Merge branch 'main' into js-use-shared-cryptography

This commit is contained in:
Alex Ford
2023-02-15 17:13:53 +00:00
committed by GitHub
774 changed files with 129170 additions and 17057 deletions


@@ -1,6 +1,6 @@
name: codeql/javascript-experimental-atm-lib
description: CodeQL libraries for the experimental ML-powered queries
version: 0.4.7
version: 0.4.8
extractor: javascript
library: true
groups:


@@ -1,7 +1,7 @@
name: codeql/javascript-experimental-atm-queries
description: Experimental ML-powered queries for JavaScript
language: javascript
version: 0.4.7
version: 0.4.8
suites: codeql-suites
defaultSuiteFile: codeql-suites/javascript-atm-code-scanning.qls
groups:


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added dataflow sources for the [express-ws](https://www.npmjs.com/package/express-ws) library.


@@ -147,7 +147,9 @@ module MembershipCandidate {
child instanceof RegExpConstant or
child instanceof RegExpAlt or
child instanceof RegExpGroup
)
) and
// exclude "length matches" that match every string
not this.getAChild*() instanceof RegExpDot
}
/**
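Review bot: The comment on the new exclusion, `// exclude "length matches" that match every string`, understates what `not this.getAChild*() instanceof RegExpDot` does: it rejects any candidate with a `.` term anywhere in the regexp, not only bare length checks such as /^.{1,64}$/. A more precise comment would be `// exclude candidates containing a wildcard ".", e.g. "length matches" like /^.{1,64}$/ that accept every string of a given length`. The enclosing characteristic predicate starts before this hunk, so I cannot see which other exclusions it already applies.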


@@ -120,6 +120,13 @@ private File resolveMainPath(PackageJson pkg, string mainPath, int priority) {
priority - 999) // very high priority, to make sure everything else is tried first
)
)
or
not exists(MainModulePath::of(pkg, _)) and
exists(Folder parent |
parent = pkg.getFile().getParentContainer() and
result = tryExtensions(parent, "index", priority) and
mainPath = "."
)
}
/**
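Review bot: The new fallback disjunct does not say what the `mainPath = "."` binding means to callers of `resolveMainPath`, and from this hunk alone a reader cannot tell whether "." is a sentinel or a real path string. I would add `// no main path declared: fall back to index.* in the package directory and report "." as the main path` above `not exists(MainModulePath::of(pkg, _))`. It is also worth confirming that passing `priority` unchanged here, while the branch above uses `priority - 999` for its "very high priority" case, gives this fallback the intended precedence; the predicate starts before this hunk so I cannot verify the ordering.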


@@ -45,6 +45,9 @@ private DataFlow::Node getAValueExportedByPackage() {
// module.exports = new Foo();
exists(DataFlow::SourceNode callee |
callee = getAValueExportedByPackage().(DataFlow::NewNode).getCalleeNode().getALocalSource()
or
callee.(DataFlow::ClassNode).getConstructor() =
getAValueExportedByPackage().(DataFlow::NewNode).getCalleeNode().getAFunctionValue()
|
result = callee.getAPropertyRead("prototype").getAPropertyWrite(publicPropertyName()).getRhs()
or


@@ -214,7 +214,13 @@ module ServerWebSocket {
class ServerSocket extends EventEmitter::Range, DataFlow::SourceNode {
LibraryName library;
ServerSocket() { this = getAConnectionCall(library).getCallback(1).getParameter(0) }
ServerSocket() {
this = getAConnectionCall(library).getCallback(1).getParameter(0)
or
// support for the express-ws library: https://www.npmjs.com/package/express-ws
library = ws() and
this = Express::appCreation().getAMemberCall("ws").getABoundCallbackParameter(1, 0)
}
/**
* Gets the name of the library that created this server socket.
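Review bot: The new express-ws branch binds `library = ws()` without saying why, so a reader may wonder whether express-ws should be its own LibraryName. Presumably this is because express-ws hands the handler a plain ws socket; a comment such as `// express-ws exposes ordinary ws sockets, so it shares the ws library name` would make that explicit. The `getABoundCallbackParameter(1, 0)` index pair also deserves a note that argument 1 of `app.ws(path, handler)` is the handler and parameter 0 of that handler is the socket (the request is parameter 1). The class ServerSocket continues past the end of this hunk.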


@@ -89,7 +89,14 @@ module Cryptography {
* data of arbitrary length using a block encryption algorithm.
*/
class BlockMode extends string {
BlockMode() { this = ["ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP"] }
BlockMode() {
this =
[
"ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP",
"XTS", // https://csrc.nist.gov/publications/detail/sp/800-38e/final
"EAX" // https://en.wikipedia.org/wiki/EAX_mode
]
}
/** Holds if this block mode is considered to be insecure. */
predicate isWeak() { this = "ECB" }


@@ -287,6 +287,8 @@ module DomBasedXss {
private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
private class HtmlSanitizerAsSanitizer extends Sanitizer instanceof HtmlSanitizerCall { }
/**
* Holds if there exists two dataflow edges to `succ`, where one edges is sanitized, and the other edge starts with `pred`.
*/


@@ -81,4 +81,14 @@ module RequestForgery {
override string getKind() { result = "endpoint" }
}
private import Xss as Xss
/**
* A call to `encodeURI` or `encodeURIComponent`, viewed as a sanitizer for request forgery.
* These calls will escape "/" to "%2F", which is not a problem for request forgery.
* The result from calling `encodeURI` or `encodeURIComponent` is not a valid URL, and only makes sense
* as a part of a URL.
*/
class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer { }
}
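Review bot: The QLDoc on the new `UriEncodingSanitizer` states that `encodeURI` escapes "/" to "%2F", but `encodeURI` leaves reserved characters such as `/`, `?`, `#`, `:` and `@` unescaped; only `encodeURIComponent` percent-encodes them. If `Xss::Shared::UriEncodingSanitizer` really matches both calls (its definition is outside this hunk), a value passed through `encodeURI` can still contribute path separators to the request URL, and treating it as a request-forgery sanitizer is too permissive. I would either restrict this class to `encodeURIComponent` or correct the comment to `* encodeURIComponent escapes "/" to "%2F"; encodeURI does not, so only the former is treated as a sanitizer here.`. The check-path.js fixture changed in this commit exercises only `encodeURIComponent`, so a negative case using `encodeURI` would document whichever decision is taken.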


@@ -14,8 +14,20 @@
predicate isStrongHashingAlgorithm(string name) {
name =
[
// see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#blake2
// and https://www.blake2.net/
"BLAKE2", "BLAKE2B", "BLAKE2S",
// see https://github.com/BLAKE3-team/BLAKE3
"BLAKE3",
//
"DSA", "ED25519", "ES256", "ECDSA256", "ES384", "ECDSA384", "ES512", "ECDSA512", "SHA2",
"SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512"
"SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512",
// see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#cryptography.hazmat.primitives.hashes.SHAKE128
"SHAKE128", "SHAKE256",
// see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sm3
"SM3",
// see https://security.stackexchange.com/a/216297
"WHIRLPOOL",
]
}
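Review bot: `SHAKE128` and `SHAKE256` are extendable-output functions whose security level depends on the output length the caller requests, so listing them unconditionally in `isStrongHashingAlgorithm` classifies a call that asks for a short digest as strong too. If the analysis cannot observe the requested length, a comment recording that assumption, `// XOFs: assumed to be used with an output length of at least 256 bits`, above the `"SHAKE128", "SHAKE256",` entry would at least make the limitation explicit. The same holds for the other new entries only if the analysis keys purely on the algorithm name, which is what the predicate's `name =` form suggests.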


@@ -15,20 +15,10 @@ nodes
| check-path.js:19:13:19:43 | 'test.c ... tainted |
| check-path.js:19:27:19:43 | req.query.tainted |
| check-path.js:19:27:19:43 | req.query.tainted |
| check-path.js:22:13:22:63 | 'test.c ... ainted) |
| check-path.js:22:13:22:63 | 'test.c ... ainted) |
| check-path.js:22:27:22:63 | encodeU ... ainted) |
| check-path.js:22:46:22:62 | req.query.tainted |
| check-path.js:22:46:22:62 | req.query.tainted |
| check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:23:27:23:43 | req.query.tainted |
| check-path.js:23:27:23:43 | req.query.tainted |
| check-path.js:24:13:24:65 | `/addre ... nted)}` |
| check-path.js:24:13:24:65 | `/addre ... nted)}` |
| check-path.js:24:27:24:63 | encodeU ... ainted) |
| check-path.js:24:46:24:62 | req.query.tainted |
| check-path.js:24:46:24:62 | req.query.tainted |
| check-path.js:33:15:33:45 | 'test.c ... tainted |
| check-path.js:33:15:33:45 | 'test.c ... tainted |
| check-path.js:33:29:33:45 | req.query.tainted |
@@ -41,6 +31,10 @@ nodes
| check-path.js:45:13:45:44 | `${base ... inted}` |
| check-path.js:45:26:45:42 | req.query.tainted |
| check-path.js:45:26:45:42 | req.query.tainted |
| check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:16:29:16:45 | req.query.tainted |
| check-regex.js:16:29:16:45 | req.query.tainted |
| check-regex.js:24:15:24:42 | baseURL ... tainted |
| check-regex.js:24:15:24:42 | baseURL ... tainted |
| check-regex.js:24:25:24:42 | req.params.tainted |
@@ -97,18 +91,10 @@ edges
| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
| check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted |
| check-path.js:22:27:22:63 | encodeU ... ainted) | check-path.js:22:13:22:63 | 'test.c ... ainted) |
| check-path.js:22:27:22:63 | encodeU ... ainted) | check-path.js:22:13:22:63 | 'test.c ... ainted) |
| check-path.js:22:46:22:62 | req.query.tainted | check-path.js:22:27:22:63 | encodeU ... ainted) |
| check-path.js:22:46:22:62 | req.query.tainted | check-path.js:22:27:22:63 | encodeU ... ainted) |
| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` |
| check-path.js:24:27:24:63 | encodeU ... ainted) | check-path.js:24:13:24:65 | `/addre ... nted)}` |
| check-path.js:24:27:24:63 | encodeU ... ainted) | check-path.js:24:13:24:65 | `/addre ... nted)}` |
| check-path.js:24:46:24:62 | req.query.tainted | check-path.js:24:27:24:63 | encodeU ... ainted) |
| check-path.js:24:46:24:62 | req.query.tainted | check-path.js:24:27:24:63 | encodeU ... ainted) |
| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
| check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted |
@@ -121,6 +107,10 @@ edges
| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
| check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` |
| check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted |
| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
| check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted |
@@ -167,12 +157,11 @@ edges
| check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | check-domain.js:26:15:26:27 | req.query.url | The URL of this request depends on a user-provided value. |
| check-middleware.js:9:13:9:43 | "test.c ... tainted | check-middleware.js:9:27:9:43 | req.query.tainted | check-middleware.js:9:13:9:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
| check-path.js:19:13:19:43 | 'test.c ... tainted | check-path.js:19:27:19:43 | req.query.tainted | check-path.js:19:13:19:43 | 'test.c ... tainted | The URL of this request depends on a user-provided value. |
| check-path.js:22:13:22:63 | 'test.c ... ainted) | check-path.js:22:46:22:62 | req.query.tainted | check-path.js:22:13:22:63 | 'test.c ... ainted) | The URL of this request depends on a user-provided value. |
| check-path.js:23:13:23:45 | `/addre ... inted}` | check-path.js:23:27:23:43 | req.query.tainted | check-path.js:23:13:23:45 | `/addre ... inted}` | The URL of this request depends on a user-provided value. |
| check-path.js:24:13:24:65 | `/addre ... nted)}` | check-path.js:24:46:24:62 | req.query.tainted | check-path.js:24:13:24:65 | `/addre ... nted)}` | The URL of this request depends on a user-provided value. |
| check-path.js:33:15:33:45 | 'test.c ... tainted | check-path.js:33:29:33:45 | req.query.tainted | check-path.js:33:15:33:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. |
| check-path.js:37:15:37:45 | 'test.c ... tainted | check-path.js:37:29:37:45 | req.query.tainted | check-path.js:37:15:37:45 | 'test.c ... tainted | The URL of this request depends on a user-provided value. |
| check-path.js:45:13:45:44 | `${base ... inted}` | check-path.js:45:26:45:42 | req.query.tainted | check-path.js:45:13:45:44 | `${base ... inted}` | The URL of this request depends on a user-provided value. |
| check-regex.js:16:15:16:45 | "test.c ... tainted | check-regex.js:16:29:16:45 | req.query.tainted | check-regex.js:16:15:16:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
| check-regex.js:24:15:24:42 | baseURL ... tainted | check-regex.js:24:25:24:42 | req.params.tainted | check-regex.js:24:15:24:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |
| check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
| check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |


@@ -19,9 +19,9 @@ app.get('/check-with-axios', req => {
axios.get('test.com/' + req.query.tainted); // SSRF
axios.get('test.com/' + Number(req.query.tainted)); // OK
axios.get('test.com/' + req.user.id); // OK
axios.get('test.com/' + encodeURIComponent(req.query.tainted)); // SSRF
axios.get('test.com/' + encodeURIComponent(req.query.tainted)); // OK
axios.get(`/addresses/${req.query.tainted}`); // SSRF
axios.get(`/addresses/${encodeURIComponent(req.query.tainted)}`); // SSRF
axios.get(`/addresses/${encodeURIComponent(req.query.tainted)}`); // OK
if (Number.isInteger(req.query.tainted)) {
axios.get('test.com/' + req.query.tainted); // OK


@@ -293,6 +293,14 @@ nodes
| lib/lib.js:555:25:555:37 | ["-rf", name] |
| lib/lib.js:555:33:555:36 | name |
| lib/lib.js:555:33:555:36 | name |
| lib/lib.js:558:41:558:44 | name |
| lib/lib.js:558:41:558:44 | name |
| lib/lib.js:560:26:560:29 | name |
| lib/lib.js:560:26:560:29 | name |
| lib/lib.js:562:26:562:29 | name |
| lib/lib.js:562:26:562:29 | name |
| lib/lib.js:566:26:566:29 | name |
| lib/lib.js:566:26:566:29 | name |
| lib/subLib2/compiled-file.ts:3:26:3:29 | name |
| lib/subLib2/compiled-file.ts:3:26:3:29 | name |
| lib/subLib2/compiled-file.ts:4:25:4:28 | name |
@@ -683,6 +691,18 @@ edges
| lib/lib.js:551:33:551:36 | args | lib/lib.js:552:23:552:26 | args |
| lib/lib.js:555:25:555:37 | ["-rf", name] | lib/lib.js:551:33:551:36 | args |
| lib/lib.js:555:33:555:36 | name | lib/lib.js:555:25:555:37 | ["-rf", name] |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:560:26:560:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:560:26:560:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:560:26:560:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:560:26:560:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:562:26:562:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:562:26:562:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:562:26:562:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:562:26:562:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name |
| lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name |
| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
@@ -803,6 +823,9 @@ edges
| lib/lib.js:545:11:545:26 | "rm -rf " + name | lib/lib.js:509:39:509:42 | name | lib/lib.js:545:23:545:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:509:39:509:42 | name | library input | lib/lib.js:545:3:545:27 | cp.exec ... + name) | shell command |
| lib/lib.js:552:23:552:26 | args | lib/lib.js:550:39:550:42 | name | lib/lib.js:552:23:552:26 | args | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:550:39:550:42 | name | library input | lib/lib.js:552:9:552:38 | cp.spaw ... wnOpts) | shell command |
| lib/lib.js:555:33:555:36 | name | lib/lib.js:550:39:550:42 | name | lib/lib.js:555:33:555:36 | name | This shell argument which depends on $@ is later used in a $@. | lib/lib.js:550:39:550:42 | name | library input | lib/lib.js:552:9:552:38 | cp.spaw ... wnOpts) | shell command |
| lib/lib.js:560:14:560:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:560:26:560:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:560:9:560:30 | exec("r ... + name) | shell command |
| lib/lib.js:562:14:562:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:562:26:562:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:562:9:562:30 | exec("r ... + name) | shell command |
| lib/lib.js:566:14:566:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:566:9:566:30 | exec("r ... + name) | shell command |
| lib/subLib2/compiled-file.ts:4:13:4:28 | "rm -rf " + name | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/compiled-file.ts:3:26:3:29 | name | library input | lib/subLib2/compiled-file.ts:4:5:4:29 | cp.exec ... + name) | shell command |
| lib/subLib2/special-file.js:4:10:4:25 | "rm -rf " + name | lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/special-file.js:3:28:3:31 | name | library input | lib/subLib2/special-file.js:4:2:4:26 | cp.exec ... + name) | shell command |
| lib/subLib3/my-file.ts:4:10:4:25 | "rm -rf " + name | lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib3/my-file.ts:3:28:3:31 | name | library input | lib/subLib3/my-file.ts:4:2:4:26 | cp.exec ... + name) | shell command |


@@ -553,4 +553,18 @@ module.exports.shellThing = function (name) {
}
indirectShell("rm", ["-rf", name], {shell: true});
}
}
module.exports.badSanitizer = function (name) {
if (!name.match(/^(.|\.){1,64}$/)) { // <- bad sanitizer
exec("rm -rf " + name); // NOT OK
} else {
exec("rm -rf " + name); // NOT OK
}
if (!name.match(/^\w{1,64}$/)) { // <- good sanitizer
exec("rm -rf " + name); // NOT OK
} else {
exec("rm -rf " + name); // OK
}
}


@@ -139,4 +139,11 @@ const cashDom = require("cash-dom");
const src = document.getElementById("#link").src;
cash("#id").html(src); // NOT OK.
cashDom("#id").html(src); // NOT OK
var DOMPurify = {
sanitize: function (src) {
return src; // to model spuriously finding an edge. The below is still OK.
}
};
cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); // OK
})();


@@ -89,6 +89,10 @@ nodes
| express.js:34:17:34:35 | req.param("wobble") |
| express.js:43:15:43:19 | taint |
| express.js:43:15:43:19 | taint |
| express.js:49:30:49:32 | msg |
| express.js:49:30:49:32 | msg |
| express.js:50:10:50:12 | msg |
| express.js:50:10:50:12 | msg |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
@@ -225,6 +229,10 @@ edges
| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg |
| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg |
| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg |
| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |
@@ -321,6 +329,7 @@ edges
| express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | This code execution depends on a $@. | express.js:21:19:21:48 | req.par ... ntext") | user-provided value |
| express.js:27:34:27:38 | taint | express.js:26:17:26:35 | req.param("wobble") | express.js:27:34:27:38 | taint | This code execution depends on a $@. | express.js:26:17:26:35 | req.param("wobble") | user-provided value |
| express.js:43:15:43:19 | taint | express.js:34:17:34:35 | req.param("wobble") | express.js:43:15:43:19 | taint | This code execution depends on a $@. | express.js:34:17:34:35 | req.param("wobble") | user-provided value |
| express.js:50:10:50:12 | msg | express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | This code execution depends on a $@. | express.js:49:30:49:32 | msg | user-provided value |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
| react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |


@@ -93,6 +93,10 @@ nodes
| express.js:34:17:34:35 | req.param("wobble") |
| express.js:43:15:43:19 | taint |
| express.js:43:15:43:19 | taint |
| express.js:49:30:49:32 | msg |
| express.js:49:30:49:32 | msg |
| express.js:50:10:50:12 | msg |
| express.js:50:10:50:12 | msg |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
| module.js:9:16:9:29 | req.query.code |
@@ -233,6 +237,10 @@ edges
| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint |
| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg |
| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg |
| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg |
| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |


@@ -42,4 +42,11 @@ app.get('/terminal', function(req, res) {
shell.write(taint); // NOT OK
});
require("express-ws")(app);
app.ws("/socket-thing/", function (ws, req) {
ws.on("message", function (msg) {
eval(msg); // NOT OK
});
});


@@ -44,6 +44,8 @@
| lib/subLib4/factory.js:8:3:8:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
| lib/subLib5/feature.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
| lib/subLib5/main.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
| lib/subLib5/subclass.js:5:6:5:7 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
| lib/subLib6/index.js:2:4:2:5 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
| lib/sublib/factory.js:13:14:13:15 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
| polynomial-redos.js:7:24:7:26 | \\s+ | Strings with many repetitions of '\\t' can start matching anywhere after the start of the preceeding \\s+$ |
| polynomial-redos.js:8:17:8:18 | * | Strings with many repetitions of ' ' can start matching anywhere after the start of the preceeding *, * |


@@ -78,6 +78,14 @@ nodes
| lib/subLib5/main.js:1:28:1:31 | name |
| lib/subLib5/main.js:2:13:2:16 | name |
| lib/subLib5/main.js:2:13:2:16 | name |
| lib/subLib5/subclass.js:4:10:4:13 | name |
| lib/subLib5/subclass.js:4:10:4:13 | name |
| lib/subLib5/subclass.js:5:16:5:19 | name |
| lib/subLib5/subclass.js:5:16:5:19 | name |
| lib/subLib6/index.js:1:32:1:35 | name |
| lib/subLib6/index.js:1:32:1:35 | name |
| lib/subLib6/index.js:2:14:2:17 | name |
| lib/subLib6/index.js:2:14:2:17 | name |
| lib/sublib/factory.js:12:26:12:29 | name |
| lib/sublib/factory.js:12:26:12:29 | name |
| lib/sublib/factory.js:13:24:13:27 | name |
@@ -315,6 +323,14 @@ edges
| lib/subLib5/main.js:1:28:1:31 | name | lib/subLib5/main.js:2:13:2:16 | name |
| lib/subLib5/main.js:1:28:1:31 | name | lib/subLib5/main.js:2:13:2:16 | name |
| lib/subLib5/main.js:1:28:1:31 | name | lib/subLib5/main.js:2:13:2:16 | name |
| lib/subLib5/subclass.js:4:10:4:13 | name | lib/subLib5/subclass.js:5:16:5:19 | name |
| lib/subLib5/subclass.js:4:10:4:13 | name | lib/subLib5/subclass.js:5:16:5:19 | name |
| lib/subLib5/subclass.js:4:10:4:13 | name | lib/subLib5/subclass.js:5:16:5:19 | name |
| lib/subLib5/subclass.js:4:10:4:13 | name | lib/subLib5/subclass.js:5:16:5:19 | name |
| lib/subLib6/index.js:1:32:1:35 | name | lib/subLib6/index.js:2:14:2:17 | name |
| lib/subLib6/index.js:1:32:1:35 | name | lib/subLib6/index.js:2:14:2:17 | name |
| lib/subLib6/index.js:1:32:1:35 | name | lib/subLib6/index.js:2:14:2:17 | name |
| lib/subLib6/index.js:1:32:1:35 | name | lib/subLib6/index.js:2:14:2:17 | name |
| lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
| lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
| lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
@@ -488,6 +504,8 @@ edges
| lib/subLib4/factory.js:8:2:8:17 | /f*g/.test(name) | lib/subLib4/factory.js:7:27:7:30 | name | lib/subLib4/factory.js:8:13:8:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/subLib4/factory.js:8:3:8:4 | f* | regular expression | lib/subLib4/factory.js:7:27:7:30 | name | library input |
| lib/subLib5/feature.js:2:2:2:17 | /a*b/.test(name) | lib/subLib5/feature.js:1:28:1:31 | name | lib/subLib5/feature.js:2:13:2:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/subLib5/feature.js:2:3:2:4 | a* | regular expression | lib/subLib5/feature.js:1:28:1:31 | name | library input |
| lib/subLib5/main.js:2:2:2:17 | /a*b/.test(name) | lib/subLib5/main.js:1:28:1:31 | name | lib/subLib5/main.js:2:13:2:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/subLib5/main.js:2:3:2:4 | a* | regular expression | lib/subLib5/main.js:1:28:1:31 | name | library input |
| lib/subLib5/subclass.js:5:5:5:20 | /a*b/.test(name) | lib/subLib5/subclass.js:4:10:4:13 | name | lib/subLib5/subclass.js:5:16:5:19 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/subLib5/subclass.js:5:6:5:7 | a* | regular expression | lib/subLib5/subclass.js:4:10:4:13 | name | library input |
| lib/subLib6/index.js:2:3:2:18 | /f*g/.test(name) | lib/subLib6/index.js:1:32:1:35 | name | lib/subLib6/index.js:2:14:2:17 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/subLib6/index.js:2:4:2:5 | f* | regular expression | lib/subLib6/index.js:1:32:1:35 | name | library input |
| lib/sublib/factory.js:13:13:13:28 | /f*g/.test(name) | lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/sublib/factory.js:13:14:13:15 | f* | regular expression | lib/sublib/factory.js:12:26:12:29 | name | library input |
| polynomial-redos.js:7:2:7:34 | tainted ... /g, '') | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:7:2:7:8 | tainted | This $@ that depends on $@ may run slow on strings with many repetitions of '\\t'. | polynomial-redos.js:7:24:7:26 | \\s+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
| polynomial-redos.js:8:2:8:23 | tainted ... *, */) | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:8:2:8:8 | tainted | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | polynomial-redos.js:8:17:8:18 | * | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |


@@ -1,3 +1,6 @@
module.exports = function (name) {
/a*b/.test(name); // NOT OK
};
const SubClass = require('./subclass');
module.exports.SubClass = new SubClass();


@@ -0,0 +1,9 @@
class Subclass {
constructor() {}
define(name) {
/a*b/.test(name); // NOT OK
}
}
module.exports = Subclass;


@@ -0,0 +1,3 @@
module.exports.foo = function (name) {
/f*g/.test(name); // NOT OK
}


@@ -0,0 +1,4 @@
{
"name": "my-sub-lib",
"version": "0.0.7"
}


@@ -88,6 +88,19 @@ nodes
| serverSide.js:115:25:115:35 | request.url |
| serverSide.js:117:27:117:29 | url |
| serverSide.js:117:27:117:29 | url |
| serverSide.js:123:9:123:52 | tainted |
| serverSide.js:123:19:123:42 | url.par ... , true) |
| serverSide.js:123:19:123:48 | url.par ... ).query |
| serverSide.js:123:19:123:52 | url.par ... ery.url |
| serverSide.js:123:29:123:35 | req.url |
| serverSide.js:123:29:123:35 | req.url |
| serverSide.js:127:14:127:20 | tainted |
| serverSide.js:127:14:127:20 | tainted |
| serverSide.js:130:9:130:45 | myUrl |
| serverSide.js:130:17:130:45 | `${some ... inted}` |
| serverSide.js:130:37:130:43 | tainted |
| serverSide.js:131:15:131:19 | myUrl |
| serverSide.js:131:15:131:19 | myUrl |
edges
| serverSide.js:14:9:14:52 | tainted | serverSide.js:18:13:18:19 | tainted |
| serverSide.js:14:9:14:52 | tainted | serverSide.js:18:13:18:19 | tainted |
@@ -172,6 +185,18 @@ edges
| serverSide.js:115:17:115:42 | new URL ... , base) | serverSide.js:115:11:115:42 | url |
| serverSide.js:115:25:115:35 | request.url | serverSide.js:115:17:115:42 | new URL ... , base) |
| serverSide.js:115:25:115:35 | request.url | serverSide.js:115:17:115:42 | new URL ... , base) |
| serverSide.js:123:9:123:52 | tainted | serverSide.js:127:14:127:20 | tainted |
| serverSide.js:123:9:123:52 | tainted | serverSide.js:127:14:127:20 | tainted |
| serverSide.js:123:9:123:52 | tainted | serverSide.js:130:37:130:43 | tainted |
| serverSide.js:123:19:123:42 | url.par ... , true) | serverSide.js:123:19:123:48 | url.par ... ).query |
| serverSide.js:123:19:123:48 | url.par ... ).query | serverSide.js:123:19:123:52 | url.par ... ery.url |
| serverSide.js:123:19:123:52 | url.par ... ery.url | serverSide.js:123:9:123:52 | tainted |
| serverSide.js:123:29:123:35 | req.url | serverSide.js:123:19:123:42 | url.par ... , true) |
| serverSide.js:123:29:123:35 | req.url | serverSide.js:123:19:123:42 | url.par ... , true) |
| serverSide.js:130:9:130:45 | myUrl | serverSide.js:131:15:131:19 | myUrl |
| serverSide.js:130:9:130:45 | myUrl | serverSide.js:131:15:131:19 | myUrl |
| serverSide.js:130:17:130:45 | `${some ... inted}` | serverSide.js:130:9:130:45 | myUrl |
| serverSide.js:130:37:130:43 | tainted | serverSide.js:130:17:130:45 | `${some ... inted}` |
#select
| serverSide.js:18:5:18:20 | request(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:18:13:18:19 | tainted | The $@ of this request depends on a $@. | serverSide.js:18:13:18:19 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
| serverSide.js:20:5:20:24 | request.get(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:20:17:20:23 | tainted | The $@ of this request depends on a $@. | serverSide.js:20:17:20:23 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
@@ -195,3 +220,5 @@ edges
| serverSide.js:100:5:100:26 | new Web ... ainted) | serverSide.js:98:29:98:35 | req.url | serverSide.js:100:19:100:25 | tainted | The $@ of this request depends on a $@. | serverSide.js:100:19:100:25 | tainted | URL | serverSide.js:98:29:98:35 | req.url | user-provided value |
| serverSide.js:109:20:109:30 | new ws(url) | serverSide.js:108:17:108:27 | request.url | serverSide.js:109:27:109:29 | url | The $@ of this request depends on a $@. | serverSide.js:109:27:109:29 | url | URL | serverSide.js:108:17:108:27 | request.url | user-provided value |
| serverSide.js:117:20:117:30 | new ws(url) | serverSide.js:115:25:115:35 | request.url | serverSide.js:117:27:117:29 | url | The $@ of this request depends on a $@. | serverSide.js:117:27:117:29 | url | URL | serverSide.js:115:25:115:35 | request.url | user-provided value |
| serverSide.js:125:5:128:6 | axios({ ... \\n }) | serverSide.js:123:29:123:35 | req.url | serverSide.js:127:14:127:20 | tainted | The $@ of this request depends on a $@. | serverSide.js:127:14:127:20 | tainted | URL | serverSide.js:123:29:123:35 | req.url | user-provided value |
| serverSide.js:131:5:131:20 | axios.get(myUrl) | serverSide.js:123:29:123:35 | req.url | serverSide.js:131:15:131:19 | myUrl | The $@ of this request depends on a $@. | serverSide.js:131:15:131:19 | myUrl | URL | serverSide.js:123:29:123:35 | req.url | user-provided value |


@@ -117,3 +117,19 @@ new ws.Server({ port: 8080 }).on('connection', function (socket, request) {
const socket = new ws(url);
});
});
var server2 = http.createServer(function(req, res) {
var tainted = url.parse(req.url, true).query.url;
axios({
method: 'get',
url: tainted // NOT OK
})
var myUrl = `${something}/bla/${tainted}`;
axios.get(myUrl); // NOT OK
var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`;
axios.get(myEncodedUrl); // OK
})