add tests

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -1,4 +1,14 @@
 typeInferenceMismatch
+| call-apply.js:25:14:25:21 | source() | call-apply.js:1:1:3:1 | the arguments object of function foo1 |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:5:1:7:1 | the arguments object of function foo2 |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:10:10:10:30 | reflective call |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:14:10:14:40 | reflective call |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:21:1:23:1 | the arguments object of function foo1_sink |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:27:6:27:32 | reflective call |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:30:6:30:35 | reflective call |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:62:3:64:3 | the arguments object of function sinkArguments1 |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:65:3:67:3 | the arguments object of function sinkArguments0 |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:69:3:72:3 | the arguments object of function fowardArguments |
 | destruct.js:20:7:20:14 | source() | destruct.js:13:14:13:19 | [a, b] |
 #select
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
@@ -12,6 +22,19 @@ typeInferenceMismatch
 | array-mutation.js:31:33:31:40 | source() | array-mutation.js:32:8:32:8 | h |
 | array-mutation.js:35:36:35:43 | source() | array-mutation.js:36:8:36:8 | i |
 | array-mutation.js:39:17:39:24 | source() | array-mutation.js:40:8:40:8 | j |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:17:8:17:13 | arr[1] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:22:8:22:13 | arr[6] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:27:8:27:13 | arr[0] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:28:8:28:13 | arr[1] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:33:8:33:13 | arr[0] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:34:8:34:13 | arr[1] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:35:8:35:13 | arr[2] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:36:8:36:13 | arr[3] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:37:8:37:13 | arr[4] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:38:8:38:13 | arr[5] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:43:10:43:15 | arr[i] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:55:10:55:15 | arr[i] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:61:10:61:13 | item |
 | arrays.js:2:15:2:22 | source() | arrays.js:5:10:5:20 | arrify(foo) |
 | arrays.js:2:15:2:22 | source() | arrays.js:8:10:8:22 | arrayIfy(foo) |
 | arrays.js:2:15:2:22 | source() | arrays.js:11:10:11:28 | union(["bla"], foo) |
@@ -28,6 +51,14 @@ typeInferenceMismatch
 | bound-function.js:45:10:45:17 | source() | bound-function.js:45:6:45:18 | id3(source()) |
 | bound-function.js:49:12:49:19 | source() | bound-function.js:54:6:54:14 | source0() |
 | bound-function.js:49:12:49:19 | source() | bound-function.js:55:6:55:14 | source1() |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:22:8:22:11 | arg1 |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:27:6:27:32 | foo1.ca ... ce, "") |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:30:6:30:35 | foo1.ap ... e, ""]) |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:44:6:44:28 | foo1_ca ... e, ""]) |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:45:6:45:28 | foo1_ca ... ource]) |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:63:10:63:21 | arguments[1] |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:66:10:66:21 | arguments[0] |
+| call-apply.js:85:17:85:24 | source() | call-apply.js:82:8:82:11 | this |
 | callbacks.js:4:6:4:13 | source() | callbacks.js:34:27:34:27 | x |
 | callbacks.js:4:6:4:13 | source() | callbacks.js:35:27:35:27 | x |
 | callbacks.js:5:6:5:13 | source() | callbacks.js:34:27:34:27 | x |

javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected

@@ -1,5 +1,12 @@
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
 | advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:17:8:17:13 | arr[1] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:22:8:22:13 | arr[6] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:28:8:28:13 | arr[1] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:34:8:34:13 | arr[1] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:43:10:43:15 | arr[i] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:55:10:55:15 | arr[i] |
+| arrays-init.js:2:16:2:23 | source() | arrays-init.js:61:10:61:13 | item |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:7:10:7:10 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:10:10:10:10 | x |
@@ -12,6 +19,12 @@
 | bound-function.js:45:10:45:17 | source() | bound-function.js:45:6:45:18 | id3(source()) |
 | bound-function.js:49:12:49:19 | source() | bound-function.js:54:6:54:14 | source0() |
 | bound-function.js:49:12:49:19 | source() | bound-function.js:55:6:55:14 | source1() |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:22:8:22:11 | arg1 |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:27:6:27:32 | foo1.ca ... ce, "") |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:30:6:30:35 | foo1.ap ... e, ""]) |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:44:6:44:28 | foo1_ca ... e, ""]) |
+| call-apply.js:25:14:25:21 | source() | call-apply.js:66:10:66:21 | arguments[0] |
+| call-apply.js:85:17:85:24 | source() | call-apply.js:82:8:82:11 | this |
 | callbacks.js:4:6:4:13 | source() | callbacks.js:34:27:34:27 | x |
 | callbacks.js:4:6:4:13 | source() | callbacks.js:35:27:35:27 | x |
 | callbacks.js:5:6:5:13 | source() | callbacks.js:34:27:34:27 | x |

javascript/ql/test/library-tests/TaintTracking/arrays-init.js

@@ -0,0 +1,63 @@
+(function () {
+  let source = source();
+
+  var str = "FALSE"; 
+
+  console.log("=== access by index (init by ctor) ===");
+  var arr = new Array(2);
+  arr[0] = str;
+  arr[1] = source;
+  arr[2] = 'b';
+  arr[3] = 'c';
+  arr[4] = 'd';
+  arr[5] = 'e';
+  arr[6] = source;
+
+  sink(arr[0]);       // OK
+  sink(arr[1]);       // NOT OK
+  sink(arr[2]);       // OK
+  sink(arr[3]);       // OK
+  sink(arr[4]);       // OK
+  sink(arr[5]);       // OK
+  sink(arr[6]);       // NOT OK
+  sink(str);          // OK
+
+  console.log("=== access by index (init by [...]) ===");
+  var arr = [str, source];
+  sink(arr[0]);       // OK
+  sink(arr[1]);       // NOT OK
+  sink(str);          // OK
+
+  console.log("=== access by index (init by [...], array.lenght > 5) ===");
+  var arr = [str, source, 'b', 'c', 'd', source];
+  sink(arr[0]);      // OK
+  sink(arr[1]);      // NOT OK
+  sink(arr[2]);      // OK
+  sink(arr[3]);      // OK
+  sink(arr[4]);      // OK
+  sink(arr[5]);      // NOT OK - but not flagged [INCONSISTENCY]
+
+  console.log("=== access in for (init by [...]) ===");
+  var arr = [str, source];
+  for (let i = 0; i < arr.length; i++) {
+    sink(arr[i]);    // NOT OK
+  }
+
+  console.log("=== access in for (init by [...]) w/o source ===");
+  var arr = [str, 'a'];
+  for (let i = 0; i < arr.length; i++) {
+    sink(arr[i]);    // OK
+  }
+
+  console.log("=== access in for (init by [...], array.lenght > 5) ===");
+  var arr = [str, 'a', 'b', 'c', 'd', source];
+  for (let i = 0; i < arr.length; i++) {
+    sink(arr[i]);    // NOT OK
+  }
+
+  console.log("=== access in forof (init by [...]) ===");
+  var arr = [str, source];
+  for (const item of arr) {
+    sink(item);       // NOT OK    
+  }
+}());

javascript/ql/test/library-tests/TaintTracking/call-apply.js

@@ -0,0 +1,85 @@
+function foo1(arg1, arg2) {
+  return arg1;
+}
+
+function foo2(arg1, arg2) {
+  return arg2;
+}
+
+function foo1_apply(arr) {
+  return foo1.apply(this, arr);
+}
+
+function foo1_call(arr) {
+  return foo1.call(this, arr[0], arr[1]);
+}
+
+function foo1_apply_sink(arr) {
+  foo1_sink.apply(this, arr);
+}
+
+function foo1_sink(arg1, arg2) {
+  sink(arg1); // NOT OK
+}
+
+var source = source();
+
+sink(foo1.call(null, source, "")); // NOT OK
+sink(foo2.call(null, source, "")); // OK
+
+sink(foo1.apply(null, [source, ""])); // NOT OK
+sink(foo2.apply(null, [source, ""])); // OK
+
+// doesn't work due to fundamental limitations of our dataflow analysis.
+// exactly (and I mean exactly) the same thing happens in the below `obj.foo` example.
+// in general we don't track flow that first goes through a call, and then a return, unless we can summarize it. 
+// in the other examples we can summarize the flow, because it's quite simple, but here we can't.
+// (try to read the QLDoc in the top of `Configuration.qll`, that might help). 
+sink(foo1_apply([source, ""])); // NOT OK - but not flagged [INCONSISTENCY]
+
+foo1_apply_sink([source, ""]); // This works, because we don't need a return after a call (the sink is inside the called function).
+
+sink(foo1_apply.apply(["", source])); // OK
+
+sink(foo1_call([source, ""])); // NOT OK
+sink(foo1_call(["", source])); // OK
+
+
+var obj = {
+  foo: source(),
+  bar: "safe"
+};
+
+function foo(x) {
+  return bar(x);
+}
+function bar(x) {
+  return x.foo;
+}
+sink(foo(obj)); // NOT OK - but not flagged [INCONSISTENCY]
+
+function argumentsObject() {
+  function sinkArguments1() {
+    sink(arguments[1]); // OK
+  }
+  function sinkArguments0() {
+    sink(arguments[0]); // NOT OK
+  }
+  
+  function fowardArguments() {
+    sinkArguments1.apply(this, arguments);
+    sinkArguments0.apply(this, arguments);
+  }
+  
+  fowardArguments.apply(this, [source, ""]);
+}
+
+function sinksThis() {
+  sinksThis2.apply(this, arguments);
+}
+
+function sinksThis2() {
+  sink(this); // NOT OK
+}
+
+sinksThis.apply(source(), []);