Skip to content

JS: Modeling of underscore.string package #19049

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Napalys merged 24 commits into from
Mar 20, 2025
Merged

JS: Modeling of underscore.string package #19049

Napalys merged 24 commits into from
Mar 20, 2025

Conversation

@Napalys
Copy link
Contributor

@Napalys Napalys commented Mar 18, 2025
edited
Loading

This pull request adds package modeling for underscore.string.

Napalys added 18 commits March 17, 2025 12:48
@Napalys
Added test cases underscore.string string to string.
e8b233f
@Napalys
Added modeling of underscore.string string to string functions.
9bca863
@Napalys
Added underscore.string test cases for str to array.
c256b9c
@Napalys
Added modeling of underscore.string for str to array.
30623cd
@Napalys
Added test cases underscore.string array to string.
cd40b6f
@Napalys
Added modeling underscore.string array to string functions.
6b105b2
@Napalys
Added test cases underscore.string with multiple sources.
77e1e17
@Napalys
Added modeling underscore.string of function which contain multiple…
b59b9c8 
… sources points.
@Napalys
Added chaining tests for underscore.string package.
25c6fb5
@Napalys
Added chaining modeling for underscore.string package.
ca9ae8a
@Napalys
Added test for extra chaining function for underscore.string.
cccd863
@Napalys
Added modeling for extra chaining function from underscore.string.
3a83c8d
@Napalys
Added test cases for aliases.
dcc1e88
@Napalys
Added modeling for aliases.
fc6b779
@Napalys
Added test case for tap.
eb18c3c
@Napalys
Added modeling for tap function.
d8e6d76
@Napalys
Removed value from modeling its return value as Wrapper class, sinc…
2c7562d 
…e it return simple string.
@Napalys
Added change note.
8b431dc
@Napalys Napalys force-pushed the js/underscore-string branch 2 times, most recently from b299373 to 3a069f9 Compare March 18, 2025 10:35
@Napalys @asgerf
Added underscore.string clearsContent.
922a07d 
Co-authored-by: Asgerf <asgerf@github.com>
@Napalys Napalys force-pushed the js/underscore-string branch from 3a069f9 to 922a07d Compare March 18, 2025 11:58
@Napalys Napalys marked this pull request as ready for review March 18, 2025 17:20
@Napalys Napalys requested a review from a team as a code owner March 18, 2025 17:20
asgerf
asgerf reviewed Mar 20, 2025
View reviewed changes
javascript/ql/lib/ext/underscore.string.model.yml Outdated
extensible: summaryModel
data:
- ["'underscore.string'", "Member[slugify,capitalize,decapitalize,clean,cleanDiacritics,swapCase,escapeHTML,unescapeHTML,wrap,dedent,reverse,pred,succ,titleize,camelize,classify,underscored,dasherize,humanize,trim,ltrim,rtrim,truncate,sprintf,strRight,strRightBack,strLeft,strLeftBack,stripTags,unquote,map]", "Argument[0]", "ReturnValue", "taint"]
- ["'underscore.string'", "Member[chop,chars,words,lines]", "Argument[0]", "ReturnValue", "taint"]
Copy link
Contributor

@asgerf asgerf Mar 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- ["'underscore.string'", "Member[chop,chars,words,lines]", "Argument[0]", "ReturnValue", "taint"]
- ["'underscore.string'", "Member[chop,chars,words,lines]", "Argument[0]", "ReturnValue.ArrayElement", "taint"]

This is a bit more precise.

If the whole return value is tainted, the analysis thinks all its properties are tainted too, including .length. You could try adding the test:

sink(s.chop(source("s1"), 3).length);

Copy link
Contributor Author

@Napalys Napalys Mar 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like there is still something off with ArrayElement f4ca2dc?

Copy link
Contributor

@asgerf asgerf Mar 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some of the tests have a typo, they should access the [0] on the returned array, not on the source string:

sink(s.chars(source("s2")[0])) -> sink(s.chars(source("s2"))[0])

I know why the last test is failing but it's complicated. Would you mind leaving it as MISSING: for now?

@Napalys Napalys requested a review from asgerf March 20, 2025 11:38
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 20, 2025
View reviewed changes
@Napalys Napalys merged commit 730580a into github:main Mar 20, 2025
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asgerf asgerf asgerf approved these changes

Assignees

No one assigned

Labels

documentation JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Napalys @asgerf