From 26f3b40d3591ec07806bdf1438df6e95030bd2c3 Mon Sep 17 00:00:00 2001
From: Vasco-jofra <11303847+Vasco-jofra@users.noreply.github.com>
Date: Sat, 14 Jun 2025 00:13:03 +0200
Subject: [PATCH] Add lodash GroupBy as taint step

---
 .../javascript/frameworks/LodashUnderscore.qll       | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll b/javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll
index 7c2e6aa37a58..202586227375 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll
@@ -341,6 +341,18 @@ module LodashUnderscore {
       preservesValue = true
     }
   }
+
+  private class LodashGroupBy extends DataFlow::SummarizedCallable {
+    LodashGroupBy() { this = "_.groupBy" }
+
+    override DataFlow::CallNode getACall() { result = member("groupBy").getACall() }
+
+    override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and
+      output = ["Argument[1].Parameter[0]", "ReturnValue"] and
+      preservesValue = false
+    }
+  }
 }
 
 /**