Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3566

2025-12-16 16:53:25 +01:00 · 2020-05-27 12:21:14 +00:00
parent d05a61c745 3cfc1e553c
commit 33da82d884
9 changed files with 292 additions and 0 deletions
--- a/change-notes/1.25/analysis-javascript.md
+++ b/change-notes/1.25/analysis-javascript.md
@@ -36,6 +36,7 @@

 | **Query**                      | **Expected impact**          | **Change**                                                                |
 |--------------------------------|------------------------------|---------------------------------------------------------------------------|
+| Client-side cross-site scripting (`js/xss`) | Fewer results | This query no longer flags optionally sanitized values. |
 | Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | Fewer results | This query now recognizes additional safe patterns of doing URL redirects. |
 | Client-side cross-site scripting (`js/xss`) | Fewer results | This query now recognizes additional safe patterns of constructing HTML. |
 | Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving NoSQL code operators are now recognized. |
--- a/javascript/ql/src/semmle/javascript/HtmlSanitizers.qll
+++ b/javascript/ql/src/semmle/javascript/HtmlSanitizers.qll
@@ -48,6 +48,11 @@ private class DefaultHtmlSanitizerCall extends HtmlSanitizerCall {
      or
      callee = LodashUnderscore::member("escape")
      or
+      exists(DataFlow::PropRead read | read = callee |
+        read.getPropertyName() = "sanitize" and
+        read.getBase().asExpr().(VarAccess).getName() = "DOMPurify"
+      )
+      or
      exists(string name | name = "encode" or name = "encodeNonUTF" |
        callee =
          DataFlow::moduleMember("html-entities", _).getAnInstantiation().getAPropertyRead(name) or
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -827,6 +827,28 @@ module TaintTracking {
    override predicate appliesTo(Configuration cfg) { any() }
  }

+  /**
+   * A test of form `x.length === "0"`, preventing `x` from being tainted.
+   */
+  class IsEmptyGuard extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
+    override EqualityTest astNode;
+    boolean polarity;
+    Expr operand;
+
+    IsEmptyGuard() {
+      astNode.getPolarity() = polarity and
+      astNode.getAnOperand().(ConstantExpr).getIntValue() = 0 and
+      exists(DataFlow::PropRead read | read.asExpr() = astNode.getAnOperand() |
+        read.getBase().asExpr() = operand and
+        read.getPropertyName() = "length"
+      )
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) { polarity = outcome and e = operand }
+
+    override predicate appliesTo(Configuration cfg) { any() }
+  }
+
  /** DEPRECATED. This class has been renamed to `InclusionSanitizer`. */
  deprecated class StringInclusionSanitizer = InclusionSanitizer;

--- a/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll
@@ -51,6 +51,10 @@ module DomBasedXss {
        prop = urlSuffixPseudoProperty()
      )
    }
+
+    override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+      DomBasedXss::isOptionallySanitizedEdge(pred, succ)
+    }
  }

  private string urlSuffixPseudoProperty() { result = "$UrlSuffix$" }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -329,6 +329,36 @@ module DomBasedXss {
  private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }

  private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
+
+  /**
+   * Holds if there exists two dataflow edges to `succ`, where one edges is sanitized, and the other edge starts with `pred`.
+   */
+  predicate isOptionallySanitizedEdge(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(HtmlSanitizerCall sanitizer |
+      // sanitized = sanitize ? sanitizer(source) : source;
+      exists(ConditionalExpr branch, Variable var, VarAccess access |
+        branch = succ.asExpr() and access = var.getAnAccess()
+      |
+        branch.getABranch() = access and
+        pred.getEnclosingExpr() = access and
+        sanitizer = branch.getABranch().flow() and
+        sanitizer.getAnArgument().getEnclosingExpr() = var.getAnAccess()
+      )
+      or
+      // sanitized = source; if (sanitize) {sanitized = sanitizer(source)};
+      exists(SsaPhiNode phi, SsaExplicitDefinition a, SsaDefinition b |
+        a = phi.getAnInput().getDefinition() and
+        b = phi.getAnInput().getDefinition() and
+        count(phi.getAnInput()) = 2 and
+        not a = b and
+        sanitizer = DataFlow::valueNode(a.getDef().getSource()) and
+        sanitizer.getAnArgument().asExpr().(VarAccess).getVariable() = b.getSourceVariable()
+      |
+        pred = DataFlow::ssaDefinitionNode(b) and
+        succ = DataFlow::ssaDefinitionNode(phi)
+      )
+    )
+  }
 }

 /** Provides classes and predicates for the reflected XSS query. */
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XssThroughDom.qll
@@ -34,6 +34,10 @@ module XssThroughDom {
      guard instanceof UnsafeJQuery::PropertyPresenceSanitizer or
      guard instanceof DomBasedXss::SanitizerGuard
    }
+
+    override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+      DomBasedXss::isOptionallySanitizedEdge(pred, succ)
+    }
  }

  /**
--- a/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
@@ -36,6 +36,47 @@ nodes
 | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
 | nodemailer.js:13:50:13:66 | req.query.message |
 | nodemailer.js:13:50:13:66 | req.query.message |
+| optionalSanitizer.js:2:7:2:39 | target |
+| optionalSanitizer.js:2:16:2:32 | document.location |
+| optionalSanitizer.js:2:16:2:32 | document.location |
+| optionalSanitizer.js:2:16:2:39 | documen ... .search |
+| optionalSanitizer.js:6:18:6:23 | target |
+| optionalSanitizer.js:6:18:6:23 | target |
+| optionalSanitizer.js:8:7:8:22 | tainted |
+| optionalSanitizer.js:8:17:8:22 | target |
+| optionalSanitizer.js:9:18:9:24 | tainted |
+| optionalSanitizer.js:9:18:9:24 | tainted |
+| optionalSanitizer.js:15:9:15:14 | target |
+| optionalSanitizer.js:16:18:16:18 | x |
+| optionalSanitizer.js:17:20:17:20 | x |
+| optionalSanitizer.js:17:20:17:20 | x |
+| optionalSanitizer.js:26:7:26:39 | target |
+| optionalSanitizer.js:26:16:26:32 | document.location |
+| optionalSanitizer.js:26:16:26:32 | document.location |
+| optionalSanitizer.js:26:16:26:39 | documen ... .search |
+| optionalSanitizer.js:31:7:31:23 | tainted2 |
+| optionalSanitizer.js:31:18:31:23 | target |
+| optionalSanitizer.js:32:18:32:25 | tainted2 |
+| optionalSanitizer.js:32:18:32:25 | tainted2 |
+| optionalSanitizer.js:34:5:34:36 | tainted2 |
+| optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) |
+| optionalSanitizer.js:34:28:34:35 | tainted2 |
+| optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:38:7:38:23 | tainted3 |
+| optionalSanitizer.js:38:18:38:23 | target |
+| optionalSanitizer.js:39:18:39:25 | tainted3 |
+| optionalSanitizer.js:39:18:39:25 | tainted3 |
+| optionalSanitizer.js:41:5:41:36 | tainted3 |
+| optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) |
+| optionalSanitizer.js:41:28:41:35 | tainted3 |
+| optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
+| optionalSanitizer.js:45:41:45:46 | target |
+| optionalSanitizer.js:45:51:45:56 | target |
 | react-native.js:7:7:7:33 | tainted |
 | react-native.js:7:17:7:33 | req.param("code") |
 | react-native.js:7:17:7:33 | req.param("code") |
@@ -422,6 +463,51 @@ edges
 | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
 | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
 | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:6:18:6:23 | target |
+| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:6:18:6:23 | target |
+| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:8:17:8:22 | target |
+| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:15:9:15:14 | target |
+| optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:2:16:2:39 | documen ... .search |
+| optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:2:16:2:39 | documen ... .search |
+| optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:2:7:2:39 | target |
+| optionalSanitizer.js:8:7:8:22 | tainted | optionalSanitizer.js:9:18:9:24 | tainted |
+| optionalSanitizer.js:8:7:8:22 | tainted | optionalSanitizer.js:9:18:9:24 | tainted |
+| optionalSanitizer.js:8:17:8:22 | target | optionalSanitizer.js:8:7:8:22 | tainted |
+| optionalSanitizer.js:15:9:15:14 | target | optionalSanitizer.js:16:18:16:18 | x |
+| optionalSanitizer.js:16:18:16:18 | x | optionalSanitizer.js:17:20:17:20 | x |
+| optionalSanitizer.js:16:18:16:18 | x | optionalSanitizer.js:17:20:17:20 | x |
+| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:31:18:31:23 | target |
+| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:38:18:38:23 | target |
+| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:45:41:45:46 | target |
+| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:45:51:45:56 | target |
+| optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:26:16:26:39 | documen ... .search |
+| optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:26:16:26:39 | documen ... .search |
+| optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:26:7:26:39 | target |
+| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:32:18:32:25 | tainted2 |
+| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:32:18:32:25 | tainted2 |
+| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:34:28:34:35 | tainted2 |
+| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:31:18:31:23 | target | optionalSanitizer.js:31:7:31:23 | tainted2 |
+| optionalSanitizer.js:34:5:34:36 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:34:5:34:36 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) | optionalSanitizer.js:34:5:34:36 | tainted2 |
+| optionalSanitizer.js:34:28:34:35 | tainted2 | optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) |
+| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:39:18:39:25 | tainted3 |
+| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:39:18:39:25 | tainted3 |
+| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:41:28:41:35 | tainted3 |
+| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:38:18:38:23 | target | optionalSanitizer.js:38:7:38:23 | tainted3 |
+| optionalSanitizer.js:41:5:41:36 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:41:5:41:36 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | optionalSanitizer.js:41:5:41:36 | tainted3 |
+| optionalSanitizer.js:41:28:41:35 | tainted3 | optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) |
+| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
+| optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
@@ -738,6 +824,14 @@ edges
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value |
+| optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
+| optionalSanitizer.js:9:18:9:24 | tainted | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:9:18:9:24 | tainted | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
+| optionalSanitizer.js:17:20:17:20 | x | optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:17:20:17:20 | x | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:32 | document.location | user-provided value |
+| optionalSanitizer.js:32:18:32:25 | tainted2 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:32:18:32:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
+| optionalSanitizer.js:36:18:36:25 | tainted2 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:36:18:36:25 | tainted2 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
+| optionalSanitizer.js:39:18:39:25 | tainted3 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:39:18:39:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
+| optionalSanitizer.js:43:18:43:25 | tainted3 | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:43:18:43:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
+| optionalSanitizer.js:45:18:45:56 | sanitiz ...  target | optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:32 | document.location | user-provided value |
 | react-native.js:8:18:8:24 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:18:8:24 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | stored-xss.js:5:20:5:52 | session ... ssion') | stored-xss.js:2:39:2:55 | document.location | stored-xss.js:5:20:5:52 | session ... ssion') | Cross-site scripting vulnerability due to $@. | stored-xss.js:2:39:2:55 | document.location | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected
@@ -36,6 +36,47 @@ nodes
 | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
 | nodemailer.js:13:50:13:66 | req.query.message |
 | nodemailer.js:13:50:13:66 | req.query.message |
+| optionalSanitizer.js:2:7:2:39 | target |
+| optionalSanitizer.js:2:16:2:32 | document.location |
+| optionalSanitizer.js:2:16:2:32 | document.location |
+| optionalSanitizer.js:2:16:2:39 | documen ... .search |
+| optionalSanitizer.js:6:18:6:23 | target |
+| optionalSanitizer.js:6:18:6:23 | target |
+| optionalSanitizer.js:8:7:8:22 | tainted |
+| optionalSanitizer.js:8:17:8:22 | target |
+| optionalSanitizer.js:9:18:9:24 | tainted |
+| optionalSanitizer.js:9:18:9:24 | tainted |
+| optionalSanitizer.js:15:9:15:14 | target |
+| optionalSanitizer.js:16:18:16:18 | x |
+| optionalSanitizer.js:17:20:17:20 | x |
+| optionalSanitizer.js:17:20:17:20 | x |
+| optionalSanitizer.js:26:7:26:39 | target |
+| optionalSanitizer.js:26:16:26:32 | document.location |
+| optionalSanitizer.js:26:16:26:32 | document.location |
+| optionalSanitizer.js:26:16:26:39 | documen ... .search |
+| optionalSanitizer.js:31:7:31:23 | tainted2 |
+| optionalSanitizer.js:31:18:31:23 | target |
+| optionalSanitizer.js:32:18:32:25 | tainted2 |
+| optionalSanitizer.js:32:18:32:25 | tainted2 |
+| optionalSanitizer.js:34:5:34:36 | tainted2 |
+| optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) |
+| optionalSanitizer.js:34:28:34:35 | tainted2 |
+| optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:38:7:38:23 | tainted3 |
+| optionalSanitizer.js:38:18:38:23 | target |
+| optionalSanitizer.js:39:18:39:25 | tainted3 |
+| optionalSanitizer.js:39:18:39:25 | tainted3 |
+| optionalSanitizer.js:41:5:41:36 | tainted3 |
+| optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) |
+| optionalSanitizer.js:41:28:41:35 | tainted3 |
+| optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
+| optionalSanitizer.js:45:41:45:46 | target |
+| optionalSanitizer.js:45:51:45:56 | target |
 | react-native.js:7:7:7:33 | tainted |
 | react-native.js:7:17:7:33 | req.param("code") |
 | react-native.js:7:17:7:33 | req.param("code") |
@@ -426,6 +467,51 @@ edges
 | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
 | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
 | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
+| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:6:18:6:23 | target |
+| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:6:18:6:23 | target |
+| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:8:17:8:22 | target |
+| optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:15:9:15:14 | target |
+| optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:2:16:2:39 | documen ... .search |
+| optionalSanitizer.js:2:16:2:32 | document.location | optionalSanitizer.js:2:16:2:39 | documen ... .search |
+| optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:2:7:2:39 | target |
+| optionalSanitizer.js:8:7:8:22 | tainted | optionalSanitizer.js:9:18:9:24 | tainted |
+| optionalSanitizer.js:8:7:8:22 | tainted | optionalSanitizer.js:9:18:9:24 | tainted |
+| optionalSanitizer.js:8:17:8:22 | target | optionalSanitizer.js:8:7:8:22 | tainted |
+| optionalSanitizer.js:15:9:15:14 | target | optionalSanitizer.js:16:18:16:18 | x |
+| optionalSanitizer.js:16:18:16:18 | x | optionalSanitizer.js:17:20:17:20 | x |
+| optionalSanitizer.js:16:18:16:18 | x | optionalSanitizer.js:17:20:17:20 | x |
+| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:31:18:31:23 | target |
+| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:38:18:38:23 | target |
+| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:45:41:45:46 | target |
+| optionalSanitizer.js:26:7:26:39 | target | optionalSanitizer.js:45:51:45:56 | target |
+| optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:26:16:26:39 | documen ... .search |
+| optionalSanitizer.js:26:16:26:32 | document.location | optionalSanitizer.js:26:16:26:39 | documen ... .search |
+| optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:26:7:26:39 | target |
+| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:32:18:32:25 | tainted2 |
+| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:32:18:32:25 | tainted2 |
+| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:34:28:34:35 | tainted2 |
+| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:31:7:31:23 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:31:18:31:23 | target | optionalSanitizer.js:31:7:31:23 | tainted2 |
+| optionalSanitizer.js:34:5:34:36 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:34:5:34:36 | tainted2 | optionalSanitizer.js:36:18:36:25 | tainted2 |
+| optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) | optionalSanitizer.js:34:5:34:36 | tainted2 |
+| optionalSanitizer.js:34:28:34:35 | tainted2 | optionalSanitizer.js:34:16:34:36 | sanitiz ... inted2) |
+| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:39:18:39:25 | tainted3 |
+| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:39:18:39:25 | tainted3 |
+| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:41:28:41:35 | tainted3 |
+| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:38:7:38:23 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:38:18:38:23 | target | optionalSanitizer.js:38:7:38:23 | tainted3 |
+| optionalSanitizer.js:41:5:41:36 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:41:5:41:36 | tainted3 | optionalSanitizer.js:43:18:43:25 | tainted3 |
+| optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | optionalSanitizer.js:41:5:41:36 | tainted3 |
+| optionalSanitizer.js:41:28:41:35 | tainted3 | optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) |
+| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
+| optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:9:27:9:33 | tainted |
--- a/javascript/ql/test/query-tests/Security/CWE-079/optionalSanitizer.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/optionalSanitizer.js
@@ -0,0 +1,46 @@
+function test() {
+  var target = document.location.search
+
+  $('myId').html(sanitize ? DOMPurify.sanitize(target) : target); // OK
+
+  $('myId').html(target); // NOT OK
+
+  var tainted = target;
+  $('myId').html(tainted); // NOT OK
+  if (sanitize) {
+    tainted = DOMPurify.sanitize(tainted);
+  }
+  $('myId').html(tainted); // OK
+
+  inner(target);
+  function inner(x) {
+    $('myId').html(x); // NOT OK
+    if (sanitize) {
+      x = DOMPurify.sanitize(x);
+    }
+    $('myId').html(x); // OK
+  }
+}
+
+function badSanitizer() {
+  var target = document.location.search
+
+  function sanitizeBad(x) {
+    return x; // No sanitization;
+  }
+  var tainted2 = target;
+  $('myId').html(tainted2); // NOT OK
+  if (sanitize) {
+    tainted2 = sanitizeBad(tainted2);
+  }
+  $('myId').html(tainted2); // NOT OK
+
+  var tainted3 = target;
+  $('myId').html(tainted3); // NOT OK
+  if (sanitize) {
+    tainted3 = sanitizeBad(tainted3);
+  }
+  $('myId').html(tainted3); // NOT OK
+
+  $('myId').html(sanitize ? sanitizeBad(target) : target); // NOT OK
+}