Merge remote-tracking branch 'origin/main' into js/quality/loop_shift

2026-04-25 00:35:20 +02:00 · 2025-06-19 10:21:52 +02:00
parent 10d10286f7 2e5d52e7e8
commit 53cae4fa97
737 changed files with 98256 additions and 20372 deletions
--- a/javascript/ql/test/query-tests/Declarations/SuspiciousMethodNameDeclaration/SuspiciousMethodNameDeclaration.expected
+++ b/javascript/ql/test/query-tests/Declarations/SuspiciousMethodNameDeclaration/SuspiciousMethodNameDeclaration.expected
@@ -2,3 +2,14 @@
 | tst.ts:16:3:16:21 | function(): number; | The member name 'function' does not declare a function, it declares a method named 'function'. |
 | tst.ts:37:3:37:21 | function(): number; | The member name 'function' does not declare a function, it declares a method named 'function'. |
 | tst.ts:48:3:48:13 | new(): Quz; | The member name 'new' does not declare a constructor, but 'constructor' does in class declarations. |
+| tst.ts:60:3:60:21 | function(): number; | The member name 'function' does not declare a function, it declares a method named 'function'. |
+| tst.ts:64:3:64:24 | constru ... number; | The member name 'constructor' does not declare a constructor in interfaces, but it does in classes. |
+| tst.ts:74:3:74:30 | functio ... string; | The member name 'function' does not declare a function, it declares a method named 'function'. |
+| tst.ts:75:3:75:30 | functio ... number; | The member name 'function' does not declare a function, it declares a method named 'function'. |
+| tst.ts:76:3:76:24 | functio ... ): any; | The member name 'function' does not declare a function, it declares a method named 'function'. |
+| tst.ts:80:3:80:23 | abstrac ... : void; | The member name 'new' does not declare a constructor, but 'constructor' does in class declarations. |
+| tst.ts:84:3:84:30 | abstrac ... number; | The member name 'function' does not declare a function, it declares a method named 'function'. |
+| tst.ts:93:5:93:21 | function(): void; | The member name 'function' does not declare a function, it declares a method named 'function'. |
+| tst.ts:98:3:98:21 | function(): number; | The member name 'function' does not declare a function, it declares a method named 'function'. |
+| tst.ts:110:3:110:24 | constru ... number; | The member name 'constructor' does not declare a constructor in interfaces, but it does in classes. |
+| tst.ts:116:3:116:24 | constru ... number; | The member name 'constructor' does not declare a constructor in interfaces, but it does in classes. |
--- a/javascript/ql/test/query-tests/Declarations/SuspiciousMethodNameDeclaration/tst.ts
+++ b/javascript/ql/test/query-tests/Declarations/SuspiciousMethodNameDeclaration/tst.ts
@@ -50,3 +50,70 @@ declare class Quz {

 var bla = new Foo();
 var blab = new Baz();
+
+
+interface X {
+  constructor: () => string; // Just a property, not a method.
+}
+
+type A = {
+  function(): number; // $ Alert
+};
+
+type B = {
+  constructor(): number; // $ Alert
+  new(): number;
+};
+
+class StaticMethods {
+  static function(): void {}
+  static new(): void {}
+}
+
+interface Overloaded {
+  function(x: string): string; // $Alert
+  function(x: number): number; // $Alert
+  function(x: any): any; // $Alert
+}
+
+abstract class AbstractFoo {
+  abstract new(): void; // $Alert
+}
+
+abstract class AbstractFooFunction {
+  abstract function(): number; // $Alert
+}
+
+abstract class AbstractFooConstructor {
+  constructor(){}
+}
+
+declare module "some-module" {
+  interface ModuleInterface {
+    function(): void;  // $Alert
+  }
+}
+
+type Intersection = {
+  function(): number; // $Alert
+} & {
+  other(): string;
+};
+
+type Union = {
+  new(): number;
+} | {
+  valid(): string;
+};
+
+type Union2 = {
+  constructor(): number; // $Alert
+} | {
+  valid(): string;
+};
+
+type Intersection2 = {
+  constructor(): number; // $Alert
+} & {
+  other(): string;
+};
--- a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js
@@ -40,4 +40,30 @@ function foo1() {
    writer.emit("Name: ${name}, Date: ${date}.", data);

    writer.emit("Name: ${name}, Date: ${date}, ${foobar}", data); // $ Alert - `foobar` is not in `data`.
-}
+}
+
+function a(actual, expected, description) {
+    assert(false, "a", description, "expected (" +
+        typeof expected + ") ${expected} but got (" + typeof actual + ") ${actual}", {
+            expected: expected,
+            actual: actual
+        });
+}
+
+function replacer(str, name) {
+    return str.replace("${name}", name);
+}
+
+function replacerAll(str, name) {
+    return str.replaceAll("${name}", name);
+}
+
+function manualInterpolation(name) {
+    let str = "Name: ${name}";
+    let result1 = replacer(str, name);
+    console.log(result1); 
+
+    str = "Name: ${name} and again: ${name}";
+    let result2 = replacerAll(str, name);
+    console.log(result2);
+}
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -70,6 +70,8 @@
 | tst2.js:76:12:76:18 | other.p | tst2.js:69:9:69:9 | p | tst2.js:76:12:76:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:69:9:69:9 | p | user-provided value |
 | tst2.js:88:12:88:12 | p | tst2.js:82:9:82:9 | p | tst2.js:88:12:88:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:82:9:82:9 | p | user-provided value |
 | tst2.js:89:12:89:18 | other.p | tst2.js:82:9:82:9 | p | tst2.js:89:12:89:18 | other.p | Cross-site scripting vulnerability due to a $@. | tst2.js:82:9:82:9 | p | user-provided value |
+| tst2.js:101:12:101:17 | unsafe | tst2.js:93:9:93:9 | p | tst2.js:101:12:101:17 | unsafe | Cross-site scripting vulnerability due to a $@. | tst2.js:93:9:93:9 | p | user-provided value |
+| tst2.js:113:12:113:17 | unsafe | tst2.js:105:9:105:9 | p | tst2.js:113:12:113:17 | unsafe | Cross-site scripting vulnerability due to a $@. | tst2.js:105:9:105:9 | p | user-provided value |
 | tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to a $@. | tst3.js:5:9:5:9 | p | user-provided value |
 | tst3.js:12:12:12:15 | code | tst3.js:11:32:11:39 | reg.body | tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to a $@. | tst3.js:11:32:11:39 | reg.body | user-provided value |
 edges
@@ -239,6 +241,22 @@ edges
 | tst2.js:86:15:86:27 | sortKeys(obj) [p] | tst2.js:86:7:86:27 | other [p] | provenance |  |
 | tst2.js:86:24:86:26 | obj [p] | tst2.js:86:15:86:27 | sortKeys(obj) [p] | provenance |  |
 | tst2.js:89:12:89:16 | other [p] | tst2.js:89:12:89:18 | other.p | provenance |  |
+| tst2.js:93:7:93:24 | p | tst2.js:99:51:99:51 | p | provenance |  |
+| tst2.js:93:9:93:9 | p | tst2.js:93:7:93:24 | p | provenance |  |
+| tst2.js:99:7:99:69 | unsafe | tst2.js:101:12:101:17 | unsafe | provenance |  |
+| tst2.js:99:16:99:69 | seriali ...  true}) | tst2.js:99:7:99:69 | unsafe | provenance |  |
+| tst2.js:99:36:99:52 | {someProperty: p} [someProperty] | tst2.js:99:16:99:69 | seriali ...  true}) | provenance |  |
+| tst2.js:99:51:99:51 | p | tst2.js:99:16:99:69 | seriali ...  true}) | provenance |  |
+| tst2.js:99:51:99:51 | p | tst2.js:99:36:99:52 | {someProperty: p} [someProperty] | provenance |  |
+| tst2.js:105:7:105:24 | p | tst2.js:110:28:110:28 | p | provenance |  |
+| tst2.js:105:9:105:9 | p | tst2.js:105:7:105:24 | p | provenance |  |
+| tst2.js:110:7:110:29 | obj [someProperty] | tst2.js:111:36:111:38 | obj [someProperty] | provenance |  |
+| tst2.js:110:13:110:29 | {someProperty: p} [someProperty] | tst2.js:110:7:110:29 | obj [someProperty] | provenance |  |
+| tst2.js:110:28:110:28 | p | tst2.js:110:13:110:29 | {someProperty: p} [someProperty] | provenance |  |
+| tst2.js:110:28:110:28 | p | tst2.js:111:16:111:55 | seriali ...  true}) | provenance |  |
+| tst2.js:111:7:111:55 | unsafe | tst2.js:113:12:113:17 | unsafe | provenance |  |
+| tst2.js:111:16:111:55 | seriali ...  true}) | tst2.js:111:7:111:55 | unsafe | provenance |  |
+| tst2.js:111:36:111:38 | obj [someProperty] | tst2.js:111:16:111:55 | seriali ...  true}) | provenance |  |
 | tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p | provenance |  |
 | tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p | provenance |  |
 | tst3.js:11:9:11:74 | code | tst3.js:12:12:12:15 | code | provenance |  |
@@ -457,6 +475,22 @@ nodes
 | tst2.js:88:12:88:12 | p | semmle.label | p |
 | tst2.js:89:12:89:16 | other [p] | semmle.label | other [p] |
 | tst2.js:89:12:89:18 | other.p | semmle.label | other.p |
+| tst2.js:93:7:93:24 | p | semmle.label | p |
+| tst2.js:93:9:93:9 | p | semmle.label | p |
+| tst2.js:99:7:99:69 | unsafe | semmle.label | unsafe |
+| tst2.js:99:16:99:69 | seriali ...  true}) | semmle.label | seriali ...  true}) |
+| tst2.js:99:36:99:52 | {someProperty: p} [someProperty] | semmle.label | {someProperty: p} [someProperty] |
+| tst2.js:99:51:99:51 | p | semmle.label | p |
+| tst2.js:101:12:101:17 | unsafe | semmle.label | unsafe |
+| tst2.js:105:7:105:24 | p | semmle.label | p |
+| tst2.js:105:9:105:9 | p | semmle.label | p |
+| tst2.js:110:7:110:29 | obj [someProperty] | semmle.label | obj [someProperty] |
+| tst2.js:110:13:110:29 | {someProperty: p} [someProperty] | semmle.label | {someProperty: p} [someProperty] |
+| tst2.js:110:28:110:28 | p | semmle.label | p |
+| tst2.js:111:7:111:55 | unsafe | semmle.label | unsafe |
+| tst2.js:111:16:111:55 | seriali ...  true}) | semmle.label | seriali ...  true}) |
+| tst2.js:111:36:111:38 | obj [someProperty] | semmle.label | obj [someProperty] |
+| tst2.js:113:12:113:17 | unsafe | semmle.label | unsafe |
 | tst3.js:5:7:5:24 | p | semmle.label | p |
 | tst3.js:5:9:5:9 | p | semmle.label | p |
 | tst3.js:6:12:6:12 | p | semmle.label | p |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -68,5 +68,7 @@
 | tst2.js:76:12:76:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:69:9:69:9 | p | user-provided value |
 | tst2.js:88:12:88:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:82:9:82:9 | p | user-provided value |
 | tst2.js:89:12:89:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:82:9:82:9 | p | user-provided value |
+| tst2.js:101:12:101:17 | unsafe | Cross-site scripting vulnerability due to $@. | tst2.js:93:9:93:9 | p | user-provided value |
+| tst2.js:113:12:113:17 | unsafe | Cross-site scripting vulnerability due to $@. | tst2.js:105:9:105:9 | p | user-provided value |
 | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
 | tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to $@. | tst3.js:11:32:11:39 | reg.body | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
@@ -87,4 +87,28 @@ app.get('/baz', function(req, res) {

  res.send(p); // $ Alert
  res.send(other.p); // $ Alert
-});
+});
+
+app.get('/baz', function(req, res) {
+  let { p } = req.params; // $ Source
+
+  var serialized = serializeJavaScript(p);
+
+  res.send(serialized);
+  
+  var unsafe = serializeJavaScript({someProperty: p}, {unsafe: true});
+
+  res.send(unsafe); // $ Alert
+});
+
+app.get('/baz', function(req, res) {
+  let { p } = req.params; // $ Source
+
+  var serialized = serializeJavaScript(p);
+
+  res.send(serialized);
+  let obj = {someProperty: p};
+  var unsafe = serializeJavaScript(obj, {unsafe: true});
+
+  res.send(unsafe); // $ Alert
+});