Adapt Webix modeling to support HTML use-cases

2026-04-26 09:15:12 +02:00 · 2023-06-28 15:26:30 +02:00
parent 1e663b8889
commit 2ac334bf15
14 changed files with 148 additions and 65 deletions
--- a/javascript/ql/lib/javascript.qll
+++ b/javascript/ql/lib/javascript.qll
@@ -134,6 +134,7 @@ import semmle.javascript.frameworks.TrustedTypes
 import semmle.javascript.frameworks.UriLibraries
 import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.Vuex
+import semmle.javascript.frameworks.Webix
 import semmle.javascript.frameworks.WebSocket
 import semmle.javascript.frameworks.XmlParsers
 import semmle.javascript.frameworks.xUnit
--- a/javascript/ql/lib/semmle/javascript/Extend.qll
+++ b/javascript/ql/lib/semmle/javascript/Extend.qll
@@ -97,7 +97,9 @@ private class ExtendCallDeep extends ExtendCall {
      callee = LodashUnderscore::member("mergeWith") or
      callee = LodashUnderscore::member("defaultsDeep") or
      callee = AngularJS::angular().getAPropertyRead("merge") or
-      callee = DataFlow::moduleImport("webix").getAPropertyRead(["extend", "copy"])
+      callee =
+        [DataFlow::moduleImport("webix"), DataFlow::globalVarRef("webix")]
+            .getAPropertyRead(["extend", "copy"])
    )
  }

--- a/javascript/ql/lib/semmle/javascript/frameworks/Webix.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Webix.qll
@@ -0,0 +1,24 @@
+/**
+ * Provides classes and predicates for working with the `webix` library.
+ */
+
+private import javascript
+
+/**
+ * Provides classes and predicates for working with the `webix` library.
+ */
+module Webix {
+  /** The global variable `webix` as an entry point for API graphs. */
+  private class WebixGlobalEntry extends API::EntryPoint {
+    WebixGlobalEntry() { this = "WebixGlobalEntry" }
+
+    override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("webix") }
+  }
+
+  /** Gets a reference to the Webix package. */
+  API::Node webix() {
+    result = API::moduleImport("webix") or
+    result.asSource() = DataFlow::moduleImport("webix") or
+    result = any(WebixGlobalEntry w).getANode()
+  }
+}
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -316,7 +316,7 @@ module CodeInjection {
   * A value interpreted as code by the `webix` library.
   */
  class WebixExec extends Sink {
-    WebixExec() { this = API::moduleImport("webix").getMember("exec").getParameter(0).asSink() }
+    WebixExec() { this = Webix::webix().getMember("exec").getParameter(0).asSink() }
  }

  /** A sink for code injection via template injection. */
@@ -431,16 +431,10 @@ module CodeInjection {
   */
  class WebixTemplateSink extends TemplateSink {
    WebixTemplateSink() {
-      this =
-        API::moduleImport("webix").getMember("ui").getParameter(0).getMember("template").asSink()
+      this = Webix::webix().getMember("ui").getParameter(0).getMember("template").asSink()
      or
      this =
-        API::moduleImport("webix")
-            .getMember("ui")
-            .getParameter(0)
-            .getMember("template")
-            .getReturn()
-            .asSink()
+        Webix::webix().getMember("ui").getParameter(0).getMember("template").getReturn().asSink()
    }
  }

--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll
@@ -173,7 +173,7 @@ module PrototypePollution {
    id = "angular"
    or
    call.isDeep() and
-    call = DataFlow::moduleImport("webix").getAMemberCall(["extend", "copy"]) and
+    call = Webix::webix().getMember(["extend", "copy"]).getACall() and
    id = "webix"
  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
@@ -143,10 +143,6 @@ nodes
 | template-sinks.js:32:16:32:22 | tainted |
 | template-sinks.js:33:17:33:23 | tainted |
 | template-sinks.js:33:17:33:23 | tainted |
-| template-sinks.js:34:26:34:32 | tainted |
-| template-sinks.js:34:26:34:32 | tainted |
-| template-sinks.js:35:47:35:53 | tainted |
-| template-sinks.js:35:47:35:53 | tainted |
 | tst.js:2:6:2:27 | documen ... on.href |
 | tst.js:2:6:2:27 | documen ... on.href |
 | tst.js:2:6:2:83 | documen ... t=")+8) |
@@ -185,9 +181,24 @@ nodes
 | tst.js:35:28:35:33 | source |
 | tst.js:37:33:37:38 | source |
 | tst.js:37:33:37:38 | source |
-| webix.js:3:12:3:33 | documen ... on.hash |
-| webix.js:3:12:3:33 | documen ... on.hash |
-| webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.html:3:16:3:37 | documen ... on.hash |
+| webix/webix.html:3:16:3:37 | documen ... on.hash |
+| webix/webix.html:3:16:3:37 | documen ... on.hash |
+| webix/webix.html:4:26:4:47 | documen ... on.hash |
+| webix/webix.html:4:26:4:47 | documen ... on.hash |
+| webix/webix.html:4:26:4:47 | documen ... on.hash |
+| webix/webix.html:5:47:5:68 | documen ... on.hash |
+| webix/webix.html:5:47:5:68 | documen ... on.hash |
+| webix/webix.html:5:47:5:68 | documen ... on.hash |
+| webix/webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.js:4:22:4:43 | documen ... on.hash |
+| webix/webix.js:4:22:4:43 | documen ... on.hash |
+| webix/webix.js:4:22:4:43 | documen ... on.hash |
+| webix/webix.js:5:43:5:64 | documen ... on.hash |
+| webix/webix.js:5:43:5:64 | documen ... on.hash |
+| webix/webix.js:5:43:5:64 | documen ... on.hash |
 edges
 | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
 | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
@@ -281,10 +292,6 @@ edges
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:32:16:32:22 | tainted |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted |
-| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:34:26:34:32 | tainted |
-| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:34:26:34:32 | tainted |
-| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:35:47:35:53 | tainted |
-| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:35:47:35:53 | tainted |
 | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted |
 | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted |
 | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
@@ -317,7 +324,12 @@ edges
 | tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
 | tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
 | tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source |
-| webix.js:3:12:3:33 | documen ... on.hash | webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash |
+| webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash |
+| webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash |
+| webix/webix.js:3:12:3:33 | documen ... on.hash | webix/webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.js:4:22:4:43 | documen ... on.hash | webix/webix.js:4:22:4:43 | documen ... on.hash |
+| webix/webix.js:5:43:5:64 | documen ... on.hash | webix/webix.js:5:43:5:64 | documen ... on.hash |
 #select
 | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | This code execution depends on a $@. | NoSQLCodeInjection.js:18:24:18:31 | req.body | user-provided value |
 | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:19:36:19:43 | req.body | user-provided value |
@@ -366,8 +378,6 @@ edges
 | template-sinks.js:31:19:31:25 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:31:19:31:25 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
 | template-sinks.js:32:16:32:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:32:16:32:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
 | template-sinks.js:33:17:33:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:33:17:33:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
-| template-sinks.js:34:26:34:32 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:34:26:34:32 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
-| template-sinks.js:35:47:35:53 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:35:47:35:53 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
 | tst.js:2:6:2:83 | documen ... t=")+8) | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | This code execution depends on a $@. | tst.js:2:6:2:27 | documen ... on.href | user-provided value |
 | tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | This code execution depends on a $@. | tst.js:5:12:5:33 | documen ... on.hash | user-provided value |
 | tst.js:14:10:14:74 | documen ... , "$1") | tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | This code execution depends on a $@. | tst.js:14:10:14:33 | documen ... .search | user-provided value |
@@ -379,4 +389,9 @@ edges
 | tst.js:33:14:33:19 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:33:14:33:19 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value |
 | tst.js:35:28:35:33 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:35:28:35:33 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value |
 | tst.js:37:33:37:38 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:37:33:37:38 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value |
-| webix.js:3:12:3:33 | documen ... on.hash | webix.js:3:12:3:33 | documen ... on.hash | webix.js:3:12:3:33 | documen ... on.hash | This code execution depends on a $@. | webix.js:3:12:3:33 | documen ... on.hash | user-provided value |
+| webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | This code execution depends on a $@. | webix/webix.html:3:16:3:37 | documen ... on.hash | user-provided value |
+| webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.html:4:26:4:47 | documen ... on.hash | user-provided value |
+| webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.html:5:47:5:68 | documen ... on.hash | user-provided value |
+| webix/webix.js:3:12:3:33 | documen ... on.hash | webix/webix.js:3:12:3:33 | documen ... on.hash | webix/webix.js:3:12:3:33 | documen ... on.hash | This code execution depends on a $@. | webix/webix.js:3:12:3:33 | documen ... on.hash | user-provided value |
+| webix/webix.js:4:22:4:43 | documen ... on.hash | webix/webix.js:4:22:4:43 | documen ... on.hash | webix/webix.js:4:22:4:43 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.js:4:22:4:43 | documen ... on.hash | user-provided value |
+| webix/webix.js:5:43:5:64 | documen ... on.hash | webix/webix.js:5:43:5:64 | documen ... on.hash | webix/webix.js:5:43:5:64 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.js:5:43:5:64 | documen ... on.hash | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
@@ -147,10 +147,6 @@ nodes
 | template-sinks.js:32:16:32:22 | tainted |
 | template-sinks.js:33:17:33:23 | tainted |
 | template-sinks.js:33:17:33:23 | tainted |
-| template-sinks.js:34:26:34:32 | tainted |
-| template-sinks.js:34:26:34:32 | tainted |
-| template-sinks.js:35:47:35:53 | tainted |
-| template-sinks.js:35:47:35:53 | tainted |
 | tst.js:2:6:2:27 | documen ... on.href |
 | tst.js:2:6:2:27 | documen ... on.href |
 | tst.js:2:6:2:83 | documen ... t=")+8) |
@@ -189,9 +185,24 @@ nodes
 | tst.js:35:28:35:33 | source |
 | tst.js:37:33:37:38 | source |
 | tst.js:37:33:37:38 | source |
-| webix.js:3:12:3:33 | documen ... on.hash |
-| webix.js:3:12:3:33 | documen ... on.hash |
-| webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.html:3:16:3:37 | documen ... on.hash |
+| webix/webix.html:3:16:3:37 | documen ... on.hash |
+| webix/webix.html:3:16:3:37 | documen ... on.hash |
+| webix/webix.html:4:26:4:47 | documen ... on.hash |
+| webix/webix.html:4:26:4:47 | documen ... on.hash |
+| webix/webix.html:4:26:4:47 | documen ... on.hash |
+| webix/webix.html:5:47:5:68 | documen ... on.hash |
+| webix/webix.html:5:47:5:68 | documen ... on.hash |
+| webix/webix.html:5:47:5:68 | documen ... on.hash |
+| webix/webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.js:4:22:4:43 | documen ... on.hash |
+| webix/webix.js:4:22:4:43 | documen ... on.hash |
+| webix/webix.js:4:22:4:43 | documen ... on.hash |
+| webix/webix.js:5:43:5:64 | documen ... on.hash |
+| webix/webix.js:5:43:5:64 | documen ... on.hash |
+| webix/webix.js:5:43:5:64 | documen ... on.hash |
 edges
 | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
 | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
@@ -289,10 +300,6 @@ edges
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:32:16:32:22 | tainted |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted |
-| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:34:26:34:32 | tainted |
-| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:34:26:34:32 | tainted |
-| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:35:47:35:53 | tainted |
-| template-sinks.js:18:9:18:31 | tainted | template-sinks.js:35:47:35:53 | tainted |
 | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted |
 | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted |
 | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
@@ -325,6 +332,11 @@ edges
 | tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
 | tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") |
 | tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source |
-| webix.js:3:12:3:33 | documen ... on.hash | webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash |
+| webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash |
+| webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash |
+| webix/webix.js:3:12:3:33 | documen ... on.hash | webix/webix.js:3:12:3:33 | documen ... on.hash |
+| webix/webix.js:4:22:4:43 | documen ... on.hash | webix/webix.js:4:22:4:43 | documen ... on.hash |
+| webix/webix.js:5:43:5:64 | documen ... on.hash | webix/webix.js:5:43:5:64 | documen ... on.hash |
 #select
 | eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js
@@ -31,6 +31,4 @@ app.get('/some/path', function (req, res) {
    Hogan.compile(tainted); // NOT OK
    Eta.render(tainted); // NOT OK
    Sqrl.render(tainted); // NOT OK
-    webix.ui({ template: tainted }); // NOT OK
-    webix.ui({ template: function () { return tainted } }); // NOT OK
 });
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix.js
@@ -1,3 +0,0 @@
-import * as webix from 'webix';
-
-webix.exec(document.location.hash); // NOT OK
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html
@@ -0,0 +1,6 @@
+<script src="path/to/webix.js" type="text/javascript" charset="utf-8"></script>
+<script>
+    webix.exec(document.location.hash); // NOT OK
+    webix.ui({ template: document.location.hash }); // NOT OK
+    webix.ui({ template: function () { return document.location.hash } }); // NOT OK
+</script>
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js
@@ -0,0 +1,5 @@
+import * as webix from 'webix';
+
+webix.exec(document.location.hash); // NOT OK
+webix.ui({ template: document.location.hash }); // NOT OK
+webix.ui({ template: function () { return document.location.hash } }); // NOT OK
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.expected
@@ -17,16 +17,26 @@ nodes
 | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } |
 | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } |
 | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing |
-| webix.js:3:30:3:34 | event |
-| webix.js:3:30:3:34 | event |
-| webix.js:4:22:4:43 | JSON.pa ... t.data) |
-| webix.js:4:22:4:43 | JSON.pa ... t.data) |
-| webix.js:4:33:4:37 | event |
-| webix.js:4:33:4:42 | event.data |
-| webix.js:5:19:5:40 | JSON.pa ... t.data) |
-| webix.js:5:19:5:40 | JSON.pa ... t.data) |
-| webix.js:5:30:5:34 | event |
-| webix.js:5:30:5:39 | event.data |
+| webix/webix.html:3:34:3:38 | event |
+| webix/webix.html:3:34:3:38 | event |
+| webix/webix.html:4:26:4:47 | JSON.pa ... t.data) |
+| webix/webix.html:4:26:4:47 | JSON.pa ... t.data) |
+| webix/webix.html:4:37:4:41 | event |
+| webix/webix.html:4:37:4:46 | event.data |
+| webix/webix.html:5:24:5:45 | JSON.pa ... t.data) |
+| webix/webix.html:5:24:5:45 | JSON.pa ... t.data) |
+| webix/webix.html:5:35:5:39 | event |
+| webix/webix.html:5:35:5:44 | event.data |
+| webix/webix.js:3:30:3:34 | event |
+| webix/webix.js:3:30:3:34 | event |
+| webix/webix.js:4:22:4:43 | JSON.pa ... t.data) |
+| webix/webix.js:4:22:4:43 | JSON.pa ... t.data) |
+| webix/webix.js:4:33:4:37 | event |
+| webix/webix.js:4:33:4:42 | event.data |
+| webix/webix.js:5:20:5:41 | JSON.pa ... t.data) |
+| webix/webix.js:5:20:5:41 | JSON.pa ... t.data) |
+| webix/webix.js:5:31:5:35 | event |
+| webix/webix.js:5:31:5:40 | event.data |
 edges
 | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event |
 | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event |
@@ -42,20 +52,32 @@ edges
 | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing |
 | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } |
 | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } |
-| webix.js:3:30:3:34 | event | webix.js:4:33:4:37 | event |
-| webix.js:3:30:3:34 | event | webix.js:4:33:4:37 | event |
-| webix.js:3:30:3:34 | event | webix.js:5:30:5:34 | event |
-| webix.js:3:30:3:34 | event | webix.js:5:30:5:34 | event |
-| webix.js:4:33:4:37 | event | webix.js:4:33:4:42 | event.data |
-| webix.js:4:33:4:42 | event.data | webix.js:4:22:4:43 | JSON.pa ... t.data) |
-| webix.js:4:33:4:42 | event.data | webix.js:4:22:4:43 | JSON.pa ... t.data) |
-| webix.js:5:30:5:34 | event | webix.js:5:30:5:39 | event.data |
-| webix.js:5:30:5:39 | event.data | webix.js:5:19:5:40 | JSON.pa ... t.data) |
-| webix.js:5:30:5:39 | event.data | webix.js:5:19:5:40 | JSON.pa ... t.data) |
+| webix/webix.html:3:34:3:38 | event | webix/webix.html:4:37:4:41 | event |
+| webix/webix.html:3:34:3:38 | event | webix/webix.html:4:37:4:41 | event |
+| webix/webix.html:3:34:3:38 | event | webix/webix.html:5:35:5:39 | event |
+| webix/webix.html:3:34:3:38 | event | webix/webix.html:5:35:5:39 | event |
+| webix/webix.html:4:37:4:41 | event | webix/webix.html:4:37:4:46 | event.data |
+| webix/webix.html:4:37:4:46 | event.data | webix/webix.html:4:26:4:47 | JSON.pa ... t.data) |
+| webix/webix.html:4:37:4:46 | event.data | webix/webix.html:4:26:4:47 | JSON.pa ... t.data) |
+| webix/webix.html:5:35:5:39 | event | webix/webix.html:5:35:5:44 | event.data |
+| webix/webix.html:5:35:5:44 | event.data | webix/webix.html:5:24:5:45 | JSON.pa ... t.data) |
+| webix/webix.html:5:35:5:44 | event.data | webix/webix.html:5:24:5:45 | JSON.pa ... t.data) |
+| webix/webix.js:3:30:3:34 | event | webix/webix.js:4:33:4:37 | event |
+| webix/webix.js:3:30:3:34 | event | webix/webix.js:4:33:4:37 | event |
+| webix/webix.js:3:30:3:34 | event | webix/webix.js:5:31:5:35 | event |
+| webix/webix.js:3:30:3:34 | event | webix/webix.js:5:31:5:35 | event |
+| webix/webix.js:4:33:4:37 | event | webix/webix.js:4:33:4:42 | event.data |
+| webix/webix.js:4:33:4:42 | event.data | webix/webix.js:4:22:4:43 | JSON.pa ... t.data) |
+| webix/webix.js:4:33:4:42 | event.data | webix/webix.js:4:22:4:43 | JSON.pa ... t.data) |
+| webix/webix.js:5:31:5:35 | event | webix/webix.js:5:31:5:40 | event.data |
+| webix/webix.js:5:31:5:40 | event.data | webix/webix.js:5:20:5:41 | JSON.pa ... t.data) |
+| webix/webix.js:5:31:5:40 | event.data | webix/webix.js:5:20:5:41 | JSON.pa ... t.data) |
 #select
 | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | angularmerge.js:1:30:1:34 | event | user-controlled value | angularmerge.js:2:3:2:43 | angular ... .data)) | angular |
 | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
 | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n      ... K\\n    } | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n      ... K\\n    } | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
 | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
-| webix.js:4:22:4:43 | JSON.pa ... t.data) | webix.js:3:30:3:34 | event | webix.js:4:22:4:43 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix.js:3:30:3:34 | event | user-controlled value | webix.js:4:5:4:44 | webix.e ... .data)) | webix |
-| webix.js:5:19:5:40 | JSON.pa ... t.data) | webix.js:3:30:3:34 | event | webix.js:5:19:5:40 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix.js:3:30:3:34 | event | user-controlled value | webix.js:5:5:5:41 | webix.c ... .data)) | webix |
+| webix/webix.html:4:26:4:47 | JSON.pa ... t.data) | webix/webix.html:3:34:3:38 | event | webix/webix.html:4:26:4:47 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.html:3:34:3:38 | event | user-controlled value | webix/webix.html:4:9:4:48 | webix.e ... .data)) | webix |
+| webix/webix.html:5:24:5:45 | JSON.pa ... t.data) | webix/webix.html:3:34:3:38 | event | webix/webix.html:5:24:5:45 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.html:3:34:3:38 | event | user-controlled value | webix/webix.html:5:9:5:46 | webix.c ... .data)) | webix |
+| webix/webix.js:4:22:4:43 | JSON.pa ... t.data) | webix/webix.js:3:30:3:34 | event | webix/webix.js:4:22:4:43 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.js:3:30:3:34 | event | user-controlled value | webix/webix.js:4:5:4:44 | webix.e ... .data)) | webix |
+| webix/webix.js:5:20:5:41 | JSON.pa ... t.data) | webix/webix.js:3:30:3:34 | event | webix/webix.js:5:20:5:41 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix/webix.js:3:30:3:34 | event | user-controlled value | webix/webix.js:5:5:5:42 | webix.c ... .data)) | webix |
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html
@@ -0,0 +1,7 @@
+<script src="path/to/webix.js" type="text/javascript" charset="utf-8"></script>
+<script>
+    addEventListener("message", (event) => {
+        webix.extend({}, JSON.parse(event.data)); // NOT OK
+        webix.copy({}, JSON.parse(event.data)); // NOT OK
+    });
+</script>
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js