JS: Split CWE-079 tests into their own folders

javascript/ql/test/query-tests/Security/CWE-079/Consistency.ql

@@ -1,8 +0,0 @@
-import javascript
-import testUtilities.ConsistencyChecking
-import semmle.javascript.security.dataflow.DomBasedXss as DomXss
-import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
-import semmle.javascript.security.dataflow.StoredXss as StoredXss
-import semmle.javascript.security.dataflow.XssThroughDom as ThroughDomXss
-import semmle.javascript.security.dataflow.ExceptionXss as ExceptionXss
-import semmle.javascript.security.dataflow.UnsafeJQueryPlugin as UnsafeJqueryPlugin

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.DomBasedXss as DomXss

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -59,11 +59,6 @@ nodes
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
-| exception-xss.js:2:6:2:28 | foo |
-| exception-xss.js:2:12:2:28 | document.location |
-| exception-xss.js:2:12:2:28 | document.location |
-| exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:86:17:86:19 | foo |
 | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:33 | document.location |
 | jquery.js:2:17:2:33 | document.location |
@@ -577,10 +572,6 @@ edges
 | angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
 | angular2-client.ts:37:44:37:58 | this.router.url | angular2-client.ts:37:44:37:58 | this.router.url |
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
-| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
-| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
@@ -1022,7 +1013,6 @@ edges
 | angular2-client.ts:35:44:35:91 | this.ro ... arams.x | angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:35:44:35:89 | this.ro ... .params | user-provided value |
 | angular2-client.ts:37:44:37:58 | this.router.url | angular2-client.ts:37:44:37:58 | this.router.url | angular2-client.ts:37:44:37:58 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:37:44:37:58 | this.router.url | user-provided value |
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | user-provided value |
-| exception-xss.js:86:17:86:19 | foo | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:86:17:86:19 | foo | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
 | jquery.js:4:5:4:11 | tainted | jquery.js:2:17:2:33 | document.location | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -59,11 +59,6 @@ nodes
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
-| exception-xss.js:2:6:2:28 | foo |
-| exception-xss.js:2:12:2:28 | document.location |
-| exception-xss.js:2:12:2:28 | document.location |
-| exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:86:17:86:19 | foo |
 | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:33 | document.location |
 | jquery.js:2:17:2:33 | document.location |
@@ -581,10 +576,6 @@ edges
 | angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
 | angular2-client.ts:37:44:37:58 | this.router.url | angular2-client.ts:37:44:37:58 | this.router.url |
 | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
-| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
-| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.ExceptionXss as ExceptionXss

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected

@@ -86,16 +86,6 @@ nodes
 | exception-xss.js:180:26:180:30 | error |
 | exception-xss.js:182:19:182:23 | error |
 | exception-xss.js:182:19:182:23 | error |
-| tst.js:301:9:301:16 | location |
-| tst.js:301:9:301:16 | location |
-| tst.js:302:10:302:10 | e |
-| tst.js:303:20:303:20 | e |
-| tst.js:303:20:303:20 | e |
-| tst.js:308:10:308:17 | location |
-| tst.js:308:10:308:17 | location |
-| tst.js:310:10:310:10 | e |
-| tst.js:311:20:311:20 | e |
-| tst.js:311:20:311:20 | e |
 edges
 | exception-xss.js:2:6:2:28 | foo | exception-xss.js:9:11:9:13 | foo |
 | exception-xss.js:2:6:2:28 | foo | exception-xss.js:15:9:15:11 | foo |
@@ -178,14 +168,6 @@ edges
 | exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:180:26:180:30 | error |
 | exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error |
 | exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error |
-| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
-| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
-| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e |
-| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e |
-| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e |
-| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e |
-| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e |
-| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e |
 #select
 | exception-xss.js:11:18:11:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:11:18:11:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text |
 | exception-xss.js:17:18:17:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:17:18:17:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text |
@@ -203,5 +185,3 @@ edges
 | exception-xss.js:155:18:155:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:155:18:155:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:28 | document.location | Exception text |
 | exception-xss.js:175:18:175:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:175:18:175:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:28 | document.location | Exception text |
 | exception-xss.js:182:19:182:23 | error | exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:182:19:182:23 | error | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:180:10:180:22 | req.params.id | Exception text |
-| tst.js:303:20:303:20 | e | tst.js:301:9:301:16 | location | tst.js:303:20:303:20 | e | $@ is reinterpreted as HTML without escaping meta-characters. | tst.js:301:9:301:16 | location | Exception text |
-| tst.js:311:20:311:20 | e | tst.js:308:10:308:17 | location | tst.js:311:20:311:20 | e | $@ is reinterpreted as HTML without escaping meta-characters. | tst.js:308:10:308:17 | location | Exception text |

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/externs.js

@@ -0,0 +1,48 @@
+// Adapted from the Google Closure externs; original copyright header included below.
+/*
+ * Copyright 2008 The Closure Compiler Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @externs
+ */
+
+/**
+ * @interface
+ */
+function EventTarget() {}
+
+/**
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
+ */
+var document;

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected

@@ -35,9 +35,6 @@ nodes
 | etherpad.js:9:16:9:53 | req.que ... e + ")" |
 | etherpad.js:11:12:11:19 | response |
 | etherpad.js:11:12:11:19 | response |
-| exception-xss.js:190:12:190:24 | req.params.id |
-| exception-xss.js:190:12:190:24 | req.params.id |
-| exception-xss.js:190:12:190:24 | req.params.id |
 | formatting.js:4:9:4:29 | evil |
 | formatting.js:4:16:4:29 | req.query.evil |
 | formatting.js:4:16:4:29 | req.query.evil |
@@ -129,7 +126,6 @@ edges
 | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" |
 | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" |
 | etherpad.js:9:16:9:53 | req.que ... e + ")" | etherpad.js:9:5:9:53 | response |
-| exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id |
 | formatting.js:4:9:4:29 | evil | formatting.js:6:43:6:46 | evil |
 | formatting.js:4:9:4:29 | evil | formatting.js:7:49:7:52 | evil |
 | formatting.js:4:16:4:29 | req.query.evil | formatting.js:4:9:4:29 | evil |
@@ -188,7 +184,6 @@ edges
 | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
 | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value |
 | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
-| exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id | Cross-site scripting vulnerability due to $@. | exception-xss.js:190:12:190:24 | req.params.id | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected

@@ -5,7 +5,6 @@
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
 | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value |
-| exception-xss.js:190:12:190:24 | req.params.id | Cross-site scripting vulnerability due to $@. | exception-xss.js:190:12:190:24 | req.params.id | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/externs.js

@@ -0,0 +1,48 @@
+// Adapted from the Google Closure externs; original copyright header included below.
+/*
+ * Copyright 2008 The Closure Compiler Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @externs
+ */
+
+/**
+ * @interface
+ */
+function EventTarget() {}
+
+/**
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
+ */
+var document;

javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.StoredXss as StoredXss

javascript/ql/test/query-tests/Security/CWE-079/StoredXss/externs.js

@@ -0,0 +1,48 @@
+// Adapted from the Google Closure externs; original copyright header included below.
+/*
+ * Copyright 2008 The Closure Compiler Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @externs
+ */
+
+/**
+ * @interface
+ */
+function EventTarget() {}
+
+/**
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
+ */
+var document;

javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.UnsafeJQueryPlugin as UnsafeJqueryPlugin

javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/externs.js

@@ -0,0 +1,48 @@
+// Adapted from the Google Closure externs; original copyright header included below.
+/*
+ * Copyright 2008 The Closure Compiler Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @externs
+ */
+
+/**
+ * @interface
+ */
+function EventTarget() {}
+
+/**
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
+ */
+var document;

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.XssThroughDom as ThroughDomXss

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/externs.js

@@ -0,0 +1,48 @@
+// Adapted from the Google Closure externs; original copyright header included below.
+/*
+ * Copyright 2008 The Closure Compiler Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @externs
+ */
+
+/**
+ * @interface
+ */
+function EventTarget() {}
+
+/**
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
+ */
+var document;