JS: Update type usage in ClassValidator model

asgerf · asgerf · commit 3d19a9d14ce3 · 2025-06-10T10:33:36.000+02:00
diff --git a/javascript/ql/lib/javascript.qll b/javascript/ql/lib/javascript.qll
@@ -47,7 +47,7 @@ import semmle.javascript.NodeJS
 import semmle.javascript.NPM
 import semmle.javascript.Paths
 import semmle.javascript.Promises
-import semmle.javascript.CanonicalNames
+deprecated import semmle.javascript.CanonicalNames
 import semmle.javascript.RangeAnalysis
 import semmle.javascript.Regexp
 import semmle.javascript.Routing
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ClassValidator.qll b/javascript/ql/lib/semmle/javascript/frameworks/ClassValidator.qll
@@ -3,6 +3,9 @@
  */
 
 import javascript
+private import semmle.javascript.internal.NameResolution
+private import semmle.javascript.internal.TypeResolution
+private import semmle.javascript.internal.UnderlyingTypes
 
 /**
  * Provides predicates for reasoning about sanitization via the `class-validator` library.
@@ -50,7 +53,10 @@ module ClassValidator {
 
   pragma[noinline]
   private ClassDefinition getClassReferencedByPropRead(DataFlow::PropRead read) {
-    read.getBase().asExpr().getType().unfold().(ClassType).getClass() = result
+    exists(NameResolution::Node type |
+      TypeResolution::valueHasType(read.getBase().asExpr(), type) and
+      UnderlyingTypes::nodeHasUnderlyingClassType(type, result.flow())
+    )
   }
 
   /**
