Fixed false positives from strapi and rxjs/testing as well as when one passes function as second arg to pipe

Napalys · Napalys · commit b10a9481f36a · 2025-05-22T18:50:02.000+02:00
diff --git a/javascript/ql/lib/ext/rxjs.model.yml b/javascript/ql/lib/ext/rxjs.model.yml
@@ -5,3 +5,4 @@ extensions:
     data:
       - ["NonNodeStream", "rxjs", "Fuzzy"]
       - ["NonNodeStream", "rxjs/operators", "Fuzzy"]
+      - ["NonNodeStream", "rxjs/testing", "Fuzzy"]
diff --git a/javascript/ql/lib/ext/strapi.model.yml b/javascript/ql/lib/ext/strapi.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - ["NonNodeStream", "@strapi/utils", "Fuzzy"]
diff --git a/javascript/ql/src/Quality/UnhandledStreamPipe.ql b/javascript/ql/src/Quality/UnhandledStreamPipe.ql
@@ -18,7 +18,7 @@ class PipeCall extends DataFlow::MethodCallNode {
   PipeCall() {
     this.getMethodName() = "pipe" and
     this.getNumArgument() = [1, 2] and
-    not this.getArgument(0).asExpr() instanceof Function and
+    not this.getArgument([0, 1]).asExpr() instanceof Function and
     not this.getArgument(0).asExpr() instanceof ObjectExpr and
     not this.getArgument(0).getALocalSource() = getNonNodeJsStreamType()
   }
diff --git a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/rxjsStreams.js b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/rxjsStreams.js
@@ -13,6 +13,6 @@ function f(){
   let testScheduler = new TestScheduler();
   testScheduler.run(({x, y, z}) => {
     const source = x('', {o: [a, b, c]});
-    z(source.pipe(null)).toBe(expected,y,); // $SPURIOUS:Alert
+    z(source.pipe(null)).toBe(expected,y,);
   });
 }
diff --git a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/strapi.js b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/strapi.js
@@ -1,5 +1,5 @@
 import { async } from '@strapi/utils';
 
 const f = async () => {
-    const permissionsInDB = await async.pipe(strapi.db.query('x').findMany,map('y'))(); // $SPURIOUS:Alert
+    const permissionsInDB = await async.pipe(strapi.db.query('x').findMany,map('y'))();
 }
diff --git a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.expected b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.expected
@@ -1,5 +1,3 @@
-| rxjsStreams.js:16:7:16:23 | source.pipe(null) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
-| strapi.js:4:35:4:84 | async.p ... p('y')) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
 | test.js:4:5:4:28 | stream. ... nation) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
 | test.js:19:5:19:17 | s2.pipe(dest) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
 | test.js:45:5:45:30 | stream2 ... ation2) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
@@ -13,4 +11,3 @@
 | test.js:143:5:143:62 | stream. ... itable) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
 | test.js:175:17:175:40 | notStre ... itable) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
 | test.js:185:5:185:32 | copyStr ... nation) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
-| test.js:216:5:216:38 | notStre ... ()=>{}) | Stream pipe without error handling on the source stream. Errors won't propagate downstream and may be silently dropped. |
diff --git a/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.js b/javascript/ql/test/query-tests/Quality/UnhandledStreamPipe/test.js
@@ -213,6 +213,6 @@ function test() {
   }
   {
     const notStream = getNotAStream();
-    notStream.pipe(getStream(),()=>{}); // $SPURIOUS:Alert
+    notStream.pipe(getStream(),()=>{});
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ class PipeCall extends DataFlow::MethodCallNode {`
`18`	`18`	`PipeCall() {`
`19`	`19`	`this.getMethodName() = "pipe" and`
`20`	`20`	`this.getNumArgument() = [1, 2] and`
`21`		`- not this.getArgument(0).asExpr() instanceof Function and`
	`21`	`+ not this.getArgument([0, 1]).asExpr() instanceof Function and`
`22`	`22`	`not this.getArgument(0).asExpr() instanceof ObjectExpr and`
`23`	`23`	`not this.getArgument(0).getALocalSource() = getNonNodeJsStreamType()`
`24`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,6 @@ function f(){`
`13`	`13`	`let testScheduler = new TestScheduler();`
`14`	`14`	`testScheduler.run(({x, y, z}) => {`
`15`	`15`	`const source = x('', {o: [a, b, c]});`
`16`		`- z(source.pipe(null)).toBe(expected,y,); // $SPURIOUS:Alert`
	`16`	`+ z(source.pipe(null)).toBe(expected,y,);`
`17`	`17`	`});`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`import { async } from '@strapi/utils';`
`2`	`2`
`3`	`3`	`const f = async () => {`
`4`		`- const permissionsInDB = await async.pipe(strapi.db.query('x').findMany,map('y'))(); // $SPURIOUS:Alert`
	`4`	`+ const permissionsInDB = await async.pipe(strapi.db.query('x').findMany,map('y'))();`
`5`	`5`	`}`
Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,6 @@ function test() {`
`213`	`213`	`}`
`214`	`214`	`{`
`215`	`215`	`const notStream = getNotAStream();`
`216`		`- notStream.pipe(getStream(),()=>{}); // $SPURIOUS:Alert`
	`216`	`+ notStream.pipe(getStream(),()=>{});`
`217`	`217`	`}`
`218`	`218`	`}`