github
diff --git a/‎javascript/change-notes/2021-06-30-vuex.md‎
Lines changed: 3 additions & 0 deletions b/‎javascript/change-notes/2021-06-30-vuex.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎javascript/ql/src/javascript.qll‎
Lines changed: 1 addition & 0 deletions b/‎javascript/ql/src/javascript.qll‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/ApiGraphs.qll‎
Lines changed: 36 additions & 1 deletion b/‎javascript/ql/src/semmle/javascript/ApiGraphs.qll‎
Lines changed: 36 additions & 1 deletion
diff --git a/‎javascript/ql/src/semmle/javascript/frameworks/Vue.qll‎
Lines changed: 18 additions & 6 deletions b/‎javascript/ql/src/semmle/javascript/frameworks/Vue.qll‎
Lines changed: 18 additions & 6 deletions
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Support for `vuex` has been added. The security queries can now
+  track taint through the `vuex` state.
@@ -126,6 +126,7 @@ import semmle.javascript.frameworks.TorrentLibraries
 import semmle.javascript.frameworks.Typeahead
 import semmle.javascript.frameworks.UriLibraries
 import semmle.javascript.frameworks.Vue
+import semmle.javascript.frameworks.Vuex
 import semmle.javascript.frameworks.WebSocket
 import semmle.javascript.frameworks.XmlParsers
 import semmle.javascript.frameworks.xUnit
 
@@ -10,6 +10,7 @@
  */
 
 import javascript
+private import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps
 
 /**
  * Provides classes and predicates for working with APIs defined or used in a database.
@@ -747,6 +748,18 @@ module API {
         result = DataFlow::moduleVarNode(imp.getImportedModule()).getAPropertyRead("exports")
       )
       or
+      exists(ObjectExpr obj |
+        obj = trackDefNode(nd, t.continue()).asExpr() and
+        result =
+          obj.getAProperty()
+              .(SpreadProperty)
+              .getInit()
+              .(SpreadElement)
+              .getOperand()
+              .flow()
+              .getALocalSource()
+      )
+      or
       t = defStep(nd, result)
     }
 
@@ -930,16 +943,38 @@ private module Label {
   /** Gets the `member` edge label for the unknown member. */
   string unknownMember() { result = "member *" }
 
+  /**
+   * Gets a property name referred to by the given dynamic property access,
+   * allowing one property flow step in the process (to allow flow through imports).
+   *
+   * This is to support code patterns where the property name is actually constant,
+   * but the property name has been factored into a library.
+   */
+  private string getAnIndirectPropName(DataFlow::PropRef ref) {
+    exists(DataFlow::Node pred |
+      FlowSteps::propertyFlowStep(pred, ref.getPropertyNameExpr().flow()) and
+      result = pred.getStringValue()
+    )
+  }
+
+  /**
+   * Gets unique result of `getAnIndirectPropName` if there is one.
+   */
+  private string getIndirectPropName(DataFlow::PropRef ref) {
+    result = unique(string s | s = getAnIndirectPropName(ref))
+  }
+
   /** Gets the `member` edge label for the given property reference. */
   string memberFromRef(DataFlow::PropRef pr) {
-    exists(string pn | pn = pr.getPropertyName() |
+    exists(string pn | pn = pr.getPropertyName() or pn = getIndirectPropName(pr) |
       result = member(pn) and
       // only consider properties with alphanumeric(-ish) names, excluding special properties
       // and properties whose names look like they are meant to be internal
       pn.regexpMatch("(?!prototype$|__)[\\w_$][\\w\\-.$]*")
     )
     or
     not exists(pr.getPropertyName()) and
+    not exists(getIndirectPropName(pr)) and
     result = unknownMember()
   }
 
 
@@ -656,16 +656,28 @@ module Vue {
   /** Gets a data flow node that refers to a `Route` object from `vue-router`. */
   DataFlow::SourceNode routeObject() { result = routeObject(DataFlow::TypeTracker::end()) }
 
-  private class VueRouterFlowSource extends RemoteFlowSource {
+  private class VueRouterFlowSource extends ClientSideRemoteFlowSource {
+    ClientSideRemoteFlowKind kind;
+
     VueRouterFlowSource() {
-      this = routeObject().getAPropertyRead(["params", "query", "hash", "path", "fullPath"])
-      or
-      exists(Instance i, string prop |
-        this = i.getWatchHandler(prop).getParameter([0, 1]) and
-        prop.regexpMatch("\\$route\\.(params|query|hash|path|fullPath)\\b.*")
+      exists(string name |
+        this = routeObject().getAPropertyRead(name)
+        or
+        exists(string prop |
+          this = any(Instance i).getWatchHandler(prop).getParameter([0, 1]) and
+          name = prop.regexpCapture("\\$route\\.(params|query|hash|path|fullPath)\\b.*", 1)
+        )
+      |
+        name = ["params", "path", "fullPath"] and kind.isPath()
+        or
+        name = "query" and kind.isQuery()
+        or
+        name = "hash" and kind.isFragment()
       )
     }
 
     override string getSourceType() { result = "Vue route parameter" }
+
+    override ClientSideRemoteFlowKind getKind() { result = kind }
   }
 }
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Support for `vuex` has been added. The security queries can now
	`3`	+ track taint through the `vuex` state.