From 30cc91421d29b3c3de412b7318f1a2b78ba517ce Mon Sep 17 00:00:00 2001
From: eliav
Date: Mon, 17 Nov 2025 00:52:06 +0200
Subject: [PATCH 1/5] javascript: Add support for `document.defaultView` in global variable references
Updated the data flow analysis to include `document.defaultView` as a source node for global variable references. Added a new test file `tst4.js` and updated existing tests to verify the inclusion of `defaultView` and its properties in the expected results.
---
 javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll | 3 +++
 javascript/ql/test/library-tests/Nodes/globalVarRef.expected | 4 ++++
 javascript/ql/test/library-tests/Nodes/tst.js | 1 +
 javascript/ql/test/library-tests/Nodes/tst4.js | 1 +
 4 files changed, 9 insertions(+)
 create mode 100644 javascript/ql/test/library-tests/Nodes/tst4.js
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
index 0e6394a6f557..c852d02c8b00 100644
--- a/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
@@ -383,6 +383,9 @@ DataFlow::SourceNode globalObjectRef() {
 // DOM
 result = globalVariable("window")
 or
+ // DOM alias via `document.defaultView`
+ result = globalVariable("document").getAPropertyReference("defaultView")
+ or
 // Node.js
 result = globalVariable("global")
 or
diff --git a/javascript/ql/test/library-tests/Nodes/globalVarRef.expected b/javascript/ql/test/library-tests/Nodes/globalVarRef.expected
index 507e099b80ae..48d912d3aa72 100644
--- a/javascript/ql/test/library-tests/Nodes/globalVarRef.expected
+++ b/javascript/ql/test/library-tests/Nodes/globalVarRef.expected
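Review bot: The qldoc of `globalObjectRef()` lies above this hunk and, if it enumerates the recognised aliases the way the inline `// DOM` and `// Node.js` comments do, it is not updated for the new `document.defaultView` case; a sentence along the lines of "or a read of the defaultView property on a reference to the global document" belongs there so users of the predicate learn the alias exists. Whether `globalVariable("document")` also covers the chained forms `window.document` and `self.document` is not visible in this hunk, so it is unclear whether `window.document.defaultView` is recognised as a global object reference; a line exercising it in the tst.js hunk of the same commit would pin that down either way. The opening of `globalObjectRef()` and the rest of its disjunction are outside the hunk.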
@@ -1,15 +1,19 @@
 | Object | tst2.js:8:1:8:13 | global.Object |
 | String | tst2.js:9:1:9:11 | this.String |
 | document | tst2.js:2:1:2:26 | require ... ument") |
+| document | tst4.js:1:1:1:26 | require ... ument") |
 | document | tst.js:3:1:3:15 | window.document |
 | document | tst.js:5:1:5:13 | self.document |
 | document | tst.js:6:1:6:19 | globalThis.document |
+| document | tst.js:7:1:7:8 | document |
 | foo | tst3.js:4:1:4:5 | w.foo |
 | global | tst2.js:7:1:7:6 | global |
 | global | tst2.js:8:1:8:6 | global |
 | globalThis | tst.js:6:1:6:10 | globalThis |
 | goog | tst3.js:1:1:1:4 | goog |
 | goog | tst3.js:3:9:3:12 | goog |
+| history | tst4.js:1:1:1:46 | require ... history |
+| history | tst.js:7:1:7:28 | documen ... history |
 | self | tst.js:5:1:5:4 | self |
 | setTimeout | tst2.js:5:1:5:12 | g.setTimeout |
 | window | tst2.js:3:1:3:24 | require ... indow") |
diff --git a/javascript/ql/test/library-tests/Nodes/tst.js b/javascript/ql/test/library-tests/Nodes/tst.js
index ec660b25580f..395309672d31 100644
--- a/javascript/ql/test/library-tests/Nodes/tst.js
+++ b/javascript/ql/test/library-tests/Nodes/tst.js
@@ -4,3 +4,4 @@ window.document;
 window.window.document;
 self.document;
 globalThis.document;
+document.defaultView.history;
diff --git a/javascript/ql/test/library-tests/Nodes/tst4.js b/javascript/ql/test/library-tests/Nodes/tst4.js
new file mode 100644
index 000000000000..087a780629e9
--- /dev/null
+++ b/javascript/ql/test/library-tests/Nodes/tst4.js
@@ -0,0 +1 @@
+require("global/document").defaultView.history;
From bd18e862eb50e960e76171b9f1f80df3cb859388 Mon Sep 17 00:00:00 2001
From: eliav
Date: Mon, 17 Nov 2025 01:02:21 +0200
Subject: [PATCH 2/5] javascript: add change note
---
 javascript/ql/lib/change-notes/released/2.6.15.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 javascript/ql/lib/change-notes/released/2.6.15.md
diff --git a/javascript/ql/lib/change-notes/released/2.6.15.md b/javascript/ql/lib/change-notes/released/2.6.15.md
new file mode 100644
index 000000000000..8054e8efa22f
--- /dev/null
+++ b/javascript/ql/lib/change-notes/released/2.6.15.md
@@ -0,0 +1,5 @@
+## 2.6.15
+
+### Minor Analysis Improvements
+
+- JavaScript `DataFlow::globalVarRef` now recognizes `document.defaultView` as an alias of `window`, allowing flows such as `document.defaultView.history.pushState(...)` to be modeled and found by queries relying on `globalVarRef("history")`.
From 80474506689a644d863c7008e3370994c5bbad78 Mon Sep 17 00:00:00 2001
From: eliav
Date: Mon, 17 Nov 2025 01:05:58 +0200
Subject: [PATCH 3/5] javascript: Update property access for `document.defaultView as getAPropertyRead
Changed the method for accessing `defaultView` from `getAPropertyReference` to `getAPropertyRead` to improve accuracy in data flow analysis for global variable references.
---
 javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
index c852d02c8b00..8cec8734ad86 100644
--- a/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll
@@ -384,7 +384,7 @@ DataFlow::SourceNode globalObjectRef() {
 result = globalVariable("window")
 or
 // DOM alias via `document.defaultView`
- result = globalVariable("document").getAPropertyReference("defaultView")
+ result = globalVariable("document").getAPropertyRead("defaultView")
 or
 // Node.js
 result = globalVariable("global")
From 08dfb9515541f185c2b1a7ad3e9324af73e39c3e Mon Sep 17 00:00:00 2001
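Review bot: The narrowing from `getAPropertyReference` to `getAPropertyRead` on the changed line is not exercised by any test in the series: no test file writes to `defaultView`, so a later regression back to matching property writes would pass the suite unnoticed. A line such as `document.defaultView = null;` in tst.js, with no new row in globalObjectRef.expected, would pin the reads-only behaviour. The comment above the changed line could also carry the reason the commit message gives, e.g. `// DOM alias via document.defaultView (reads only: assigning to it is not a reference to the global object)`. The body of `globalObjectRef()` continues outside the hunk on both sides.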
From: eliav
Date: Thu, 20 Nov 2025 00:17:14 +0200
Subject: [PATCH 4/5] javascript: Add change note for `document.defaultView` aliasing `window`
Introduced a new change note detailing that `DataFlow::globalVarRef` now recognizes `document.defaultView` as an alias of `window`, enhancing the modeling of data flows involving `history` in queries.
---
 .../{released/2.6.15.md => 2025-11-19-default-view.md} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename javascript/ql/lib/change-notes/{released/2.6.15.md => 2025-11-19-default-view.md} (85%)
diff --git a/javascript/ql/lib/change-notes/released/2.6.15.md b/javascript/ql/lib/change-notes/2025-11-19-default-view.md
similarity index 85%
rename from javascript/ql/lib/change-notes/released/2.6.15.md
rename to javascript/ql/lib/change-notes/2025-11-19-default-view.md
index 8054e8efa22f..1dd42c2697e1 100644
--- a/javascript/ql/lib/change-notes/released/2.6.15.md
+++ b/javascript/ql/lib/change-notes/2025-11-19-default-view.md
@@ -1,5 +1,5 @@
-## 2.6.15
-
-### Minor Analysis Improvements
+---
+category: minorAnalysis
+---
 
 - JavaScript `DataFlow::globalVarRef` now recognizes `document.defaultView` as an alias of `window`, allowing flows such as `document.defaultView.history.pushState(...)` to be modeled and found by queries relying on `globalVarRef("history")`.
From 91451b73ef798eeff4d0f75ba346e05a279e7587 Mon Sep 17 00:00:00 2001
From: eliav
Date: Thu, 20 Nov 2025 15:15:06 +0200
Subject: [PATCH 5/5] javascript: Update expected results for global variable references
---
 .../ql/test/library-tests/Nodes/globalObjectRef.expected | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/javascript/ql/test/library-tests/Nodes/globalObjectRef.expected b/javascript/ql/test/library-tests/Nodes/globalObjectRef.expected
index 0c35fe87b268..d3a779eb5970 100644
--- a/javascript/ql/test/library-tests/Nodes/globalObjectRef.expected
+++ b/javascript/ql/test/library-tests/Nodes/globalObjectRef.expected
@@ -5,9 +5,12 @@
 | tst2.js:8:1:8:6 | global |
 | tst3.js:1:1:1:0 | this |
 | tst3.js:3:9:3:19 | goog.global |
+| tst4.js:1:1:1:0 | this |
+| tst4.js:1:1:1:38 | require ... ultView |
 | tst.js:1:1:1:0 | this |
 | tst.js:1:1:1:6 | window |
 | tst.js:3:1:3:6 | window |
 | tst.js:4:1:4:6 | window |
 | tst.js:5:1:5:4 | self |
 | tst.js:6:1:6:10 | globalThis |
+| tst.js:7:1:7:20 | document.defaultView |