Merge pull request #1278 from xiemaisi/js/symbolic-constants

JavaScript: Generalise `ConstantComparison` sanitisers.

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected

@@ -39,6 +39,10 @@ nodes
 | tst2.js:6:12:6:15 | q: r |
 | tst2.js:7:12:7:12 | p |
 | tst2.js:8:12:8:12 | r |
+| tst2.js:14:7:14:24 | p |
+| tst2.js:14:9:14:9 | p |
+| tst2.js:18:12:18:12 | p |
+| tst2.js:21:14:21:14 | p |
 edges
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
 | etherpad.js:9:5:9:53 | response | etherpad.js:11:3:11:3 | response |
@@ -77,6 +81,9 @@ edges
 | tst2.js:6:7:6:30 | r | tst2.js:8:12:8:12 | r |
 | tst2.js:6:9:6:9 | p | tst2.js:6:7:6:30 | p |
 | tst2.js:6:12:6:15 | q: r | tst2.js:6:7:6:30 | r |
+| tst2.js:14:7:14:24 | p | tst2.js:18:12:18:12 | p |
+| tst2.js:14:7:14:24 | p | tst2.js:21:14:21:14 | p |
+| tst2.js:14:9:14:9 | p | tst2.js:14:7:14:24 | p |
 #select
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
@@ -90,3 +97,5 @@ edges
 | promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
 | tst2.js:8:12:8:12 | r | tst2.js:6:12:6:15 | q: r | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
+| tst2.js:18:12:18:12 | p | tst2.js:14:9:14:9 | p | tst2.js:18:12:18:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
+| tst2.js:21:14:21:14 | p | tst2.js:14:9:14:9 | p | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer.expected

@@ -8,3 +8,5 @@
 | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
 | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
+| tst2.js:18:12:18:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
+| tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/tst2.js

@@ -4,6 +4,21 @@ var app = express();
 
 app.get('/user/:id', function(req, res) {
   let { p, q: r } = req.params;
-  res.send(p);
-  res.send(r);
+  res.send(p); // NOT OK
+  res.send(r); // NOT OK
+});
+
+const aKnownValue = "foo";
+
+app.get('/bar', function(req, res) {
+  let { p } = req.params;
+
+  if (p == aKnownValue)
+    res.send(p); // OK
+  res.send(p);   // NOT OK
+
+  if (p != aKnownValue)
+    res.send(p); // NOT OK
+  else
+    res.send(p); // OK
 });