github
diff --git a/‎javascript/change-notes/2021-11-08-routing-trees.md
Lines changed: 3 additions & 0 deletions b/‎javascript/change-notes/2021-11-08-routing-trees.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎javascript/ql/lib/javascript.qll
Lines changed: 1 addition & 0 deletions b/‎javascript/ql/lib/javascript.qll
Lines changed: 1 addition & 0 deletions
diff --git a/‎javascript/ql/lib/semmle/javascript/ApiGraphs.qll
Lines changed: 22 additions & 0 deletions b/‎javascript/ql/lib/semmle/javascript/ApiGraphs.qll
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Data flow is now tracked across middleware functions in more cases, leading to more security results in general. Affected packages are `express` and `fastify`.
+* `js/missing-token-validation` has been made more precise, yielding both fewer false positives and more true positives.
@@ -50,6 +50,7 @@ import semmle.javascript.Promises
 import semmle.javascript.CanonicalNames
 import semmle.javascript.RangeAnalysis
 import semmle.javascript.Regexp
+import semmle.javascript.Routing
 import semmle.javascript.SSA
 import semmle.javascript.StandardLibrary
 import semmle.javascript.Stmt
 
@@ -388,6 +388,23 @@ module API {
     API::Node getNode() { result = root().getASuccessor(Label::entryPoint(this)) }
   }
 
+  /**
+   * A class for contributing new steps for tracking uses of an API.
+   */
+  class AdditionalUseStep extends Unit {
+    /**
+     * Holds if use nodes should flow from `pred` to `succ`.
+     */
+    predicate step(DataFlow::SourceNode pred, DataFlow::SourceNode succ) { none() }
+  }
+
+  private module AdditionalUseStep {
+    pragma[nomagic]
+    predicate step(DataFlow::SourceNode pred, DataFlow::SourceNode succ) {
+      any(AdditionalUseStep st).step(pred, succ)
+    }
+  }
+
   /**
    * Provides the actual implementation of API graphs, cached for performance.
    *
@@ -751,6 +768,11 @@ module API {
         boundArgs in [0 .. 10]
       )
       or
+      exists(DataFlow::SourceNode mid |
+        mid = trackUseNode(nd, promisified, boundArgs, prop, t) and
+        AdditionalUseStep::step(pragma[only_bind_out](mid), result)
+      )
+      or
       exists(DataFlow::Node pred, string preprop |
         trackUseNode(nd, promisified, boundArgs, preprop, t.continue()).flowsTo(pred) and
         promisified = false and
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Data flow is now tracked across middleware functions in more cases, leading to more security results in general. Affected packages are `express` and `fastify`.
	`3`	+* `js/missing-token-validation` has been made more precise, yielding both fewer false positives and more true positives.