Merge pull request #444 from esben-semmle/js/browser-based-client-requests

JS: add models of $.ajax, $.getJSON and XMLHttpRequst

javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll

@@ -246,3 +246,14 @@ private class SuperAgentUrlRequest extends CustomClientRequest {
   }
 
 }
+
+/**
+ * A model of a URL request made using the `XMLHttpRequest` browser class.
+ */
+private class XMLHttpRequest extends CustomClientRequest {
+  XMLHttpRequest() { this = DataFlow::globalVarRef("XMLHttpRequest").getAnInstantiation() }
+
+  override DataFlow::Node getUrl() { result = getAMethodCall("open").getArgument(1) }
+
+  override DataFlow::Node getADataNode() { result = getAMethodCall("send").getArgument(0) }
+}

javascript/ql/src/semmle/javascript/frameworks/jQuery.qll

@@ -340,3 +340,24 @@ private class JQueryChainedElement extends DOM::Element {
     )
   }
 }
+
+/**
+ * A model of a URL request made using the `jQuery.ajax` or `jQuery.getJSON`.
+ */
+private class JQueryClientRequest extends CustomClientRequest {
+  JQueryClientRequest() {
+    exists(string name |
+      name = "ajax" or
+      name = "getJSON"
+      |
+      this = jquery().getAMemberCall(name)
+    )
+  }
+
+  override DataFlow::Node getUrl() {
+    result = getArgument(0) or
+    result = getOptionArgument([0 .. 1], "url")
+  }
+
+  override DataFlow::Node getADataNode() { result = getOptionArgument([0 .. 1], "data") }
+}