JS: Update test with pipes

2026-04-30 11:15:13 +02:00 · 2020-12-11 20:44:40 +00:00
parent d80313be4f
commit 0da207a5f9
6 changed files with 88 additions and 10 deletions
--- a/javascript/ql/test/library-tests/frameworks/Angular2/TestPipe.ts
+++ b/javascript/ql/test/library-tests/frameworks/Angular2/TestPipe.ts
@@ -0,0 +1,9 @@
+import { Pipe, PipeTransform } from '@angular/core';
+
+@Pipe({name: 'testPipe'})
+export class TestPipe implements PipeTransform {
+  transform(value: string, arg?: string): string {
+    document.body.innerHTML = value;
+    return value + arg;
+  }
+}
--- a/javascript/ql/test/library-tests/frameworks/Angular2/foo.component.html
+++ b/javascript/ql/test/library-tests/frameworks/Angular2/foo.component.html
@@ -1,4 +1,7 @@
 <other-component
-    [prop]="foo | bar"
-    [prop2]="foo | bar:'baz'"
+    [prop1]="foo"
+    [prop2]="foo | unknownPipe"
+    [prop3]="foo | unknownPipe:'safe'"
+    [prop4]="foo | testPipe:'safe'"
+    [prop5]="42 | testPipe:foo"
 ></other-component>
--- a/javascript/ql/test/library-tests/frameworks/Angular2/foo.component.ts
+++ b/javascript/ql/test/library-tests/frameworks/Angular2/foo.component.ts
@@ -8,6 +8,6 @@ export class Foo {
    foo: string;

    constructor() {
-        this.foo = "hello";
+        this.foo = source();
    }
 }
--- a/javascript/ql/test/library-tests/frameworks/Angular2/other.component.ts
+++ b/javascript/ql/test/library-tests/frameworks/Angular2/other.component.ts
@@ -0,0 +1,24 @@
+import { Component } from "@angular/core";
+import { DomSanitizer } from '@angular/platform-browser';
+
+@Component({
+    selector: "other-component",
+    template: "not important"
+})
+export class OtherComponent {
+    prop1: string;
+    prop2: string;
+    prop3: string;
+    prop4: string;
+    prop5: string;
+
+    constructor(private sanitizer: DomSanitizer) {}
+
+    foo() {
+        this.sanitizer.bypassSecurityTrustHtml(this.prop1);
+        this.sanitizer.bypassSecurityTrustHtml(this.prop2);
+        this.sanitizer.bypassSecurityTrustHtml(this.prop3);
+        this.sanitizer.bypassSecurityTrustHtml(this.prop4);
+        this.sanitizer.bypassSecurityTrustHtml(this.prop5);
+    }
+}
--- a/javascript/ql/test/library-tests/frameworks/Angular2/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/Angular2/test.expected
@@ -1,10 +1,27 @@
 pipeRef
-| foo.component.html:2:19:2:21 | bar |
-| foo.component.html:3:20:3:28 | bar:'baz' |
+| foo.component.html:3:20:3:30 | unknownPipe |
+| foo.component.html:4:20:4:30 | unknownPipe |
+| foo.component.html:5:20:5:27 | testPipe |
+| foo.component.html:6:19:6:26 | testPipe |
 pipeCall
-| foo.component.html:2:13:2:21 | foo \| bar |
-| foo.component.html:3:14:3:28 | foo \| bar:'baz' |
+| foo.component.html:3:14:3:30 | foo \| unknownPipe |
+| foo.component.html:4:14:4:37 | foo \| u ... :'safe' |
+| foo.component.html:5:14:5:34 | foo \| t ... :'safe' |
+| foo.component.html:6:14:6:30 | 42 \| testPipe:foo |
 pipeCallArg
-| 0 | foo.component.html:2:13:2:15 | foo | foo.component.html:2:13:2:21 | foo \| bar |
-| 0 | foo.component.html:3:14:3:16 | foo | foo.component.html:3:14:3:28 | foo \| bar:'baz' |
-| 1 | foo.component.html:3:24:3:28 | 'baz' | foo.component.html:3:14:3:28 | foo \| bar:'baz' |
+| 0 | foo.component.html:3:14:3:16 | foo | foo.component.html:3:14:3:30 | foo \| unknownPipe |
+| 0 | foo.component.html:4:14:4:16 | foo | foo.component.html:4:14:4:37 | foo \| u ... :'safe' |
+| 0 | foo.component.html:5:14:5:16 | foo | foo.component.html:5:14:5:34 | foo \| t ... :'safe' |
+| 0 | foo.component.html:6:14:6:15 | 42 | foo.component.html:6:14:6:30 | 42 \| testPipe:foo |
+| 1 | foo.component.html:4:32:4:37 | 'safe' | foo.component.html:4:14:4:37 | foo \| u ... :'safe' |
+| 1 | foo.component.html:5:29:5:34 | 'safe' | foo.component.html:5:14:5:34 | foo \| t ... :'safe' |
+| 1 | foo.component.html:6:28:6:30 | foo | foo.component.html:6:14:6:30 | 42 \| testPipe:foo |
+pipeClass
+| TestPipe.ts:4:8:9:1 | class T ... ;\\n  }\\n} |
+pipeClassRef
+| TestPipe.ts:4:8:9:1 | class T ... ;\\n  }\\n} | foo.component.html:5:20:5:27 | testPipe |
+| TestPipe.ts:4:8:9:1 | class T ... ;\\n  }\\n} | foo.component.html:6:19:6:26 | testPipe |
+taintFlow
+| foo.component.ts:11:20:11:27 | source() | other.component.ts:18:48:18:57 | this.prop1 |
+| foo.component.ts:11:20:11:27 | source() | other.component.ts:21:48:21:57 | this.prop4 |
+| foo.component.ts:11:20:11:27 | source() | other.component.ts:22:48:22:57 | this.prop5 |
--- a/javascript/ql/test/library-tests/frameworks/Angular2/test.ql
+++ b/javascript/ql/test/library-tests/frameworks/Angular2/test.ql
@@ -1,4 +1,5 @@
 import javascript
+private import semmle.javascript.security.dataflow.Xss

 query Angular2::PipeRefExpr pipeRef() { any() }

@@ -10,3 +11,27 @@ query CallExpr pipeCallArg(int i, Expr arg) {
  result.getCallee() instanceof Angular2::PipeRefExpr and
  result.getArgument(i) = arg
 }
+
+query Angular2::PipeClass pipeClass() { any() }
+
+query DataFlow::Node pipeClassRef(Angular2::PipeClass cls) {
+  result = cls.getAPipeRef()
+}
+
+class TaintConfig extends TaintTracking::Configuration {
+  TaintConfig() {
+    this = "TaintConfig"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.(DataFlow::CallNode).getCalleeName() = "source"
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof DomBasedXss::Sink
+  }
+}
+
+query predicate taintFlow(DataFlow::Node source, DataFlow::Node sink) {
+  any(TaintConfig c).hasFlow(source, sink)
+}