`	`}`
`18`	`22`	`}`
`19`	`23`
	`24`	`+/**`
	`25`	`+ * Retrieves a call node representing a useQuery invocation from the '@tanstack/react-query' module.`
	`26`	`+ */`
`20`	`27`	`DataFlow::CallNode useQueryCall() {`
`21`	`28`	`result = DataFlow::moduleImport("@tanstack/react-query").getAPropertyRead("useQuery").getACall()`
`22`	`29`	`}`