Module javascript

Gets a definite abstract value with the given type.

Gets the capitalization of s.

Holds if the definition of v in def reaches use along some control flow path without crossing another definition of v. DEPRECATED: Use the SSA.qll library instead.

Gets a string that describes e.

DEPRECATED: Use DOM::documentRef() instead. Gets a reference to the ‘document’ object.

Holds if nodeModules is a folder of the form <prefix>/node_modules, where <prefix> is a (not necessarily proper) prefix of f and does not end in /node_modules, and distance is the number of path elements of f that are missing from <prefix>.

Gets a log level name that is used in RFC5424, npm, console.

DEPRECATED: Use DOM::documentRef() instead. Holds if e could refer to the document object.

DEPRECATED: Use DOM::locationSource() instead. Holds if e could refer to the document URL.

Holds if e could hold a value that comes from the DOM.

Holds if tp is one of the roots of the DOM type hierarchy.

DEPRECATED: Use isDomNode instead. Holds if e could hold a value that comes from the DOM.

Holds if source may be interpreted as a regular expression.

DEPRECATED: Use isLocationNode instead. Holds if e could refer to the location property of a DOM node.

Holds if e could refer to the location property of a DOM node.

DEPRECATED. In most cases, a sanitizer based on this predicate can be removed, as taint tracking no longer step through the properties of the location object by default.

Holds if the later definition of v could overwrite its earlier definition.

Holds if the definition of local variable v in def reaches use along some control flow path without crossing another definition of v. DEPRECATED: Use the SSA.qll library instead.

Gets the pluralization for n occurrences of noun.

Gets a reference to the ‘React’ object.

Gets str or a truncated version of str with explanation appended if its length exceeds maxLength.

An abstract value representing an arguments object.

An abstract value representing a Boolean value.

An abstract value representing a function or class.

An abstract value representing an individual class.

An abstract value representing a Date object.

An abstract value representing the empty string.

An abstract value representing a CommonJS exports object.

An abstract value representing an individual function.

An abstract value representing the global object.

An abstract value representing all instances of a class or function F, as well as the default prototype of F (that is, the initial value of F.prototype).

An abstract value representing a CommonJS module object.

An abstract value representing a non-zero number.

An abstract value representing null.

An abstract value representing a numeric string, that is, a string s such that +s is not NaN.

An abstract value representing all objects arising from an object literal expression (allocation site abstraction).

An abstract value representing an object not covered by the other abstract values.

An abstract value representing a non-empty, non-numeric string.

An abstract representation of a set of concrete properties, characterized by a base object (which is an abstract value for which properties are tracked) and a property name.

An abstract representation of the __proto__ property of a function or class instance.

An abstract value representing a regular expression.

An abstract value representing undefined.

An abstract value inferred by the flow analysis, representing a set of concrete values.

An abstract value representing the number zero.

An accessor method declaration in a class or interface, either a concrete definition or a signature without a body.

A concrete accessor method definition in a class, that is, an accessor method with a function body.

An accessor method signature declared in a class or interface, that is, an accessor method without a function body.

An addition or string-concatenation expression.

An aggregated promise produced either by Promise.all, Promise.race, or Promise.any.

An AMD-style module.

An AMD define call.

A refinement node where the guard is a condition.

A special TypeScript require call in an import-assignment, interpreted as an implicit of the module.exports property of the imported module.

A function for which analysis results are available.

A module for which analysis results are available.

A refinement for a condition guard with an outcome of false.

A data flow node for which analysis results are available.

A refinement for a condition guard with an outcome of true.

An analyzed property read, either explicitly (x.p or x[e]) or implicitly.

An analyzed property write, including exports (which are modeled as assignments to module.exports).

An analyzed refinement node.

A call to require, interpreted as an implicit read of the module.exports property of the imported module.

An SSA definitions that has been analyzed.

A value node for which analysis results are available.

A vardef with helper predicates for flow analysis.

An anonymous interface type, such as { x: number }.

A step through the ansi-colors library.

A step through the ansi-to-html library.

The predefined any type.

An arguments variable of a function.

A binary arithmetic expression using +, -, /, % or **.

An array comprehension expression.

An array literal.

The externs definition for the Array object.

An array pattern.

A type that describes a JavaScript Array object.

An array type, such as number[], or in general T[] where T is a type.

An arrow function expression.

A type assertion specifically of the form E as T (as opposed to the <T> E syntax).

An asm.js directive.

A compound add-assign expression.

A compound bitwise-‘and’-assign expression.

A compound divide-assign expression.

A compound exponentiate-assign expression.

A simple assignment expression.

A compound left-shift-assign expression.

A logical-‘and’-assign expression.

A logical-‘or’-assign expression.

A compound modulo-assign expression.

A compound multiply-assign expression.

A ‘nullish-coalescing’-assign expression.

A compound bitwise-‘or’-assign expression.

A compound right-shift-assign expression.

A compound subtract-assign expression.

A compound unsigned-right-shift-assign expression.

A compound exclusive-‘or’-assign expression.

An assignment expression, either compound or simple.

A program element corresponding to JavaScript code, such as an expression or a statement.

A call that may perform authorization.

An await expression.

A Babel directive.

A basic block, that is, a maximal straight-line sequence of control flow nodes without branches or joins.

A BigInt literal.

A bigint literal as a static type.

A bigint literal used as a TypeScript type annotation.

The predefined bigint type.

An expression with a binary operator.

A binding pattern, that is, either an identifier or a destructuring pattern.

A bitwise ‘and’ expression.

A bitwise negation expression.

A bitwise ‘or’ expression.

A bitwise binary expression, that is, either a bitwise ‘and’, a bitwise ‘or’, or an exclusive ‘or’ expression.

A bitwise expression using &, |, ^, ~, <<, >>, or >>>.

A block comment (which may be a JSDoc comment).

A scope induced by a block of statements.

A block of statements.

The boolean, true, or false type.

A Boolean literal, that is, either true or false.

A Boolean literal token.

The boolean literal type true or false.

A boolean literal used as a type.

The boolean type, internally represented as the union type true | false.

A break or continue statement.

A break statement.

A representation of bug tracker information for an NPM package.

A bulk import that imports an entire module as a namespace.

A bulk re-export declaration of the form export * from 'a', which re-exports all exports of another module.

A bundle directive.

A function call expression.

A call signature declared in an interface.

A function or constructor signature in a TypeScript type.

A call to Object.defineProperty.

A call with inter-procedural type inference for the return value.

A call with inter-procedural type inference for the return value.

The canonical name for a function.

A fully qualified name relative to a specific root, usually referring to a TypeScript namespace or type.

A type that refers to a type variable declared on a class, interface or function.

A case or default clause in a switch statement.

A catch clause.

A scope induced by a catch clause.

A step through the chalk library.

A call to the library chokidar, where a call to on receives file names.

A scope induced by a class declaration with type parameters.

A class declaration statement.

An ECMAScript 2015 or TypeScript class definition, that is, either a class declaration statement or a class expression.

A class expression.

A scope induced by a named class expression or class expression with type parameters.

An ECMAScript 2015/TypeScript class definition or a TypeScript interface definition, including both declarations and expressions.

A type that refers to a class, possibly with type arguments.

An expression that might contain a clear-text password.

A step through the cli-color library.

A step through the cli-highlight library.

A call that performs a request to a URL.

A type of remote flow source that is specific to the browser environment.

A source of remote input in a web browser environment.

A code snippet originating from an HTML attribute value.

A step through the colorette library.

A step through the colors library. This step ignores the String.prototype modifying part of the colors library.

A JavaScript source-code comment.

A comparison expression, that is, either an equality test (==, !=, ===, !==) or a relational expression (<, <=, >=, >).

A compound assign expression.

A comprehension block in a comprehension expression.

A scope induced by a comprehension block.

A comprehension expression, that is, either an array comprehension expression or a generator expression.

A CFG node corresponding to a program element, that is, a CFG node that is not a SyntheticControlFlowNode.

A guard node recording that some condition is known to be truthy or falsy at this point in the program.

A conditional expression.

A conditional type annotation, such as T extends any[] ? A : B.

A scope induced by a conditional type expression whose extends type contains infer types.

A const declaration statement.

An expression that evaluates to a constant primitive value.

An expression that evaluates to a constant string.

A constructor defined in a class.

A constructor call signature declared in an interface.

A constructor call signature in a type, that is, a signature with the new keyword.

A constructor declaration in a class, either a concrete definition or a signature without a body.

The concrete constructor definition of a class, possibly a synthetic constructor if the class did not declare any constructors.

A constructor signature declared in a class, that is, a constructor without a function body.

A @constructor tag.

A constructor type, such as new (x: string) => Object.

A file or folder.

A continue statement.

A representation of contributor information for an NPM package.

A synthetic CFG node marking the entry point of a function or toplevel script.

A synthetic CFG node marking the exit of a function or toplevel script.

A node in the control flow graph, which is an expression, a statement, or a synthetic node.

A control statement, that is, is a loop, an if statement, a switch statement, a with statement, a try statement, or a catch clause.

DEPRECATED: Use CredentialsNode instead. An expression whose value is used to supply credentials such as a user name, a password, or a key.

A method that might return sensitive data, based on the name.

An expression whose value is used to supply credentials such as a user name, a password, or a key.

A key used in a cryptographic algorithm.

The creation of a cryptographic key.

A key used in a cryptographic algorithm, viewed as a CredentialsNode.

A data-flow node that is an application of a cryptographic algorithm. For example, encryption, decryption, signature-validation.

A custom abstract value corresponding to an abstract value tag.

A data-flow node that induces an analysis-specific abstract value.

An abstract representation of an analysis-specific value.

Flow analysis for custom abstract values.

A string tag corresponding to a custom abstract value.

A data flow node that performs a database access.

A debugger statement.

A (pre or post) decrement expression.

A declaration statement, that is, a var, const or let declaration (including legacy ‘let’ statements).

A string representing one of the three TypeScript declaration spaces: variable, type, or namespace.

A program element to which decorators can be applied, that is, a class, a property or a member definition.

A decorator applied to a class, property or member definition.

A definite abstract value, that is, an abstract value that is not affected by analysis incompleteness.

A delete expression.

A destructuring pattern, that is, either an array pattern or an object pattern.

A direct call to eval.

A directive: string literal expression statement in the beginning of a statement container.

A division expression.

A do-while loop.

A JSDoc comment.

A program element that can have a JSDoc comment.

A global variable whose declared type extends a DOM root type.

DEPRECATED: Use DomMethodCallNode instead. A call to a DOM method.

A call to a DOM method.

DEPRECATED: Use DomPropertyWrite instead. An assignment to a property of a DOM object.

An assignment to a property of a DOM object.

A dot expression.

A dynamic import expression.

An end-of-file token.

A React component implemented as a class

An ECMAScript 2015 module.

An aggregated promise created using Promise.all().

A legacy React component implemented using React.createClass or create-react-class.

An operation that sends an email.

An empty statement.

A for-in, for-of or for each-in loop.

An entry basic block, that is, a basic block whose first node is the entry node of a statement container.

A TypeScript enum declaration, such as the following declaration: enum Color { red = 1, green, blue }

A type that refers to the value of an enum member.

A member of a TypeScript enum declaration, such as red in the following declaration: enum Color { red = 1, green, blue }

A scope induced by an enum declaration, containing the names of its enum members.

A type that refers to an enum.

An equality test using ==.

An equality test using ==, !=, === or !==.

An error encountered during extraction.

A dispatch of an event on an EventEmitter.

An EventEmitter instance that implements the EventEmitter API. Extend EventEmitter::Range to mark something as being an EventEmitter.

A code snippet originating from an event handler attribute.

A registration of an event handler on an EventEmitter.

An exponentiation expression.

A TypeScript export of form export as namespace X where X is an identifier.

A TypeScript “export-assign” declaration.

An export declaration.

A default export declaration.

A default export specifier.

A named export declaration. * Examples:

A namespace export specifier, that is * or * as x occurring in an export declaration.

An export specifier in an export declaration.

An identifier that occurs in a named export declaration.

An expression.

A program element that is either an expression or a statement.

A program element that is either an expression or a type annotation.

An expression or a variable declaration statement.

An expression statement.

An expression with type arguments, occurring as the super-class expression of a class, for example: class StringList extends List<string> In the above example, List is a concrete expression, string is a type annotation, and List<string> is thus an expression with type arguments.

A call to an extend-like function, which copies properties from one or more objects into another object, and returns the result.

An @extends tag.

A constructor function defined in an externs file.

A declaration in an externs file.

A function or object defined in an externs file.

A function defined in an externs file.

A global declaration of a function or variable in an externs file.

A global function declaration in an externs file.

A global variable declaration in an externs file.

An instance member variable declaration in an externs file.

An interface function defined in an externs file.

A member variable declaration in an externs file.

A TypeScript declaration of form declare module "X" {...} where X is the name of an external module.

A require() call in a TypeScript import-equals declaration, such as require("foo") in: import foo = require("foo");

A scope induced by a declaration of form declare module "X" {...}.

A stand-alone file or an external script originating from an HTML <script> element.

A static member variable declaration in an externs file.

A constructor or interface function defined in an externs file.

A @type tag.

A typedef declaration in an externs file.

A variable or function declaration in an externs file.

A toplevel syntactic entity containing Closure-style externs definitions.

A field declaration in a class or interface, either a concrete definition or an abstract or ambient field signature.

A concrete field definition in a class.

A constructor parameter that induces a field in its class.

A field signature declared in a class or interface, that is, an abstract or ambient field declaration.

A file.

A data flow node that contains a file name or an array of file names from the local file system.

A data flow node that performs a file system access (read, write, copy, permissions, stats, etc).

A data flow node that reads data from the file system.

A data flow node that writes data to the file system.

A file type.

A folder.

A for each-in loop.

A for-in comprehension block in a comprehension expression.

A scope induced by a for-in or for-of statement.

A for-in loop.

A for-of comprehension block in a comprehension expression.

A for-of loop.

A scope induced by a for statement.

A for loop.

A SystemJS format register directive.

A function as defined either by a function declaration or a function expression.

A function-bind expression.

A function call signature declared in an interface.

A function call signature in a type, that is, a signature without the new keyword.

A call to a function that constructs a function composition f(g(h(...))) from a series of functions f, g, h, ....

A function declaration statement.

A (non-arrow) function expression.

The externs definition for the Function object.

A scope induced by a function.

A function.sent expression.

A TypeScript function type, such as (x: string) => number or a constructor type such as new (x: string) => Object.

A function with inter-procedural type inference for its parameters.

A React component implemented as a plain function.

A greater-than-or-equal expression.

A greater-than expression.

A placeholder for some code generated by a templating engine, speculatively parsed as an expression.

A generator expression.

A type consisting of a name and at least one type argument, such as Array<number>.

A getter method declaration in a class or interface, either a concrete definition or a signature without a function body.

A concrete getter method definition in a class, that is, a getter method with a function body.

A getter method signature declared in a class or interface, that is, a getter method without a function body.

A TypeScript declaration of form declare global {...}.

The global scope.

An identifier that refers to a global variable.

An identifier that declares a global variable.

A global variable.

A synthetic CFG node recording that some condition is known to hold at this point in the program.

A call to Object.prototype.hasOwnProperty, Object.hasOwn, or a library that implements the same functionality.

An HTML comment end token interpreted as a line comment.

An HTML comment start token interpreted as a line comment.

An HTML comment start/end token interpreted as a line comment.

A call that sanitizes HTML in a string, either by replacing meta characters with their HTML entities, or by removing certain HTML tags entirely.

An identifier.

An identifier token.

An if statement.

An immediately invoked function expression (IIFE).

An @implements tag.

An import in a module, which may be an ECMAScript 2015-style import statement, a CommonJS-style require import, or an AMD dependency.

An import declaration.

A default import specifier.

A TypeScript “import-equals” declaration.

An import.meta expression.

An import used in the context of a namespace inside a type annotation, such as in let x: import("http").ServerRequest.

A namespace import specifier.

An import specifier in an import declaration.

An import used in the context of a type, such as in let x: import("foo").

An import inside a type annotation, such as in import("http").ServerRequest.

An import used in the context of a variable type, such as in let x: typeof import("fs").

An in expression.

A (pre or post) increment expression.

An expression that checks if an element is contained in an array or is a substring of another string.

An indefinite abstract value representing an unknown value.

An indefinite abstract value representing an unknown function or class.

An indefinite abstract value representing an unknown object.

An index expression (also known as computed property access).

An index signature declared in an interface.

A type of form T[K] where T and K are types.

A type annotation of form infer R.

A regular expression term that permits unlimited repetitions.

A script embedded inline in an HTML <script> element.

An instanceof expression.

A TypeScript interface declaration.

A TypeScript interface declaration, inline interface type, or function type.

A scope induced by an interface declaration, containing the type parameters declared on the interface.

A type that refers to an interface, possibly with type arguents.

An inline TypeScript interface type, such as {x: number; y: number}.

An intersection type, such as T & {x: number}.

A type of form S&T, denoting the intersection of type S and type T.

An invocation expression, that is, either a function call or a new expression.

A function return type of form x is T or asserts x is T.

A JSDoc comment.

An any type expression.

An applied type expression.

An array type expression.

An error encountered while parsing a JSDoc comment.

A function type expression.

A type expression referring to a named type.

A non-nullable type expression.

A null type expression.

A nullable type expression.

An optional parameter type.

A @param tag.

A record type expression.

A rest parameter type.

A JSDoc tag.

A JSDoc type expression.

A syntactic element that a JSDoc type expression may be nested in, that is, either a JSDoc tag or another JSDoc type expression.

A type expression representing the type of undefined.

A union type expression.

A type expression representing an unknown type.

A type expression representing the void type.

A JSLint directive.

A JSLint global directive.

A JSLint directive declaring global variables.

A JSLint options directive.

A JSLint properties directive.

A JavaScript parse error encountered during extraction.

A code snippet originating from a URL with the javascript: URL scheme.

A taint step through the json2csv library.

A JSON-encoded array.

A JSON-encoded Boolean value.

A JSON-encoded null value.

A JSON-encoded number.

A JSON-encoded object.

An error reported by the JSON parser.

A call to a JSON parser such as JSON.parse.

A JSON-encoded primitive value.

A JSON-encoded string value.

A call to a JSON stringifier such as JSON.stringify or require("util").inspect.

A JSON-encoded value, which may be a primitive value, an array or an object.

An attribute of a JSX element, including spread attributes.

A JSX element.

An interpolating expression that interpolates nothing.

A JSX fragment.

A name of an JSX element or attribute (which is always an identifier, a dot expression, or a qualified namespace name).

A JSX element or fragment.

A legacy @jsx pragma.

A namespace-qualified name such as n:a.

A spread attribute of a JSX element.

A statement that disrupts structured control flow, that is, a continue statement, a break statement, a throw statement, or a return statement.

A type of form keyof T where T is a type.

A keyword token.

A step through the kleur library.

A known directive, such as a strict mode declaration.

A less-than-or-equal expression.

A left-shift expression using <<.

A less-than expression.

A variable reference or property access that is written to.

A statement or property label, that is, an identifier that does not refer to a variable.

A labeled statement.

An old-style let expression of the form let(vardecls) expr.

A legacy let statement, that is, a statement of the form let(vardecls) stmt.

A let declaration statement.

An identifier that refers to a variable, type, or namespace, or a combination of these, in a non-declaring position.

An identifier that declares a variable, type, or namespace, or a combination of these.

A name that is declared in a particular scope.

An identifier that refers to a variable, type, or namespace, or a combination of these.

A type that refers to a type variable without a canonical name.

A line of text (code, comment, or whitespace) in a source file.

A line comment, that is, either an HTML comment or a // comment.

A literal.

A boolean, number, or string literal type.

A string, number, or boolean literal used as a type.

A function that only is used locally, making it amenable to type inference.

An identifier that refers to a namespace from inside a type annotation.

An identifier that declares a local name for a namespace, that is, the name of an actual namespace declaration or the local name of an import.

The local name for a namespace in a particular scope.

A local scope, that is, a scope that is not the global scope.

An identifier that is used as part of a type, such as Date.

The local name for a type in a particular scope.

An identifier that refers to a variable from inside a type.

A local variable or a parameter.

A program element with a location.

A location as given by a file, a start line, a start column, an end line, and an end column.

A logical ‘and’ expression.

A logical negation expression.

A logical ‘or’ expression.

A call to a logging mechanism.

A short-circuiting logical binary expression, that is, a logical ‘or’ expression, a logical ‘and’ expression, or a nullish-coalescing expression.

A logical expression using &&, ||, or !.

A loop, that is, a while loop, a do-while loop, a for loop, or a for-in loop.

A type of form { [K in C]: T } where K in C declares a type parameter with C as the bound, and T is a type that may refer to K.

A scope induced by a mapped type expression, containing the type parameter declared as part of the type.

A member declaration in a class or interface, that is, either a method declaration or a field declaration.

A concrete member of a class, that is, a non-abstract, non-ambient field or method with a body.

A member signature declared in a class or interface, that is, an abstract or ambient field or method without a function body.

An expression that is tested for membership of a collection.

A method defined in a class or object expression.

A method call expression.

A method declaration in a class or interface, either a concrete definition or a signature without a body.

A concrete method definition in a class.

A method signature declared in a class or interface, that is, a method without a function body.

A modulo expression.

A module, which may either be an ECMAScript 2015-style module, a CommonJS module, or an AMD module.

A reference to the special module variable.

A scope induced by a Node.js or ES2015 module

A multiplication expression.

An inequality test using !=.

A named export specifier.

A named import specifier.

The canonical name for a namespace.

A possibly qualified name that refers to a namespace from inside a type annotation.

A TypeScript namespace declaration.

A statement that defines a namespace, that is, a namespace declaration or enum declaration.

A possibly qualified identifier that refers to or declares a local name for a namespace.

The lexical scope induced by a TypeScript namespace declaration.

An arithmetic negation expression (also known as unary minus).

The never type.

A new expression.

A new.target expression.

A ngInject or ngNoInject directive.

A Node.js module.

A TypeScript expression of form E!, asserting that E is not null.

A non-strict equality test using != or ==.

An NPM package.

A null literal.

A null literal token.

The null type.

A nullish coalescing ‘??’ expression.

The number type or a number literal type.

A numeric literal.

A number literal as a static type.

A number literal used as a type.

The predefined number type.

A numeric literal token.

An object literal, containing zero or more property definitions.

The externs definition for the Object object.

The object type.

An object pattern.

INTERNAL: This class should not be used by queries.

An optional type element in a tuple type, such as number? in [string, number?].

A call or member access that evaluates to undefined if its base operand evaluates to undefined or null.

An export declaration that exports zero or more declarations from the module it appears in.

A representation of package dependencies for an NPM package.

A package.json configuration object.

A parenthesized expression.

A parameter declaration in a function or catch clause.

A field induced by an initializing constructor parameter.

A program element that declares parameters, that is, either a function or a catch clause.

A type expression enclosed in parentheses.

An absolute file system path referenced in the program, which may (but does not have to) correspond to a file or folder included in the snapshot.

An expression whose value represents a (relative or absolute) file system path.

An expression that appears in a syntactic position where it may represent a path.

A string value that represents a (relative or absolute) file system path.

A data flow node that reads persistent data.

A data flow node that writes persistent data.

An array type such as Array<string>, or equivalently, string[].

A function type that is not a constructor type, such as (x: string) => number.

The symbol type.

A unary plus expression.

A postfix decrement expression.

A postfix increment expression.

An event handler that handles postMessage events.

A prefix decrement expression.

A prefix increment expression.

A Preact component.

A use of the predefined type any, string, number, boolean, null, undefined, void, never, symbol, or object.

A function return type that refines the type of one of its parameters or this.

A type assertion specifically of the form <T> E (as opposed to the E as T syntax).

A step through the prettyjson library. This is not quite a JSON.stringify call, as it e.g. does not wrap keys in double quotes. It’s therefore modeled as a taint-step rather than as a JSON.stringify call.

A definite abstract value that represents only primitive concrete values.

A printf-style call that substitutes the embedded format specifiers of a format string for the format arguments.

A promise that is created using a Promise.all(array) call.

A call that looks like a Promise.

A promise that is created and resolved with one or more value.

A definition of a Promise object.

A type such as Promise<T>, describing a promise or promise-like object.

A property access, that is, either a dot expression of the form e.f or an index expression of the form e[p].

A property definition in an object literal, which may be either a value property, a property getter, or a property setter.

A property getter or setter in an object literal.

A property getter in an object literal.

A property pattern in an object pattern.

A property projection call such as _.get(o, 'a.b'), which is equivalent to o.a.b.

A property setter in an object literal.

A call to a function whose name suggests that it encodes or encrypts its arguments.

A punctuator token.

A local variable that is not captured.

A qualified name that refers to a namespace from inside a type annotation.

A qualified name that is used as part of a type, such as http.ServerRequest.

A qualified name that refers to a variable from inside a type.

A right-shift expression using >>.

A variable reference or property access that is read from.

An export declaration that re-exports declarations from another module.

A default export specifier in a re-export declaration.

A basic block that is reachable from an entry basic block.

A reachable basic block with more than one predecessor.

An object that implements the React component interface.

A DOM element created by a React function.

A read-only array type such as ReadonlyArray<string>.

A type of form readonly T, such as readonly number[].

An expression that can be evaluated to a reference, that is, a variable reference or a property access.

A TypeScript comment of one of the two forms: /// <reference path="FILE.d.ts"/> /// <reference types="NAME"/>

A TypeScript comment of the form: /// <reference path="FILE.d.ts"/>

A TypeScript comment of the form: /// <reference types="NAME" />

An alternative term, that is, a term of the form a|b.

A dollar $ or caret assertion ^ matching the beginning or end of a line.

A back reference, that is, a term of the form \i or \k<name> in a regular expression.

A caret assertion ^ matching the beginning of a line.

A character escape in a regular expression.

A character class in a regular expression.

A character class escape in a regular expression.

A character range in a character class in a regular expression.

A constant regular expression term, that is, a regular expression term matching a single string.

A control character escape in a regular expression.

A decimal character escape in a regular expression.

A dollar assertion $ matching the end of a line.

A dot regular expression.

An escaped regular expression term, that is, a regular expression term starting with a backslash.

A grouped regular expression.

A hexadecimal character escape in a regular expression.

An identity escape, that is, an escaped character in a regular expression that just represents itself.

A regular expression literal.

A zero-width lookahead assertion.

A zero-width lookbehind assertion.

A negative-lookahead assertion.

A negative-lookbehind assertion.

A non-word boundary assertion.

A sequence of normal characters without special meaning in a regular expression.

An octal character escape in a regular expression.

An optional term.

An element containing a regular expression term, that is, either a regular expression literal, a string literal (parsed as a regular expression), or another regular expression term.

A parse error encountered while processing a regular expression literal.

A node whose value may flow to a position where it is interpreted as a part of a regular expression.

A plus-quantified term.

A positive-lookahead assertion.

A positive-lookbehind assertion.

A quantified regular expression term.

A range-quantified term

A sequence term.

A star-quantified term.

A zero-width lookahead or lookbehind assertion.

A regular expression term, that is, a syntactic part of a regular expression.

A unicode character escape in a regular expression.

A Unicode property escape in a regular expression.

A word boundary assertion.

A regular expression literal token.

A relational comparison using <, <=, >=, or >.

A data flow source of remote user input.

A representation of repository information for an NPM package.

A require import.

A resolved promise created by the standard ECMAScript 2015 Promise.resolve function.

A promise that is created using a .resolve() call.

A rest element in a tuple type, such as ...string[] in [number, ...string[]].

A return statement.

A satisfies type asserion of the form E satisfies T where E is an expression and T is a type.

A scope in which variables can be declared.

A program element that induces a scope.

A stand-alone file or script originating from an HTML <script> element.

A selective import that imports zero or more declarations.

A named export declaration that re-exports symbols imported from another module.

A sensitive action, such as transfer of sensitive data.

A function call that might produce sensitive data.

A classification of different kinds of sensitive data:

A function name that suggests it may produce sensitive data.

DEPRECATED: Use SensitiveNode instead. An expression that might contain sensitive data.

A function name that suggests it may be sensitive.

An expression that might contain sensitive data.

An access to a variable or property that might contain sensitive data.

A write to a location that might contain sensitive data.

A sequence expression (also known as comma expression).

A setter method declaration in a class or interface, either a concrete definition or a signature without a body.

A concrete setter method definition in a class, that is, a setter method with a function body

A setter method signature declared in a class or interface, that is, a setter method without a function body.

A shift expression.

A value indicating if a signature is a function or constructor signature.

A parameter declaration that is not an object or array pattern.

A legacy 6to5 directive.

A // comment.

A C-style block comment which is not a JSDoc comment.

A step through the slice-ansi library.

A spread element.

A spread property in an object literal.

An SSA definition.

An SSA definition that corresponds to an explicit assignment or other variable definition.

An SSA definition that does not correspond to an explicit variable definition.

An SSA definition representing the implicit initialization of a variable at the beginning of its scope.

An SSA phi node, that is, a pseudo-definition for a variable at a point in the flow graph where otherwise two or more definitions for the variable would be visible.

An SSA definition that has no actual semantics, but simply serves to merge or filter data flow.

A refinement node, that is, a pseudo-definition for a variable at a point in the flow graph where additional information about this variable becomes available that may restrict its possible set of values.

A variable that can be SSA converted, that is, a local variable.

An SSA variable.

An SSA definition representing the capturing of an SSA-convertible variable in the closure of a nested function.

A static initializer in a class.

A statement.

A program element that contains statements, but isn’t itself a statement, in other words a toplevel or a function.

A strict equality test using ===.

A strict equality test using !== or ===.

A strict mode declaration.

A strict inequality test using !==.

The string type or a string literal type.

A string literal, either single-quoted or double-quoted.

A string literal token.

A string literal as a static type.

A string literal used as a type.

A call to String.prototype.replace.

A call to String.prototype.split.

The predefined string type.

A step through the strip-ansi library.

A subtraction expression.

A super(...) call.

A super expression.

A property access on super.

A switch statement.

The symbol type or a specific unique symbol type.

A function generated by the extractor to implement a synthetic default constructor.

A synthetic CFG node that does not correspond to a statement or expression; examples include guard nodes and entry/exit nodes.

A data flow node that executes an operating system command, for instance by spawning a new process.

A SystemJS deps directive.

A SystemJS format directive.

A reference to a global variable for which there is a TypeScript type annotation suggesting that it contains the namespace object of a module.

A tagged template literal expression.

A constant template element.

A template literal.

A template literal used as a type.

A this expression.

A this type in a specific class or interface.

A use of the this type.

A this keyword used as the first operand to an is type.

A throw statement.

A token occurring in a piece of JavaScript source code.

A toplevel syntactic unit; that is, a stand-alone script, an inline script embedded in an HTML <script> tag, a code snippet assigned to an HTML event handler attribute, or a javascript: URL.

A try statement.

A tuple type, such as [number, string].

A tuple type such as [number, string].

A static type in the TypeScript type system.

A possibly qualified name that is used as part of a type, such as Date or http.ServerRequest.

A type alias declaration, that is, a statement of form type A = T.

A type that refers to a type alias.

A scope induced by a type alias declaration, containing the type parameters declared the the alias.

A type annotation, either in the form of a TypeScript type or a JSDoc comment.

A type assertion, also known as an unchecked type cast, is a TypeScript expression of form E as T or <T> E where E is an expression and T is a type.

An identifier declaring a type name, that is, the name of a class, interface, type parameter, or import.

A statement that defines a named type, that is, a class, interface, type alias, or enum declaration.

A type expression, that is, an AST node that is part of a TypeScript type annotation.

The canonical name for a type.

A type parameter declared on a class, interface, function, or type alias.

A program element that supports type parameters, that is, a function, class, interface, type alias, mapped type, or infer type.

A possibly qualified identifier that declares or refers to a type.

A type that refers to a class, interface, enum, or enum member.

A folder where TypeScript finds declaration files for imported modules.

A type that refers to a type variable.

A typeof expression.

The type of a named value, typeof X, typically denoting the type of a class constructor, namespace object, enum object, or module object.

A type of form typeof E where E is a possibly qualified name referring to a variable, function, class, or namespace.

An unsigned right-shift expression using >>>.

An expression with a unary operator.

The undefined type.

A union type or intersection type, such as string | number or T & U.

A union or intersection type, such as string|number|boolean or A & B.

A union type, such as string | number.

A union type, such as string|number|boolean.

A unique symbol type.

The trivial type with a single element.

The predefined unknown type.

An unreachable basic block, that is, a basic block whose first node is unreachable.

An update expression, that is, an increment or decrement expression.

A value property definition in an object literal.

An identifier that refers to a variable in a non-declaring position.

An identifier that declares a variable.

A var declaration statement.

A ControlFlowNode that defines (that is, initializes or updates) variables or properties.

An identifier that refers to a variable, either in a declaration or in a variable access.

A possibly qualified name that refers to a variable from inside a type.

A ControlFlowNode that uses (that is, reads from) a single variable.

A variable declared in a scope.

A variable declarator declaring a local or global variable.

A void expression.

The void type.

A value written to web storage, like localStorage or sessionStorage.

A while loop.

A with statement.

A step through the wrap-ansi library.

An exclusive ‘or’ expression.

An xUnit.js annotation, such as [Fixture] or [Data(23)] annotating a target declaration or definition.

An xUnit.js attribute appearing in an annotation.

An xUnit.js fact.

An xUnit.js Fact annotation.

An xUnit.js fixture.

An xUnit.js Fixture annotation.

A declaration or definition that can serve as the target of an xUnit.js annotation: a function declaration, a variable declaration, or an assignment.

An attribute that occurs inside an XML element.

A sequence of characters that occurs between opening and closing tags of an XML element, excluding other elements.

A comment in an XML file.

An XML document type definition (DTD).

An XML element in an XML file.

An XML file.

An XML element that has a location.

A namespace used in an XML file.

An XmlParent is either an XmlElement or an XmlFile, both of which can contain other elements.

A yield expression.

A YUI compressor directive.

An abstract value inferred by the flow analysis.

Provides classes and predicates for working with the API boundary between the current codebase and external libraries.

Provides a class ValueNode encompassing all program elements that evaluate to a value at runtime.

Provides predicates for associating access paths with data flow nodes.

Provides classes for working with Angular (also known as Angular 2.x) applications.

Provides classes for working with AngularJS (also known as Angular 1.x) applications.

Classes and predicates for modeling TaintTracking steps for arrays.

Provides classes for working with the bluebird library (http://bluebirdjs.com).

Provides predicates for reasoning about sanitization via the class-validator library.

Provides classes that model WebSockets clients.

Classes and predicates for reasoning about writes to cookies.

Companion module to the CredentialsExpr class.

Provides models for cryptographic things.

Provides classes and predicates modeling aspects of the d3 library.

Module containing the DeclarationSpace constants.

Provides classes for working with Fastify applications.

Provides classes for working with the express-fileupload package (https://github.com/richardgirges/express-fileupload);

Companion module to the FunctionCompositionCall class.

Provides classes modeling concepts of GraphQL connectors.

INTERNAL: Do not use.

Provides classes modeling the history library.

Provides classes and predicates for working with JSON schema libraries.

Provides classes and predicates for working with knex.

A module providing sinks and sanitizers for LDAP injection.

Provides a unified model of lodash and underscore.

A module providing taint-steps for common markdown parsers and generators.

Provides classes for recognizing membership candidates.

Classes and predicates for working with MooTools code.

Provides classes and predicates for reasoning about Nest.

Provides classes and predicates modeling Next.js.

Provides classes for modeling NoSql query sinks.

Provides classes for working with parse-torrent code.

Provides heuristics for classifying passwords.

This module defines how data-flow propagates into and out of a Promise. The data-flow is based on pseudo-properties rather than tainting the Promise object (which is what PromiseTaintStep does).

A module for supporting promises in type-tracking predicates. The PromiseTypeTracking::promiseStep predicate is used for type tracking in and out of promises, and is included in the standard type-tracking steps (SourceNode::track). The TypeTracker::startInPromise() predicate can be used to initiate a type-tracker where the tracked value is a promise.

Common predicates shared between type-tracking and data-flow for promises.

Provides classes modeling libraries implementing promisify functions. That is, functions that convert callback style functions to functions that return a promise.

Provides classes for working with punycode code.

Classes and predicates modeling the puppeteer library.

Provides classes for working with the q library (https://github.com/kriskowal/q) and the compatible kew library (https://github.com/Medium/kew).

Provides classes for working with query-string code.

Provides classes for working with querystring code.

Provides classes for working with querystringify code.

Contains predicates for reasoning about the relative numeric value of expressions.

Provides classes and predicates for reasoning about data flow through the redux package.

Provides utility predicates related to regular expressions.

Provides classes for working with Restify servers.

A model of routing trees, describing the composition of route handlers and middleware functions in a web server application. See Routing::Node for more details.

Provides predicates to select the different kinds of sensitive data we support.

Provides classes that model WebSocket servers.

Provides classes for working with server-side socket.io code (npm package socket.io).

Provides classes for working with client-side socket.io code (npm package socket.io-client).

Provides classes for working with Spife applications.

Provides classes for expressions that evaluate to constant values according to a bottom-up syntactic analysis.

Provides classes for modeling taint propagation.

Module for working with uses of the Trusted Types API.

Provides classes for working with uri-js code.

Provides classes for working with urijs code.

Provides classes for working with url code.

Provides classes for working with url-parse code.

Provides classes and predicates for working with the vuex library.

DEPRECATED: Alias for AsmJSDirective

DEPRECATED: Alias for AstNode

A bitwise ‘and’ expression.

A logical ‘and’ expression.

An index expression (also known as computed property access).

A compound assign expression.

A cryptographic block cipher mode of operation. This can be used to encrypt data of arbitrary length using a block encryption algorithm.

A Boolean literal, that is, either true or false.

A case or default clause in a switch statement.

A comparison expression, that is, either an equality test (==, !=, ===, !==) or a relational expression (<, <=, >=, >).

A cryptographic algorithm.

Provides classes for modeling new applications of a cryptographic algorithms.

DEPRECATED: Alias for DomGlobalVariable

A do-while loop.

An encryption algorithm such as DES or AES512.

An equality test using ==, !=, === or !==.

A dot expression.

DEPRECATED: Alias for Http

A hashing algorithm such as MD5 or SHA512.

An instanceof expression.

DEPRECATED: Alias for Json2CsvTaintStep

DEPRECATED: Alias for JsonArray

DEPRECATED: Alias for JsonBoolean

DEPRECATED: Alias for JsonNull

DEPRECATED: Alias for JsonNumber

DEPRECATED: Alias for JsonObject

DEPRECATED: Alias for JsonParseError

DEPRECATED: Alias for JsonPrimitiveValue

DEPRECATED: Alias for JsonString

DEPRECATED: Alias for JsonValue

DEPRECATED: Alias for JsxAttribute

DEPRECATED: Alias for JsxElement

DEPRECATED: Alias for JsxEmptyExpr

DEPRECATED: Alias for JsxFragment

DEPRECATED: Alias for JsxName

DEPRECATED: Alias for JsxNode

DEPRECATED: Alias for JsxPragma

DEPRECATED: Alias for JsxQualifiedName

DEPRECATED: Alias for JsxSpreadAttribute

DEPRECATED: Alias for JavaScriptUrl

A labeled statement.

A logical ‘and’ expression.

A logical negation expression.

A logical ‘or’ expression.

A loop, that is, a while loop, a do-while loop, a for loop, or a for-in loop.

Module containing hooks for providing input data to be interpreted as a model.

Module providing access to the imported models in terms of API graph nodes.

A block comment (which may be a JSDoc comment).

DEPRECATED: Alias for NpmPackage

DEPRECATED: Alias for NoSql

A bitwise ‘or’ expression.

A logical ‘or’ expression.

DEPRECATED: Alias for PackageJson

A parenthesized expression.

A parenthesized expression.

A password hashing algorithm such as PBKDF2 or SCRYPT.

DEPRECATED: Alias for PrettyJsonTaintStep

Provides default sources, sinks and sanitizers for reasoning about request forgery, as well as extension points for adding your own.

A relational comparison using <, <=, >=, or >.

A modulo expression.

DEPRECATED: Alias for Ssa

A line comment, that is, either an HTML comment or a // comment.

A super expression.

A case or default clause in a switch statement.

A this expression.

An identifier that refers to a variable in a non-declaring position.

DEPRECATED: Alias for XmlAttribute

DEPRECATED: Alias for XmlCharacters

DEPRECATED: Alias for XmlComment

DEPRECATED: Alias for XmlDtd

DEPRECATED: Alias for XmlElement

DEPRECATED: Alias for XmlFile

DEPRECATED: Alias for XmlLocatable

DEPRECATED: Alias for XmlNamespace

DEPRECATED: Alias for XmlParent

An exclusive ‘or’ expression.

DEPRECATED: Alias for YamlAliasNode

DEPRECATED: Alias for YamlBool

DEPRECATED: Alias for YamlCollection

DEPRECATED: Alias for YamlDocument

DEPRECATED: Alias for YamlFloat

DEPRECATED: Alias for YamlInclude

DEPRECATED: Alias for YamlInteger

DEPRECATED: Alias for YamlMapping

DEPRECATED: Alias for YamlMappingLikeNode

DEPRECATED: Alias for YamlMergeKey

DEPRECATED: Alias for YamlNode

DEPRECATED: Alias for YamlNull

DEPRECATED: Alias for YamlParseError

DEPRECATED: Alias for YamlScalar

DEPRECATED: Alias for YamlSequence

DEPRECATED: Alias for YamlString

DEPRECATED: Alias for YamlTimestamp

DEPRECATED: Alias for YamlValue

DEPRECATED: Alias for isDocumentUrl

Gets a data flow node that may refer to the jQuery $ function.

DEPRECATED: Alias for Punycode

DEPRECATED: Alias for Querydashstring

DEPRECATED: Alias for Querystring

DEPRECATED: Alias for Querystringify

DEPRECATED: Alias for Uridashjs

DEPRECATED: Alias for Urijs

DEPRECATED: Alias for Url

DEPRECATED: Alias for UrlParse