JS: Improve lodash model

Author: asgerf

javascript/ql/src/experimental/Security/CWE-94/ServerSideTemplateInjection.ql

@@ -57,6 +57,12 @@ class SSTINunjucksSink extends ServerSideTemplateInjectionSink {
   }
 }
 
+class LodashTemplateSink extends ServerSideTemplateInjectionSink {
+  LodashTemplateSink() {
+    this = LodashUnderscore::member("template").getACall().getArgument(0)
+  }
+}
+
 from DataFlow::PathNode source, DataFlow::PathNode sink, ServerSideTemplateInjectionConfiguration c
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,

javascript/ql/src/semmle/javascript/frameworks/LodashUnderscore.qll

@@ -407,7 +407,12 @@ module LodashUnderscore {
             "shuffle", "sample", "toArray", "partition", "compact", "first", "initial", "last",
             "rest", "flatten", "without", "difference", "uniq", "unique", "unzip", "transpose",
             "object", "chunk", "values", "mapObject", "pick", "omit", "defaults", "clone", "tap",
-            "identity"] and
+            "identity",
+            // String category
+            "camelCase", "capitalize", "deburr", "kebabCase", "lowerCase", "lowerFirst", "pad",
+            "padEnd", "padStart", "repeat", "replace", "snakeCase", "split", "startCase", "toLower",
+            "toUpper", "trim", "trimEnd", "trimStart", "truncate", "unescape", "upperCase",
+            "upperFirst", "words"] and
       pred = call.getArgument(0) and
       succ = call
       or