From 5e2b1c026a67d698d33faeadcbc88c221cc57567 Mon Sep 17 00:00:00 2001
From: Esben Sparre Andreasen <esben@semmle.com>
Date: Mon, 28 Jan 2019 15:40:30 +0100
Subject: [PATCH] JS: introduce HTML::ScriptElement::getScript()

---
 javascript/ql/src/semmle/javascript/HTML.qll  | 34 +++++++++++++++++++
 .../ScriptElement_getScript.expected          |  4 +++
 .../HtmlScript/ScriptElement_getScript.ql     |  5 +++
 .../library-tests/HTML/HtmlScript/tst.html    | 12 +++++++
 .../test/library-tests/HTML/HtmlScript/tst.js |  1 +
 5 files changed, 56 insertions(+)
 create mode 100644 javascript/ql/test/library-tests/HTML/HtmlScript/ScriptElement_getScript.expected
 create mode 100644 javascript/ql/test/library-tests/HTML/HtmlScript/ScriptElement_getScript.ql
 create mode 100644 javascript/ql/test/library-tests/HTML/HtmlScript/tst.html
 create mode 100644 javascript/ql/test/library-tests/HTML/HtmlScript/tst.js

diff --git a/javascript/ql/src/semmle/javascript/HTML.qll b/javascript/ql/src/semmle/javascript/HTML.qll
index 064bc813538..d399cde4a84 100644
--- a/javascript/ql/src/semmle/javascript/HTML.qll
+++ b/javascript/ql/src/semmle/javascript/HTML.qll
@@ -159,6 +159,40 @@ module HTML {
      * if it can be determined.
      */
     Script resolveSource() { result.getFile().getAbsolutePath() = resolveSourcePath() }
+
+    /**
+     * Gets the inline script of this script element, if any.
+     */
+    private InlineScript getInlineScript() {
+      exists(string f, Location l1, int sl1, int sc1, int el1, int ec1, Location l2, int sl2, int sc2, int el2, int ec2 |
+        l1 = getLocation() and
+        l2 = result.getLocation() and
+        l1.hasLocationInfo(f, sl1, sc1, el1, ec1) and
+        l2.hasLocationInfo(f, sl2, sc2, el2, ec2)
+        |
+        (
+          sl1 = sl2 and sc1 < sc2
+          or
+          sl1 < sl2
+        ) and
+        (
+          el1 = el2 and ec1 > ec2
+          or
+          el1 > el2
+        )
+      ) and
+      // the src attribute has precedence
+      not exists(getSourcePath())
+    }
+
+    /**
+     * Gets the script of this element, if it can be determined.
+     */
+    Script getScript() {
+      result = getInlineScript() or
+      result = resolveSource()
+    }
+
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/HTML/HtmlScript/ScriptElement_getScript.expected b/javascript/ql/test/library-tests/HTML/HtmlScript/ScriptElement_getScript.expected
new file mode 100644
index 00000000000..f0d2ecd7fc0
--- /dev/null
+++ b/javascript/ql/test/library-tests/HTML/HtmlScript/ScriptElement_getScript.expected
@@ -0,0 +1,4 @@
+| tst.html:2:3:2:32 | <script>...</> | tst.js:1:1:2:0 | <toplevel> |
+| tst.html:5:3:5:38 | <script>...</> | tst.js:1:1:2:0 | <toplevel> |
+| tst.html:8:3:8:25 | <script>...</> | tst.html:8:11:8:16 | <toplevel> |
+| tst.html:9:3:11:11 | <script>...</> | tst.html:9:11:11:2 | <toplevel> |
diff --git a/javascript/ql/test/library-tests/HTML/HtmlScript/ScriptElement_getScript.ql b/javascript/ql/test/library-tests/HTML/HtmlScript/ScriptElement_getScript.ql
new file mode 100644
index 00000000000..2e1df238261
--- /dev/null
+++ b/javascript/ql/test/library-tests/HTML/HtmlScript/ScriptElement_getScript.ql
@@ -0,0 +1,5 @@
+import javascript
+
+
+from HTML::ScriptElement e
+select e, e.getScript()
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/HTML/HtmlScript/tst.html b/javascript/ql/test/library-tests/HTML/HtmlScript/tst.html
new file mode 100644
index 00000000000..e99c5a74ba0
--- /dev/null
+++ b/javascript/ql/test/library-tests/HTML/HtmlScript/tst.html
@@ -0,0 +1,12 @@
+<html>
+  <script src="tst.js"></script>
+  <script src="does-not-exist.js"></script>
+
+  <script src="tst.js">inline</script>
+  <script src="does-not-exist.js">inline</script>
+
+  <script>inline</script>
+  <script>
+    inline
+  </script>
+</html>
diff --git a/javascript/ql/test/library-tests/HTML/HtmlScript/tst.js b/javascript/ql/test/library-tests/HTML/HtmlScript/tst.js
new file mode 100644
index 00000000000..7be70ef747c
--- /dev/null
+++ b/javascript/ql/test/library-tests/HTML/HtmlScript/tst.js
@@ -0,0 +1 @@
+not_inline