From 1e3b8625e64d81b611b7545c6577fe90134baa1d Mon Sep 17 00:00:00 2001
From: Napalys
Date: Tue, 25 Feb 2025 12:10:56 +0100
Subject: [PATCH 1/7] Added a test case where useFragment from react-relay should be marked as a source but isn't

---
 .../testReactRelay.tsx | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx

diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx
new file mode 100644
index 000000000000..01c30daec958
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx
@@ -0,0 +1,22 @@
+import React from 'react';
+import { useFragment } from 'react-relay';
+
+const CommentComponent = ({ commentRef }) => {
+ const commentData = useFragment(
+ graphql`
+ fragment CommentComponent_comment on Comment {
+ id
+ text
+ }
+ `,
+ commentRef
+ ); // $ MISSING: Source=[js/xss]
+
+ return (
+
+

Comment:

+ {/* Directly rendering user input without sanitation */} +

{commentData.text}

// $ MISSING: Alert=[js/xss] +
+ );
+};

From 1443f314a1319a51e6fa978bafd6a159b417fff8 Mon Sep 17 00:00:00 2001
From: Napalys
Date: Tue, 25 Feb 2025 12:27:43 +0100
Subject: [PATCH 2/7] Added react-relay useFragment as threat model source.

---
 javascript/ql/lib/ext/react-relay-threat.model.yml | 6 ++++++
 .../CWE-079/DomBasedXssWithResponseThreat/Xss.expected | 8 ++++++++
 .../DomBasedXssWithResponseThreat/testReactRelay.tsx | 4 ++--
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 javascript/ql/lib/ext/react-relay-threat.model.yml

diff --git a/javascript/ql/lib/ext/react-relay-threat.model.yml b/javascript/ql/lib/ext/react-relay-threat.model.yml
new file mode 100644
index 000000000000..238128b5c3a5
--- /dev/null
+++ b/javascript/ql/lib/ext/react-relay-threat.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: codeql/javascript-all
+ extensible: sourceModel
+ data:
+ - ["react-relay", "Member[useFragment].ReturnValue", "response"]
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected
index f83c9f40b315..0275a8ba283a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected
@@ -1,5 +1,6 @@ #select | test.jsx:27:29:27:32 | data | test.jsx:5:28:5:63 | fetch(" ... ntent") | test.jsx:27:29:27:32 | data | Cross-site scripting vulnerability due to $@. | test.jsx:5:28:5:63 | fetch(" ... ntent") | user-provided value | +| testReactRelay.tsx:19:47:19:62 | commentData.text | testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n ) | testReactRelay.tsx:19:47:19:62 | commentData.text | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n ) | user-provided value | edges | test.jsx:5:11:5:63 | response | test.jsx:6:24:6:31 | response | provenance | | | test.jsx:5:22:5:63 | await f ... ntent") | test.jsx:5:11:5:63 | response | provenance | | @@ -10,6 +11,9 @@ edges | test.jsx:6:24:6:38 | response.json() | test.jsx:6:18:6:38 | await r ... .json() | provenance | | | test.jsx:7:12:7:15 | data | test.jsx:15:11:17:5 | data | provenance | | | test.jsx:15:11:17:5 | data | test.jsx:27:29:27:32 | data | provenance | | +| testReactRelay.tsx:5:9:13:3 | commentData | testReactRelay.tsx:19:47:19:57 | commentData | provenance | | +| testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n ) | testReactRelay.tsx:5:9:13:3 | commentData | provenance | | +| testReactRelay.tsx:19:47:19:57 | commentData | testReactRelay.tsx:19:47:19:62 | commentData.text | provenance | | nodes | test.jsx:5:11:5:63 | response | semmle.label | response | | test.jsx:5:22:5:63 | await f ... ntent") | semmle.label | await f ... ntent") | @@ -21,4 +25,8 @@ nodes | test.jsx:7:12:7:15 | data | semmle.label | data | | test.jsx:15:11:17:5 | data | semmle.label | data | | test.jsx:27:29:27:32 | data | semmle.label | data | +| testReactRelay.tsx:5:9:13:3 | commentData | semmle.label | commentData | +| testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n ) | semmle.label | useFrag ... Ref\\n ) | +| testReactRelay.tsx:19:47:19:57 | commentData | semmle.label | commentData | +| testReactRelay.tsx:19:47:19:62 | commentData.text | semmle.label | commentData.text | subpaths 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx index 01c30daec958..b03a44a5661a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx @@ -10,13 +10,13 @@ const CommentComponent = ({ commentRef }) => { } `, commentRef - ); // $ MISSING: Source=[js/xss] + ); // $ Source=[js/xss] return (

Comment:

{/* Directly rendering user input without sanitation */} -

{commentData.text}

// $ MISSING: Alert=[js/xss] +

{commentData.text}

// $ Alert=[js/xss]
);
 };

From 0166e76ccab1f22ed56a534433485559b9f6cc03 Mon Sep 17 00:00:00 2001
From: Napalys
Date: Tue, 25 Feb 2025 12:31:05 +0100
Subject: [PATCH 3/7] Add change note

---
 javascript/ql/lib/change-notes/2025-02-25-react-relay.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 javascript/ql/lib/change-notes/2025-02-25-react-relay.md

diff --git a/javascript/ql/lib/change-notes/2025-02-25-react-relay.md b/javascript/ql/lib/change-notes/2025-02-25-react-relay.md
new file mode 100644
index 000000000000..822f429f62a4
--- /dev/null
+++ b/javascript/ql/lib/change-notes/2025-02-25-react-relay.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for the `react-relay` library.

From 89040d0d06083946c65d3abdc7b63d3128a96e72 Mon Sep 17 00:00:00 2001
From: Napalys
Date: Tue, 25 Feb 2025 14:32:06 +0100
Subject: [PATCH 4/7] Added missing `response` and `request` MaD source kinds.

---
 shared/mad/codeql/mad/ModelValidation.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/mad/codeql/mad/ModelValidation.qll b/shared/mad/codeql/mad/ModelValidation.qll
index 012e255580a0..4c1d6793d652 100644
--- a/shared/mad/codeql/mad/ModelValidation.qll
+++ b/shared/mad/codeql/mad/ModelValidation.qll
@@ -125,7 +125,7 @@ module KindValidation {
 // C#
 "file-write", "windows-registry",
 // JavaScript
- "database-access-result"
+ "database-access-result", "response", "request"
 ]
 or
 this.matches([

From 5a1991bb690e4f68f023f4aa2339c2d65c748cd9 Mon Sep 17 00:00:00 2001
From: Napalys
Date: Thu, 6 Mar 2025 13:38:14 +0100
Subject: [PATCH 5/7] Added test cases for `react-relay` functions that retrieve data

---
 .../Xss.expected | 34 +++-
 .../testReactRelay.tsx | 149 ++++++++++++++++--
 2 files changed, 158 insertions(+), 25 deletions(-)
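Review bot: `request` is added to the accepted JavaScript kinds on the changed line, but nothing else in this series adds a model or a test that uses a `request`-kind source; only `response` is exercised, by the react-relay rows and the `DomBasedXssWithResponseThreat` test. If an existing JavaScript model already emits `request` (the subject line calls both kinds missing), a trailing comment such as `"database-access-result", "response", "request" // threat-model kinds used by the JavaScript ext/ models` would save the next reader the search; otherwise it is cleaner to add the kind together with its first model so the validator and the models stay in step. The `this = [` list this line belongs to starts above the hunk.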
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected index 0275a8ba283a..83be683cac9b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected @@ -1,6 +1,6 @@ #select | test.jsx:27:29:27:32 | data | test.jsx:5:28:5:63 | fetch(" ... ntent") | test.jsx:27:29:27:32 | data | Cross-site scripting vulnerability due to $@. | test.jsx:5:28:5:63 | fetch(" ... ntent") | user-provided value | -| testReactRelay.tsx:19:47:19:62 | commentData.text | testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n ) | testReactRelay.tsx:19:47:19:62 | commentData.text | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n ) | user-provided value | +| testReactRelay.tsx:7:43:7:58 | commentData.text | testReactRelay.tsx:5:23:5:52 | useFrag ... entRef) | testReactRelay.tsx:7:43:7:58 | commentData.text | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:5:23:5:52 | useFrag ... entRef) | user-provided value | edges | test.jsx:5:11:5:63 | response | test.jsx:6:24:6:31 | response | provenance | | | test.jsx:5:22:5:63 | await f ... ntent") | test.jsx:5:11:5:63 | response | provenance | | 
@@ -11,9 +11,9 @@ edges | test.jsx:6:24:6:38 | response.json() | test.jsx:6:18:6:38 | await r ... .json() | provenance | | | test.jsx:7:12:7:15 | data | test.jsx:15:11:17:5 | data | provenance | | | test.jsx:15:11:17:5 | data | test.jsx:27:29:27:32 | data | provenance | | -| testReactRelay.tsx:5:9:13:3 | commentData | testReactRelay.tsx:19:47:19:57 | commentData | provenance | | -| testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n ) | testReactRelay.tsx:5:9:13:3 | commentData | provenance | | -| testReactRelay.tsx:19:47:19:57 | commentData | testReactRelay.tsx:19:47:19:62 | commentData.text | provenance | | +| testReactRelay.tsx:5:9:5:52 | commentData | testReactRelay.tsx:7:43:7:53 | commentData | provenance | | +| testReactRelay.tsx:5:23:5:52 | useFrag ... entRef) | testReactRelay.tsx:5:9:5:52 | commentData | provenance | | +| testReactRelay.tsx:7:43:7:53 | commentData | testReactRelay.tsx:7:43:7:58 | commentData.text | provenance | | nodes | test.jsx:5:11:5:63 | response | semmle.label | response | | test.jsx:5:22:5:63 | await f ... ntent") | semmle.label | await f ... ntent") | 
@@ -25,8 +25,26 @@ nodes | test.jsx:7:12:7:15 | data | semmle.label | data | | test.jsx:15:11:17:5 | data | semmle.label | data | | test.jsx:27:29:27:32 | data | semmle.label | data | -| testReactRelay.tsx:5:9:13:3 | commentData | semmle.label | commentData | -| testReactRelay.tsx:5:23:13:3 | useFrag ... Ref\\n ) | semmle.label | useFrag ... Ref\\n ) | -| testReactRelay.tsx:19:47:19:57 | commentData | semmle.label | commentData | -| testReactRelay.tsx:19:47:19:62 | commentData.text | semmle.label | commentData.text | +| testReactRelay.tsx:5:9:5:52 | commentData | semmle.label | commentData | +| testReactRelay.tsx:5:23:5:52 | useFrag ... entRef) | semmle.label | useFrag ... entRef) | +| testReactRelay.tsx:7:43:7:53 | commentData | semmle.label | commentData | +| testReactRelay.tsx:7:43:7:58 | commentData.text | semmle.label | commentData.text | subpaths +testFailures +| testReactRelay.tsx:17:45:17:64 | // $ Missing: Source | Missing result: Source | +| testReactRelay.tsx:18:77:18:95 | // $ Missing: Alert | Missing result: Alert | +| testReactRelay.tsx:28:70:28:88 | // $ Missing: Alert | Missing result: Alert | +| testReactRelay.tsx:37:43:37:62 | // $ Missing: Source | Missing result: Source | +| testReactRelay.tsx:38:61:38:79 | // $ Missing: Alert | Missing result: Alert | +| testReactRelay.tsx:44:73:44:92 | // $ Missing: Source | Missing result: Source | +| testReactRelay.tsx:47:57:47:75 | // $ Missing: Alert | Missing result: Alert | +| testReactRelay.tsx:69:41:69:60 | // $ Missing: Source | Missing result: Source | +| testReactRelay.tsx:70:61:70:79 | // $ Missing: Alert | Missing result: Alert | +| testReactRelay.tsx:82:25:82:44 | // $ Missing: Source | Missing result: Source | +| testReactRelay.tsx:87:71:87:89 | // $ Missing: Alert | Missing result: Alert | +| testReactRelay.tsx:99:24:99:43 | // $ Missing: Source | Missing result: Source | +| testReactRelay.tsx:112:68:112:86 | // $ Missing: Alert | Missing result: Alert | +| testReactRelay.tsx:123:23:123:42 | // 
$ Missing: Source | Missing result: Source | +| testReactRelay.tsx:126:46:126:64 | // $ Missing: Alert | Missing result: Alert | +| testReactRelay.tsx:135:42:135:61 | // $ Missing: Source | Missing result: Source | +| testReactRelay.tsx:136:63:136:81 | // $ Missing: Alert | Missing result: Alert | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx index b03a44a5661a..34107a44c0e8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx @@ -1,22 +1,137 @@ -import React from 'react'; +import React, { useState } from "react"; import { useFragment } from 'react-relay'; -const CommentComponent = ({ commentRef }) => { - const commentData = useFragment( - graphql` - fragment CommentComponent_comment on Comment { - id - text - } - `, - commentRef - ); // $ Source=[js/xss] +const func1 = ({ commentRef, query }) => { + const commentData = useFragment(query, commentRef); // $ Source=[js/xss] + return ( +

// $ Alert=[js/xss] + {" "} + {commentData.text} +

+ ); +}; + +import { useLazyLoadQuery } from "react-relay"; +function func2({ query }) { + const data = useLazyLoadQuery(query, {}); // $ Missing: Source + return

; // $ Missing: Alert +} + +import { useQueryLoader, usePreloadedQuery } from "react-relay"; + +function func3({ initialQueryRef, query }) { + const [queryReference, loadQuery] = useQueryLoader(query, initialQueryRef); return ( -

-

Comment:

- {/* Directly rendering user input without sanitation */} -

{commentData.text}

// $ Alert=[js/xss] -
+

+ ); +} + +import { useClientQuery } from "react-relay"; + +function func4({ query }) { + const data = useClientQuery(query, {}); // $ Missing: Source + return

; // $ Missing: Alert +} + +import { useRefetchableFragment } from "react-relay"; + +function func5({ query, props }) { + const [data, refetch] = useRefetchableFragment(query, props.comment); // $ Missing: Source + return ( + <> +

// $ Missing: Alert + + ); -}; +} + +import { usePaginationFragment } from "react-relay"; + +function func6({ query }) { + const { + data, + loadNext, + loadPrevious, + hasNext, + hasPrevious, + isLoadingNext, + isLoadingPrevious, + refetch, + } = usePaginationFragment(query, {}); // $ Missing: Source + return

; // $ Missing: Alert +} + + +import { useMutation } from 'react-relay'; +import type { FeedbackLikeMutation } from './FeedbackLikeMutation.graphql'; + +function func7(query) { + const [commit, inFlight] = useMutation(query); + const [feedbackText, setFeedbackText] = useState(''); + + commit({ + onCompleted(data) { // $ Missing: Source + setFeedbackText(data); + }, + }); + + return (
); // $ Missing: Alert +} + +import { useSubscription } from 'react-relay'; +import { useMemo } from 'react'; + +function func8({GroupLessonsSubscription}) { + const [fragmentRef, setFragmentRef] = useState(); + + const groupLessonConfig = useMemo(() => ({ + subscription: GroupLessonsSubscription, + variables: {}, + onNext: (res) => { // $ Missing: Source + setFragmentRef(res); + }, + onError: (err) => { + console.error('Error with subscription:', err); + }, + onCompleted: () => { + console.log('Subscription completed'); + }, + }), []); + + useSubscription(groupLessonConfig); + +return (
); // $ Missing: Alert +} + + +import { fetchQuery } from 'react-relay' + +function func9({query, environment}) { + fetchQuery(environment, query,{id: 4},).subscribe({ + start: () => {}, + complete: () => {}, + error: (error) => {}, + next: (data) => { // $ Missing: Source + const outputElement = document.getElementById('output'); + if (outputElement) { + outputElement.innerHTML = data.user; // $ Missing: Alert + } + } + }); +} + +import { readFragment } from "relay-runtime"; + +function func10({ query, key }) { + const data = readFragment(query, key); // $ Missing: Source + return (

); // $ Missing: Alert
+}

From c12c12c4163d17425c1fd76852fbc3c30ad378d3 Mon Sep 17 00:00:00 2001
From: Napalys
Date: Thu, 6 Mar 2025 13:41:13 +0100
Subject: [PATCH 6/7] Added modeling for `react-relay` functions that retrieve data.

---
 .../ql/lib/ext/react-relay-threat.model.yml | 9 ++
 .../Xss.expected | 84 +++++++++++++++----
 .../testReactRelay.tsx | 34 ++++----
 3 files changed, 92 insertions(+), 35 deletions(-)

diff --git a/javascript/ql/lib/ext/react-relay-threat.model.yml b/javascript/ql/lib/ext/react-relay-threat.model.yml
index 238128b5c3a5..d895afd918c5 100644
--- a/javascript/ql/lib/ext/react-relay-threat.model.yml
+++ b/javascript/ql/lib/ext/react-relay-threat.model.yml
@@ -4,3 +4,12 @@ extensions:
 extensible: sourceModel
 data:
 - ["react-relay", "Member[useFragment].ReturnValue", "response"]
+ - ["react-relay", "Member[useLazyLoadQuery].ReturnValue", "response"]
+ - ["react-relay", "Member[usePreloadedQuery].ReturnValue", "response"]
+ - ["react-relay", "Member[useClientQuery].ReturnValue", "response"]
+ - ["react-relay", "Member[useRefetchableFragment].ReturnValue", "response"]
+ - ["react-relay", "Member[usePaginationFragment].ReturnValue", "response"]
+ - ["react-relay", "Member[useMutation].ReturnValue.Member[0].Argument[0].Member[onCompleted].Argument[0]", "response"]
+ - ["react-relay", "Member[useSubscription].Argument[0].Member[onNext].Argument[0]", "response"]
+ - ["react-relay", "Member[fetchQuery].ReturnValue.Member[subscribe].Argument[0].Member[next].Argument[0]", "response"]
+ - ["relay-runtime", "Member[readFragment].ReturnValue", "response"]
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected
index 83be683cac9b..186ef9212517 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected
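Review bot: The expectation comments in this hunk are written `// $ Missing: Source` and `// $ Missing: Alert`, whereas the earlier version of this file (patch 1) used `// $ MISSING:`, and the companion Xss.expected change in this same patch gains a `testFailures` section with a `Missing result` entry at every one of these comments, which suggests the mixed-case keyword is not recognised as the known-missing marker and this commit leaves the test failing until patch 6 lands. Writing them as `// $ MISSING: Source` (matching patch 1) would keep each commit in the series green and bisectable. Separately, `import type { FeedbackLikeMutation } from './FeedbackLikeMutation.graphql'` and the `inFlight` binding in `func7` are never used and can be dropped, and the scattered `import … from "react-relay"` statements could be merged into one at the top of the file unless the per-case placement is intentional.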
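Review bot: The `fetchQuery` row only covers the `.subscribe({ next })` form; the equally common `fetchQuery(environment, query, vars).toPromise().then(data => …)` would not be a source, so a row such as `- ["react-relay", "Member[fetchQuery].ReturnValue.Member[toPromise].ReturnValue.Awaited", "response"]` looks missing. All rows but the last are keyed on `react-relay`, yet `fetchQuery`, `commitMutation` and `requestSubscription` are also imported directly from `relay-runtime`, so the same paths are needed under that package (for example `- ["relay-runtime", "Member[commitMutation].Argument[1].Member[onCompleted].Argument[0]", "response"]`, and `requestSubscription`'s `onNext` callback analogously). Conversely I cannot place `readFragment` among relay-runtime's documented exports — `readInlineData`, exported by both packages, is the documented way to read fragment data outside a component and is not modeled here — so the last row is worth confirming against the library before this ships. The enclosing `data:` list starts above the hunk.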
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected 
@@ -1,6 +1,15 @@ #select | test.jsx:27:29:27:32 | data | test.jsx:5:28:5:63 | fetch(" ... ntent") | test.jsx:27:29:27:32 | data | Cross-site scripting vulnerability due to $@. | test.jsx:5:28:5:63 | fetch(" ... ntent") | user-provided value | | testReactRelay.tsx:7:43:7:58 | commentData.text | testReactRelay.tsx:5:23:5:52 | useFrag ... entRef) | testReactRelay.tsx:7:43:7:58 | commentData.text | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:5:23:5:52 | useFrag ... entRef) | user-provided value | +| testReactRelay.tsx:18:48:18:68 | data.co ... 0].text | testReactRelay.tsx:17:16:17:42 | useLazy ... ry, {}) | testReactRelay.tsx:18:48:18:68 | data.co ... 0].text | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:17:16:17:42 | useLazy ... ry, {}) | user-provided value | +| testReactRelay.tsx:28:17:28:67 | usePrel ... r?.name | testReactRelay.tsx:28:17:28:56 | usePrel ... erence) | testReactRelay.tsx:28:17:28:67 | usePrel ... r?.name | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:28:17:28:56 | usePrel ... erence) | user-provided value | +| testReactRelay.tsx:38:49:38:52 | data | testReactRelay.tsx:37:16:37:40 | useClie ... ry, {}) | testReactRelay.tsx:38:49:38:52 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:37:16:37:40 | useClie ... ry, {}) | user-provided value | +| testReactRelay.tsx:47:46:47:49 | data | testReactRelay.tsx:44:27:44:70 | useRefe ... omment) | testReactRelay.tsx:47:46:47:49 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:44:27:44:70 | useRefe ... omment) | user-provided value | +| testReactRelay.tsx:70:49:70:52 | data | testReactRelay.tsx:69:7:69:38 | usePagi ... ry, {}) | testReactRelay.tsx:70:49:70:52 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:69:7:69:38 | usePagi ... 
ry, {}) | user-provided value | +| testReactRelay.tsx:87:50:87:61 | feedbackText | testReactRelay.tsx:82:17:82:20 | data | testReactRelay.tsx:87:50:87:61 | feedbackText | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:82:17:82:20 | data | user-provided value | +| testReactRelay.tsx:112:48:112:58 | fragmentRef | testReactRelay.tsx:99:14:99:16 | res | testReactRelay.tsx:112:48:112:58 | fragmentRef | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:99:14:99:16 | res | user-provided value | +| testReactRelay.tsx:126:35:126:43 | data.user | testReactRelay.tsx:123:12:123:15 | data | testReactRelay.tsx:126:35:126:43 | data.user | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:123:12:123:15 | data | user-provided value | +| testReactRelay.tsx:136:50:136:53 | data | testReactRelay.tsx:135:16:135:39 | readFra ... y, key) | testReactRelay.tsx:136:50:136:53 | data | Cross-site scripting vulnerability due to $@. | testReactRelay.tsx:135:16:135:39 | readFra ... y, key) | user-provided value | edges | test.jsx:5:11:5:63 | response | test.jsx:6:24:6:31 | response | provenance | | | test.jsx:5:22:5:63 | await f ... ntent") | test.jsx:5:11:5:63 | response | provenance | | 
@@ -14,6 +23,30 @@ edges | testReactRelay.tsx:5:9:5:52 | commentData | testReactRelay.tsx:7:43:7:53 | commentData | provenance | | | testReactRelay.tsx:5:23:5:52 | useFrag ... entRef) | testReactRelay.tsx:5:9:5:52 | commentData | provenance | | | testReactRelay.tsx:7:43:7:53 | commentData | testReactRelay.tsx:7:43:7:58 | commentData.text | provenance | | +| testReactRelay.tsx:17:9:17:42 | data | testReactRelay.tsx:18:48:18:51 | data | provenance | | +| testReactRelay.tsx:17:16:17:42 | useLazy ... ry, {}) | testReactRelay.tsx:17:9:17:42 | data | provenance | | +| testReactRelay.tsx:18:48:18:51 | data | testReactRelay.tsx:18:48:18:68 | data.co ... 0].text | provenance | | +| testReactRelay.tsx:28:17:28:56 | usePrel ... erence) | testReactRelay.tsx:28:17:28:67 | usePrel ... r?.name | provenance | | +| testReactRelay.tsx:37:9:37:40 | data | testReactRelay.tsx:38:49:38:52 | data | provenance | | +| testReactRelay.tsx:37:16:37:40 | useClie ... ry, {}) | testReactRelay.tsx:37:9:37:40 | data | provenance | | +| testReactRelay.tsx:44:9:44:23 | [data, refetch] | testReactRelay.tsx:44:9:44:70 | data | provenance | | +| testReactRelay.tsx:44:9:44:70 | data | testReactRelay.tsx:47:46:47:49 | data | provenance | | +| testReactRelay.tsx:44:27:44:70 | useRefe ... omment) | testReactRelay.tsx:44:9:44:23 | [data, refetch] | provenance | | +| testReactRelay.tsx:60:9:69:3 | {\\n d ... ch,\\n } | testReactRelay.tsx:60:9:69:38 | data | provenance | | +| testReactRelay.tsx:60:9:69:38 | data | testReactRelay.tsx:70:49:70:52 | data | provenance | | +| testReactRelay.tsx:69:7:69:38 | usePagi ... ry, {}) | testReactRelay.tsx:60:9:69:3 | {\\n d ... 
ch,\\n } | provenance | | +| testReactRelay.tsx:79:9:79:54 | feedbackText | testReactRelay.tsx:87:50:87:61 | feedbackText | provenance | | +| testReactRelay.tsx:79:10:79:21 | feedbackText | testReactRelay.tsx:79:9:79:54 | feedbackText | provenance | | +| testReactRelay.tsx:82:17:82:20 | data | testReactRelay.tsx:83:23:83:26 | data | provenance | | +| testReactRelay.tsx:83:23:83:26 | data | testReactRelay.tsx:79:10:79:21 | feedbackText | provenance | | +| testReactRelay.tsx:94:9:94:50 | fragmentRef | testReactRelay.tsx:112:48:112:58 | fragmentRef | provenance | | +| testReactRelay.tsx:94:10:94:20 | fragmentRef | testReactRelay.tsx:94:9:94:50 | fragmentRef | provenance | | +| testReactRelay.tsx:99:14:99:16 | res | testReactRelay.tsx:100:22:100:24 | res | provenance | | +| testReactRelay.tsx:100:22:100:24 | res | testReactRelay.tsx:94:10:94:20 | fragmentRef | provenance | | +| testReactRelay.tsx:123:12:123:15 | data | testReactRelay.tsx:126:35:126:38 | data | provenance | | +| testReactRelay.tsx:126:35:126:38 | data | testReactRelay.tsx:126:35:126:43 | data.user | provenance | | +| testReactRelay.tsx:135:9:135:39 | data | testReactRelay.tsx:136:50:136:53 | data | provenance | | +| testReactRelay.tsx:135:16:135:39 | readFra ... y, key) | testReactRelay.tsx:135:9:135:39 | data | provenance | | nodes | test.jsx:5:11:5:63 | response | semmle.label | response | | test.jsx:5:22:5:63 | await f ... ntent") | semmle.label | await f ... ntent") | 
@@ -29,22 +62,37 @@ nodes | testReactRelay.tsx:5:23:5:52 | useFrag ... entRef) | semmle.label | useFrag ... entRef) | | testReactRelay.tsx:7:43:7:53 | commentData | semmle.label | commentData | | testReactRelay.tsx:7:43:7:58 | commentData.text | semmle.label | commentData.text | +| testReactRelay.tsx:17:9:17:42 | data | semmle.label | data | +| testReactRelay.tsx:17:16:17:42 | useLazy ... ry, {}) | semmle.label | useLazy ... ry, {}) | +| testReactRelay.tsx:18:48:18:51 | data | semmle.label | data | +| testReactRelay.tsx:18:48:18:68 | data.co ... 0].text | semmle.label | data.co ... 0].text | +| testReactRelay.tsx:28:17:28:56 | usePrel ... erence) | semmle.label | usePrel ... erence) | +| testReactRelay.tsx:28:17:28:67 | usePrel ... r?.name | semmle.label | usePrel ... r?.name | +| testReactRelay.tsx:37:9:37:40 | data | semmle.label | data | +| testReactRelay.tsx:37:16:37:40 | useClie ... ry, {}) | semmle.label | useClie ... ry, {}) | +| testReactRelay.tsx:38:49:38:52 | data | semmle.label | data | +| testReactRelay.tsx:44:9:44:23 | [data, refetch] | semmle.label | [data, refetch] | +| testReactRelay.tsx:44:9:44:70 | data | semmle.label | data | +| testReactRelay.tsx:44:27:44:70 | useRefe ... omment) | semmle.label | useRefe ... omment) | +| testReactRelay.tsx:47:46:47:49 | data | semmle.label | data | +| testReactRelay.tsx:60:9:69:3 | {\\n d ... ch,\\n } | semmle.label | {\\n d ... ch,\\n } | +| testReactRelay.tsx:60:9:69:38 | data | semmle.label | data | +| testReactRelay.tsx:69:7:69:38 | usePagi ... ry, {}) | semmle.label | usePagi ... 
ry, {}) | +| testReactRelay.tsx:70:49:70:52 | data | semmle.label | data | +| testReactRelay.tsx:79:9:79:54 | feedbackText | semmle.label | feedbackText | +| testReactRelay.tsx:79:10:79:21 | feedbackText | semmle.label | feedbackText | +| testReactRelay.tsx:82:17:82:20 | data | semmle.label | data | +| testReactRelay.tsx:83:23:83:26 | data | semmle.label | data | +| testReactRelay.tsx:87:50:87:61 | feedbackText | semmle.label | feedbackText | +| testReactRelay.tsx:94:9:94:50 | fragmentRef | semmle.label | fragmentRef | +| testReactRelay.tsx:94:10:94:20 | fragmentRef | semmle.label | fragmentRef | +| testReactRelay.tsx:99:14:99:16 | res | semmle.label | res | +| testReactRelay.tsx:100:22:100:24 | res | semmle.label | res | +| testReactRelay.tsx:112:48:112:58 | fragmentRef | semmle.label | fragmentRef | +| testReactRelay.tsx:123:12:123:15 | data | semmle.label | data | +| testReactRelay.tsx:126:35:126:38 | data | semmle.label | data | +| testReactRelay.tsx:126:35:126:43 | data.user | semmle.label | data.user | +| testReactRelay.tsx:135:9:135:39 | data | semmle.label | data | +| testReactRelay.tsx:135:16:135:39 | readFra ... y, key) | semmle.label | readFra ... 
y, key) | +| testReactRelay.tsx:136:50:136:53 | data | semmle.label | data | subpaths -testFailures -| testReactRelay.tsx:17:45:17:64 | // $ Missing: Source | Missing result: Source | -| testReactRelay.tsx:18:77:18:95 | // $ Missing: Alert | Missing result: Alert | -| testReactRelay.tsx:28:70:28:88 | // $ Missing: Alert | Missing result: Alert | -| testReactRelay.tsx:37:43:37:62 | // $ Missing: Source | Missing result: Source | -| testReactRelay.tsx:38:61:38:79 | // $ Missing: Alert | Missing result: Alert | -| testReactRelay.tsx:44:73:44:92 | // $ Missing: Source | Missing result: Source | -| testReactRelay.tsx:47:57:47:75 | // $ Missing: Alert | Missing result: Alert | -| testReactRelay.tsx:69:41:69:60 | // $ Missing: Source | Missing result: Source | -| testReactRelay.tsx:70:61:70:79 | // $ Missing: Alert | Missing result: Alert | -| testReactRelay.tsx:82:25:82:44 | // $ Missing: Source | Missing result: Source | -| testReactRelay.tsx:87:71:87:89 | // $ Missing: Alert | Missing result: Alert | -| testReactRelay.tsx:99:24:99:43 | // $ Missing: Source | Missing result: Source | -| testReactRelay.tsx:112:68:112:86 | // $ Missing: Alert | Missing result: Alert | -| testReactRelay.tsx:123:23:123:42 | // $ Missing: Source | Missing result: Source | -| testReactRelay.tsx:126:46:126:64 | // $ Missing: Alert | Missing result: Alert | -| testReactRelay.tsx:135:42:135:61 | // $ Missing: Source | Missing result: Source | -| testReactRelay.tsx:136:63:136:81 | // $ Missing: Alert | Missing result: Alert | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx index 34107a44c0e8..5997b458a845 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testReactRelay.tsx 
@@ -14,8 +14,8 @@ const func1 = ({ commentRef, query }) => { import { useLazyLoadQuery } from "react-relay"; function func2({ query }) { - const data = useLazyLoadQuery(query, {}); // $ Missing: Source - return

; // $ Missing: Alert + const data = useLazyLoadQuery(query, {}); // $ Source + return

; // $ Alert } import { useQueryLoader, usePreloadedQuery } from "react-relay"; @@ -25,7 +25,7 @@ function func3({ initialQueryRef, query }) { return (

); @@ -34,17 +34,17 @@ function func3({ initialQueryRef, query }) { import { useClientQuery } from "react-relay"; function func4({ query }) { - const data = useClientQuery(query, {}); // $ Missing: Source - return

; // $ Missing: Alert + const data = useClientQuery(query, {}); // $ Source + return

; // $ Alert } import { useRefetchableFragment } from "react-relay"; function func5({ query, props }) { - const [data, refetch] = useRefetchableFragment(query, props.comment); // $ Missing: Source + const [data, refetch] = useRefetchableFragment(query, props.comment); // $ Source return ( <> -

// $ Missing: Alert +

// $ Alert