Merge pull request #19078 from asgerf/js/name-resolution

JS: QL-side type/name resolution for TypeScript and JSDoc
2026-04-28 18:25:24 +02:00 · 2025-06-11 14:17:11 +02:00
parent f038e2f809 e848aa747b
commit 423ffc78db
79 changed files with 3729 additions and 2180 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -62,6 +62,8 @@
 | dragAndDrop.ts:73:29:73:39 | droppedHtml | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | user-provided value |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value |
 | express.js:6:15:6:33 | req.param("wobble") | express.js:6:15:6:33 | req.param("wobble") | express.js:6:15:6:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:6:15:6:33 | req.param("wobble") | user-provided value |
+| jquery-declare-any.ts:6:7:6:17 | window.name | jquery-declare-any.ts:6:7:6:17 | window.name | jquery-declare-any.ts:6:7:6:17 | window.name | Cross-site scripting vulnerability due to $@. | jquery-declare-any.ts:6:7:6:17 | window.name | user-provided value |
+| jquery-declare-type.ts:6:7:6:17 | window.name | jquery-declare-type.ts:6:7:6:17 | window.name | jquery-declare-type.ts:6:7:6:17 | window.name | Cross-site scripting vulnerability due to $@. | jquery-declare-type.ts:6:7:6:17 | window.name | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | jquery.js:10:5:10:40 | "<b>" + ...  "</b>" | jquery.js:10:13:10:20 | location | jquery.js:10:5:10:40 | "<b>" + ...  "</b>" | Cross-site scripting vulnerability due to $@. | jquery.js:10:13:10:20 | location | user-provided value |
@@ -954,6 +956,8 @@ nodes
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | semmle.label | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | semmle.label | location.href |
 | express.js:6:15:6:33 | req.param("wobble") | semmle.label | req.param("wobble") |
+| jquery-declare-any.ts:6:7:6:17 | window.name | semmle.label | window.name |
+| jquery-declare-type.ts:6:7:6:17 | window.name | semmle.label | window.name |
 | jquery.js:2:7:2:40 | tainted | semmle.label | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search |
 | jquery.js:4:5:4:11 | tainted | semmle.label | tainted |
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -182,6 +182,8 @@ nodes
 | hana.js:85:35:85:54 | tableRows[0].comment | semmle.label | tableRows[0].comment |
 | hana.js:90:33:90:34 | rs | semmle.label | rs |
 | hana.js:90:33:90:45 | rs[0].comment | semmle.label | rs[0].comment |
+| jquery-declare-any.ts:6:7:6:17 | window.name | semmle.label | window.name |
+| jquery-declare-type.ts:6:7:6:17 | window.name | semmle.label | window.name |
 | jquery.js:2:7:2:40 | tainted | semmle.label | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search |
 | jquery.js:4:5:4:11 | tainted | semmle.label | tainted |
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery-declare-any.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery-declare-any.ts
@@ -0,0 +1,7 @@
+import 'dummy';
+
+declare var $: any;
+
+function t() {
+    $(window.name); // $ Alert
+}
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery-declare-type.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery-declare-type.ts
@@ -0,0 +1,7 @@
+import 'dummy';
+
+declare var $: JQueryStatic;
+
+function t() {
+    $(window.name); // $ Alert
+}
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
@@ -22,7 +22,6 @@
 | main.js:111:37:111:37 | x | main.js:98:43:98:43 | x | main.js:111:37:111:37 | x | This markdown rendering which depends on $@ might later allow $@. | main.js:98:43:98:43 | x | library input | main.js:112:24:112:26 | svg | cross-site scripting |
 | main.js:117:34:117:34 | s | main.js:116:47:116:47 | s | main.js:117:34:117:34 | s | This markdown rendering which depends on $@ might later allow $@. | main.js:116:47:116:47 | s | library input | main.js:118:53:118:56 | html | cross-site scripting |
 | typed.ts:2:29:2:29 | s | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | This HTML construction which depends on $@ might later allow $@. | typed.ts:1:39:1:39 | s | library input | typed.ts:3:31:3:34 | html | cross-site scripting |
-| typed.ts:8:40:8:40 | s | typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | This HTML construction which depends on $@ might later allow $@. | typed.ts:6:43:6:43 | s | library input | typed.ts:8:29:8:52 | "<span> ... /span>" | cross-site scripting |
 edges
 | jquery-plugin.js:11:27:11:31 | stuff | jquery-plugin.js:14:31:14:35 | stuff | provenance |  |
 | jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:37 | options | provenance |  |
@@ -69,7 +68,6 @@ edges
 | main.js:98:43:98:43 | x | main.js:111:37:111:37 | x | provenance |  |
 | main.js:116:47:116:47 | s | main.js:117:34:117:34 | s | provenance |  |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | provenance |  |
-| typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | provenance |  |
 nodes
 | jquery-plugin.js:11:27:11:31 | stuff | semmle.label | stuff |
 | jquery-plugin.js:11:34:11:40 | options | semmle.label | options |
@@ -128,6 +126,4 @@ nodes
 | main.js:117:34:117:34 | s | semmle.label | s |
 | typed.ts:1:39:1:39 | s | semmle.label | s |
 | typed.ts:2:29:2:29 | s | semmle.label | s |
-| typed.ts:6:43:6:43 | s | semmle.label | s |
-| typed.ts:8:40:8:40 | s | semmle.label | s |
 subpaths
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts
@@ -3,9 +3,9 @@ export function basicHtmlConstruction(s: string) { // $ Source
    document.body.innerHTML = html;
 }

-export function insertIntoCreatedDocument(s: string) { // $ Source
+export function insertIntoCreatedDocument(s: string) {
    const newDoc = document.implementation.createHTMLDocument("");
-    newDoc.body.innerHTML = "<span>" + s + "</span>"; // $ SPURIOUS: Alert - inserted into document disconnected from the main DOM.
+    newDoc.body.innerHTML = "<span>" + s + "</span>"; // OK - inserted into document disconnected from the main DOM.
 }

 export function id(s: string) {
@@ -17,4 +17,3 @@ export function notVulnerable() {
    const html = "<span>" + s + "</span>";
    document.body.innerHTML = html;
 }
-