Merge pull request #698 from asger-semmle/remove-cookie-as-source

Approved by esben-semmle

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.expected

@@ -53,7 +53,7 @@ nodes
 | TaintedPath.js:65:54:65:57 | path |
 | TaintedPath.js:67:29:67:61 | pathMod ... h(path) |
 | TaintedPath.js:67:57:67:60 | path |
-| TaintedPath.js:78:26:78:40 | document.cookie |
+| TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") |
 | TaintedPath.js:84:31:84:70 | require ... eq.url) |
 | TaintedPath.js:84:31:84:76 | require ... ).query |
 | TaintedPath.js:84:63:84:69 | req.url |
@@ -64,6 +64,9 @@ nodes
 | TaintedPath.js:86:31:86:73 | require ... ).query |
 | TaintedPath.js:86:60:86:66 | req.url |
 | TaintedPath.js:94:48:94:60 | req.params[0] |
+| TaintedPath.js:102:30:102:31 | ev |
+| TaintedPath.js:103:24:103:25 | ev |
+| TaintedPath.js:103:24:103:30 | ev.data |
 | tainted-array-steps.js:9:7:9:48 | path |
 | tainted-array-steps.js:9:14:9:37 | url.par ... , true) |
 | tainted-array-steps.js:9:14:9:43 | url.par ... ).query |
@@ -143,6 +146,9 @@ edges
 | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:68 | require ... eq.url) |
 | TaintedPath.js:86:31:86:67 | require ... eq.url) | TaintedPath.js:86:31:86:73 | require ... ).query |
 | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:67 | require ... eq.url) |
+| TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:103:24:103:25 | ev |
+| TaintedPath.js:103:24:103:25 | ev | TaintedPath.js:103:24:103:30 | ev.data |
+| TaintedPath.js:103:24:103:30 | ev.data | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") |
 | tainted-array-steps.js:9:7:9:48 | path | tainted-array-steps.js:11:40:11:43 | path |
 | tainted-array-steps.js:9:7:9:48 | path | tainted-array-steps.js:13:26:13:29 | path |
 | tainted-array-steps.js:9:14:9:37 | url.par ... , true) | tainted-array-steps.js:9:14:9:43 | url.par ... ).query |
@@ -178,7 +184,7 @@ edges
 | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:63:29:63:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
 | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:65:29:65:61 | pathMod ... ath, z) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
 | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | TaintedPath.js:45:20:45:26 | req.url | TaintedPath.js:67:29:67:61 | pathMod ... h(path) | This path depends on $@. | TaintedPath.js:45:20:45:26 | req.url | a user-provided value |
-| TaintedPath.js:78:26:78:40 | document.cookie | TaintedPath.js:78:26:78:40 | document.cookie | TaintedPath.js:78:26:78:40 | document.cookie | This path depends on $@. | TaintedPath.js:78:26:78:40 | document.cookie | a user-provided value |
+| TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | TaintedPath.js:102:30:102:31 | ev | TaintedPath.js:78:26:78:45 | Cookie.get("unsafe") | This path depends on $@. | TaintedPath.js:102:30:102:31 | ev | a user-provided value |
 | TaintedPath.js:84:31:84:76 | require ... ).query | TaintedPath.js:84:63:84:69 | req.url | TaintedPath.js:84:31:84:76 | require ... ).query | This path depends on $@. | TaintedPath.js:84:63:84:69 | req.url | a user-provided value |
 | TaintedPath.js:85:31:85:74 | require ... ).query | TaintedPath.js:85:61:85:67 | req.url | TaintedPath.js:85:31:85:74 | require ... ).query | This path depends on $@. | TaintedPath.js:85:61:85:67 | req.url | a user-provided value |
 | TaintedPath.js:86:31:86:73 | require ... ).query | TaintedPath.js:86:60:86:66 | req.url | TaintedPath.js:86:31:86:73 | require ... ).query | This path depends on $@. | TaintedPath.js:86:60:86:66 | req.url | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath.js

@@ -75,7 +75,7 @@ angular.module('myApp', [])
     })
     .directive('myCustomer', function() {
         return {
-            templateUrl: document.cookie // NOT OK
+            templateUrl: Cookie.get("unsafe") // NOT OK
         }
     })
 
@@ -98,3 +98,7 @@ var server = http.createServer(function(req, res) {
     application.get('/views/*', views_imported);
 
 })();
+
+addEventListener('message', (ev) => {
+  Cookie.set("unsafe", ev.data);
+});

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection.expected

@@ -1,18 +1,32 @@
 nodes
-| angularjs.js:10:22:10:36 | document.cookie |
-| angularjs.js:13:23:13:37 | document.cookie |
-| angularjs.js:16:28:16:42 | document.cookie |
-| angularjs.js:19:22:19:36 | document.cookie |
-| angularjs.js:22:27:22:41 | document.cookie |
-| angularjs.js:25:23:25:37 | document.cookie |
-| angularjs.js:28:33:28:47 | document.cookie |
-| angularjs.js:31:28:31:42 | document.cookie |
-| angularjs.js:34:18:34:32 | document.cookie |
-| angularjs.js:40:18:40:32 | document.cookie |
-| angularjs.js:44:17:44:31 | document.cookie |
-| angularjs.js:47:16:47:30 | document.cookie |
-| angularjs.js:50:22:50:36 | document.cookie |
-| angularjs.js:53:32:53:46 | document.cookie |
+| angularjs.js:10:22:10:29 | location |
+| angularjs.js:10:22:10:36 | location.search |
+| angularjs.js:13:23:13:30 | location |
+| angularjs.js:13:23:13:37 | location.search |
+| angularjs.js:16:28:16:35 | location |
+| angularjs.js:16:28:16:42 | location.search |
+| angularjs.js:19:22:19:29 | location |
+| angularjs.js:19:22:19:36 | location.search |
+| angularjs.js:22:27:22:34 | location |
+| angularjs.js:22:27:22:41 | location.search |
+| angularjs.js:25:23:25:30 | location |
+| angularjs.js:25:23:25:37 | location.search |
+| angularjs.js:28:33:28:40 | location |
+| angularjs.js:28:33:28:47 | location.search |
+| angularjs.js:31:28:31:35 | location |
+| angularjs.js:31:28:31:42 | location.search |
+| angularjs.js:34:18:34:25 | location |
+| angularjs.js:34:18:34:32 | location.search |
+| angularjs.js:40:18:40:25 | location |
+| angularjs.js:40:18:40:32 | location.search |
+| angularjs.js:44:17:44:24 | location |
+| angularjs.js:44:17:44:31 | location.search |
+| angularjs.js:47:16:47:23 | location |
+| angularjs.js:47:16:47:30 | location.search |
+| angularjs.js:50:22:50:29 | location |
+| angularjs.js:50:22:50:36 | location.search |
+| angularjs.js:53:32:53:39 | location |
+| angularjs.js:53:32:53:46 | location.search |
 | eslint-escope-build.js:20:22:20:22 | c |
 | eslint-escope-build.js:21:16:21:16 | c |
 | express.js:7:24:7:62 | "return ... obble") |
@@ -33,13 +47,28 @@ nodes
 | tst.js:2:6:2:83 | documen ... t=")+8) |
 | tst.js:5:12:5:28 | document.location |
 | tst.js:5:12:5:33 | documen ... on.hash |
-| tst.js:14:10:14:24 | document.cookie |
-| tst.js:14:10:14:65 | documen ... , "$1") |
+| tst.js:14:10:14:26 | document.location |
+| tst.js:14:10:14:33 | documen ... .search |
+| tst.js:14:10:14:74 | documen ... , "$1") |
 | tst.js:17:21:17:37 | document.location |
 | tst.js:17:21:17:42 | documen ... on.hash |
 | tst.js:20:30:20:46 | document.location |
 | tst.js:20:30:20:51 | documen ... on.hash |
 edges
+| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
+| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
+| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
+| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
+| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
+| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
+| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
+| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
+| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
+| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
+| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
+| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
+| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
+| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
 | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
 | express.js:7:24:7:62 | "return ... obble") | express.js:7:24:7:69 | "return ...  + "];" |
 | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:62 | "return ... obble") |
@@ -53,24 +82,25 @@ edges
 | tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href |
 | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
 | tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
-| tst.js:14:10:14:24 | document.cookie | tst.js:14:10:14:65 | documen ... , "$1") |
+| tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search |
+| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
 | tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
 | tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
 #select
-| angularjs.js:10:22:10:36 | document.cookie | angularjs.js:10:22:10:36 | document.cookie | angularjs.js:10:22:10:36 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:10:22:10:36 | document.cookie | User-provided value |
-| angularjs.js:13:23:13:37 | document.cookie | angularjs.js:13:23:13:37 | document.cookie | angularjs.js:13:23:13:37 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:13:23:13:37 | document.cookie | User-provided value |
-| angularjs.js:16:28:16:42 | document.cookie | angularjs.js:16:28:16:42 | document.cookie | angularjs.js:16:28:16:42 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:16:28:16:42 | document.cookie | User-provided value |
-| angularjs.js:19:22:19:36 | document.cookie | angularjs.js:19:22:19:36 | document.cookie | angularjs.js:19:22:19:36 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:19:22:19:36 | document.cookie | User-provided value |
-| angularjs.js:22:27:22:41 | document.cookie | angularjs.js:22:27:22:41 | document.cookie | angularjs.js:22:27:22:41 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:22:27:22:41 | document.cookie | User-provided value |
-| angularjs.js:25:23:25:37 | document.cookie | angularjs.js:25:23:25:37 | document.cookie | angularjs.js:25:23:25:37 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:25:23:25:37 | document.cookie | User-provided value |
-| angularjs.js:28:33:28:47 | document.cookie | angularjs.js:28:33:28:47 | document.cookie | angularjs.js:28:33:28:47 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:28:33:28:47 | document.cookie | User-provided value |
-| angularjs.js:31:28:31:42 | document.cookie | angularjs.js:31:28:31:42 | document.cookie | angularjs.js:31:28:31:42 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:31:28:31:42 | document.cookie | User-provided value |
-| angularjs.js:34:18:34:32 | document.cookie | angularjs.js:34:18:34:32 | document.cookie | angularjs.js:34:18:34:32 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:34:18:34:32 | document.cookie | User-provided value |
-| angularjs.js:40:18:40:32 | document.cookie | angularjs.js:40:18:40:32 | document.cookie | angularjs.js:40:18:40:32 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:40:18:40:32 | document.cookie | User-provided value |
-| angularjs.js:44:17:44:31 | document.cookie | angularjs.js:44:17:44:31 | document.cookie | angularjs.js:44:17:44:31 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:44:17:44:31 | document.cookie | User-provided value |
-| angularjs.js:47:16:47:30 | document.cookie | angularjs.js:47:16:47:30 | document.cookie | angularjs.js:47:16:47:30 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:30 | document.cookie | User-provided value |
-| angularjs.js:50:22:50:36 | document.cookie | angularjs.js:50:22:50:36 | document.cookie | angularjs.js:50:22:50:36 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:36 | document.cookie | User-provided value |
-| angularjs.js:53:32:53:46 | document.cookie | angularjs.js:53:32:53:46 | document.cookie | angularjs.js:53:32:53:46 | document.cookie | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:46 | document.cookie | User-provided value |
+| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:10:22:10:29 | location | User-provided value |
+| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:13:23:13:30 | location | User-provided value |
+| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:16:28:16:35 | location | User-provided value |
+| angularjs.js:19:22:19:36 | location.search | angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:19:22:19:29 | location | User-provided value |
+| angularjs.js:22:27:22:41 | location.search | angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:22:27:22:34 | location | User-provided value |
+| angularjs.js:25:23:25:37 | location.search | angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:25:23:25:30 | location | User-provided value |
+| angularjs.js:28:33:28:47 | location.search | angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:28:33:28:40 | location | User-provided value |
+| angularjs.js:31:28:31:42 | location.search | angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:31:28:31:35 | location | User-provided value |
+| angularjs.js:34:18:34:32 | location.search | angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:34:18:34:25 | location | User-provided value |
+| angularjs.js:40:18:40:32 | location.search | angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:40:18:40:25 | location | User-provided value |
+| angularjs.js:44:17:44:31 | location.search | angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:44:17:44:24 | location | User-provided value |
+| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:23 | location | User-provided value |
+| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:29 | location | User-provided value |
+| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:39 | location | User-provided value |
 | eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value |
 | express.js:7:24:7:69 | "return ...  + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:7:44:7:62 | req.param("wobble") | User-provided value |
 | express.js:9:34:9:79 | "return ...  + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:9:54:9:72 | req.param("wobble") | User-provided value |
@@ -79,6 +109,6 @@ edges
 | react-native.js:10:23:10:29 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:10:23:10:29 | tainted | $@ flows to here and is interpreted as code. | react-native.js:7:17:7:33 | req.param("code") | User-provided value |
 | tst.js:2:6:2:83 | documen ... t=")+8) | tst.js:2:6:2:22 | document.location | tst.js:2:6:2:83 | documen ... t=")+8) | $@ flows to here and is interpreted as code. | tst.js:2:6:2:22 | document.location | User-provided value |
 | tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:5:12:5:28 | document.location | User-provided value |
-| tst.js:14:10:14:65 | documen ... , "$1") | tst.js:14:10:14:24 | document.cookie | tst.js:14:10:14:65 | documen ... , "$1") | $@ flows to here and is interpreted as code. | tst.js:14:10:14:24 | document.cookie | User-provided value |
+| tst.js:14:10:14:74 | documen ... , "$1") | tst.js:14:10:14:26 | document.location | tst.js:14:10:14:74 | documen ... , "$1") | $@ flows to here and is interpreted as code. | tst.js:14:10:14:26 | document.location | User-provided value |
 | tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:17:21:17:37 | document.location | User-provided value |
 | tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash | $@ flows to here and is interpreted as code. | tst.js:20:30:20:46 | document.location | User-provided value |

javascript/ql/test/query-tests/Security/CWE-094/angularjs.js

@@ -1,66 +1,66 @@
 angular.module('myModule', [])
     .controller('MyController', function($scope) {
-        $scope.$on(document.cookie); // OK
+        $scope.$on(location.search); // OK
     })
     .controller('MyController', function($scope) {
         $scope.$apply('hello'); // OK
     })
     .controller('MyController', function($scope) {
         var scope = $scope;
-        scope.$apply(document.cookie); // BAD
+        scope.$apply(location.search); // BAD
     })
     .controller('MyController', function($scope) {
-        $scope.$apply(document.cookie); // BAD
+        $scope.$apply(location.search); // BAD
     })
     .controller('MyController', function($scope) {
-        $scope.$applyAsync(document.cookie); // BAD
+        $scope.$applyAsync(location.search); // BAD
     })
     .controller('MyController', function($scope) {
-        $scope.$eval(document.cookie); // BAD
+        $scope.$eval(location.search); // BAD
     })
     .controller('MyController', function($scope) {
-        $scope.$evalAsync(document.cookie); // BAD
+        $scope.$evalAsync(location.search); // BAD
     })
     .controller('MyController', function($scope) {
-        $scope.$watch(document.cookie); // BAD
+        $scope.$watch(location.search); // BAD
     })
     .controller('MyController', function($scope) {
-        $scope.$watchCollection(document.cookie); // BAD
+        $scope.$watchCollection(location.search); // BAD
     })
     .controller('MyController', function($scope) {
-        $scope.$watchGroup(document.cookie); // BAD
+        $scope.$watchGroup(location.search); // BAD
     })
     .controller('MyController', function($compile) {
-        $compile(document.cookie); // BAD
+        $compile(location.search); // BAD
     })
     .controller('MyController', function($compile) {
         $compile('hello'); // OK
     })
     .controller('MyController', function($compile) {
-        $compile(document.cookie); // BAD
+        $compile(location.search); // BAD
     })
     .controller('MyController', function($compile) {
         var compile = $compile;
-        compile(document.cookie); // BAD
+        compile(location.search); // BAD
     })
     .controller('MyController', function($parse) {
-        $parse(document.cookie); // BAD
+        $parse(location.search); // BAD
     })
     .controller('MyController', function($interpolate) {
-        $interpolate(document.cookie); // BAD
+        $interpolate(location.search); // BAD
     })
     .controller('MyController', function($filter) {
-        $filter('orderBy')([], document.cookie); // BAD
+        $filter('orderBy')([], location.search); // BAD
     })
     .controller('MyController', function($filter) {
         $filter('orderBy')([], 'hello'); // OK
     })
     .controller('MyController', function($filter) {
-        $filter('random')([], document.cookie); // OK
+        $filter('random')([], location.search); // OK
     })
     .controller('MyController', function($someService) {
-        $someService('orderBy')([], document.cookie); // OK
+        $someService('orderBy')([], location.search); // OK
     })
     .controller('MyController', function($someService) {
-        $someService(document.cookie); // OK
-    })
+        $someService(location.search); // OK
+    });

javascript/ql/test/query-tests/Security/CWE-094/tst.js

@@ -11,7 +11,7 @@ setTimeout(document.location.protocol);
 $('. ' + document.location.hostname);
 
 // NOT OK
-Function(document.cookie.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1"));
+Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1"));
 
 // NOT OK
 WebAssembly.compile(document.location.hash);