Merge pull request #4450 from asgerf/js/angular

Approved by erik-krogh

javascript/ql/src/javascript.qll

@@ -65,6 +65,7 @@ import semmle.javascript.YAML
 import semmle.javascript.dataflow.DataFlow
 import semmle.javascript.dataflow.TaintTracking
 import semmle.javascript.dataflow.TypeInference
+import semmle.javascript.frameworks.Angular2
 import semmle.javascript.frameworks.AngularJS
 import semmle.javascript.frameworks.AsyncPackage
 import semmle.javascript.frameworks.AWS

javascript/ql/src/semmle/javascript/frameworks/Angular2.qll

@@ -0,0 +1,221 @@
+/**
+ * Provides classes for working with Angular (also known as Angular 2.x) applications.
+ */
+
+private import javascript
+private import semmle.javascript.security.dataflow.Xss
+private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
+private import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations
+private import semmle.javascript.DynamicPropertyAccess
+
+/**
+ * Provides classes for working with Angular (also known as Angular 2.x) applications.
+ */
+module Angular2 {
+  /** Gets a reference to a `Router` object. */
+  DataFlow::SourceNode router() { result.hasUnderlyingType("@angular/router", "Router") }
+
+  /** Gets a reference to a `RouterState` object. */
+  DataFlow::SourceNode routerState() {
+    result.hasUnderlyingType("@angular/router", "RouterState")
+    or
+    result = router().getAPropertyRead("routerState")
+  }
+
+  /** Gets a reference to a `RouterStateSnapshot` object. */
+  DataFlow::SourceNode routerStateSnapshot() {
+    result.hasUnderlyingType("@angular/router", "RouterStateSnapshot")
+    or
+    result = routerState().getAPropertyRead("snapshot")
+  }
+
+  /** Gets a reference to an `ActivatedRoute` object. */
+  DataFlow::SourceNode activatedRoute() {
+    result.hasUnderlyingType("@angular/router", "ActivatedRoute")
+  }
+
+  /** Gets a reference to an `ActivatedRouteSnapshot` object. */
+  DataFlow::SourceNode activatedRouteSnapshot() {
+    result.hasUnderlyingType("@angular/router", "ActivatedRouteSnapshot")
+    or
+    result = activatedRoute().getAPropertyRead("snapshot")
+  }
+
+  /**
+   * Gets a data flow node referring to the value of the route property `name`, accessed
+   * via one of the following patterns:
+   * ```js
+   * route.snapshot.name
+   * route.snapshot.data.name
+   * route.name.subscribe(x => ...)
+   * ```
+   */
+  DataFlow::SourceNode activatedRouteProp(string name) {
+    // this.route.snapshot.foo
+    result = activatedRouteSnapshot().getAPropertyRead(name)
+    or
+    // this.route.snapshot.data.foo
+    result = activatedRouteSnapshot().getAPropertyRead("data").getAPropertyRead(name)
+    or
+    // this.route.foo.subscribe(foo => { ... })
+    result =
+      activatedRoute()
+          .getAPropertyRead(name)
+          .getAMethodCall("subscribe")
+          .getABoundCallbackParameter(0, 0)
+  }
+
+  /** Gets an array of URL segments matched by some route. */
+  private DataFlow::SourceNode urlSegmentArray() { result = activatedRouteProp("url") }
+
+  /** Gets a data flow node referring to a `UrlSegment` object matched by some route. */
+  DataFlow::SourceNode urlSegment() {
+    result = getAnEnumeratedArrayElement(urlSegmentArray())
+    or
+    result = urlSegmentArray().getAPropertyRead(any(string s | exists(s.toInt())))
+  }
+
+  /** Gets a reference to a `ParamMap` object, usually containing values from the URL. */
+  DataFlow::SourceNode paramMap() {
+    result.hasUnderlyingType("@angular/router", "ParamMap")
+    or
+    result = activatedRouteProp(["paramMap", "queryParamMap"])
+    or
+    result = urlSegment().getAPropertyRead("parameterMap")
+  }
+
+  /** Gets a reference to a `Params` object, usually containing values from the URL. */
+  DataFlow::SourceNode paramDictionaryObject() {
+    result.hasUnderlyingType("@angular/router", "Params") and
+    not result instanceof DataFlow::ObjectLiteralNode // ignore object literals found by contextual typing
+    or
+    result = activatedRouteProp(["params", "queryParams"])
+    or
+    result = paramMap().getAPropertyRead("params")
+    or
+    result = urlSegment().getAPropertyRead("parameters")
+  }
+
+  /**
+   * A value from `@angular/router` derived from the URL.
+   */
+  class AngularSource extends RemoteFlowSource {
+    AngularSource() {
+      this = paramMap().getAMethodCall(["get", "getAll"])
+      or
+      this = paramDictionaryObject()
+      or
+      this = activatedRouteProp("fragment")
+      or
+      this = urlSegment().getAPropertyRead("path")
+      or
+      // Note that Router.url and RouterStateSnapshot.url are strings, not UrlSegment[]
+      this = router().getAPropertyRead("url")
+      or
+      this = routerStateSnapshot().getAPropertyRead("url")
+    }
+
+    override string getSourceType() { result = "Angular route parameter" }
+  }
+
+  /** Gets a reference to a `DomSanitizer` object. */
+  DataFlow::SourceNode domSanitizer() {
+    result.hasUnderlyingType("@angular/platform-browser", "DomSanitizer")
+  }
+
+  /** A value that is about to be promoted to a trusted HTML or CSS value. */
+  private class AngularXssSink extends DomBasedXss::Sink {
+    AngularXssSink() {
+      this =
+        domSanitizer()
+            .getAMethodCall(["bypassSecurityTrustHtml", "bypassSecurityTrustStyle"])
+            .getArgument(0)
+    }
+  }
+
+  /** A value that is about to be promoted to a trusted script value. */
+  private class AngularCodeInjectionSink extends CodeInjection::Sink {
+    AngularCodeInjectionSink() {
+      this = domSanitizer().getAMethodCall(["bypassSecurityTrustScript"]).getArgument(0)
+    }
+  }
+
+  /**
+   * A value that is about to be promoted to a trusted URL or resource URL value.
+   */
+  private class AngularUrlSink extends ClientSideUrlRedirect::Sink {
+    // We mark this as a client URL redirect sink for precision reasons, though its description can be a bit confusing.
+    AngularUrlSink() {
+      this =
+        domSanitizer()
+            .getAMethodCall(["bypassSecurityTrustUrl", "bypassSecurityTrustResourceUrl"])
+            .getArgument(0)
+    }
+  }
+
+  private predicate taintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode call |
+      call = DataFlow::moduleMember("@angular/router", "convertToParamMap").getACall()
+      or
+      call = router().getAMemberCall(["parseUrl", "serializeUrl"])
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+
+  private class AngularTaintStep extends TaintTracking::AdditionalTaintStep {
+    AngularTaintStep() { taintStep(_, this) }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) { taintStep(pred, succ) }
+  }
+
+  /** Gets a reference to an `HttpClient` object. */
+  DataFlow::SourceNode httpClient() {
+    result.hasUnderlyingType("@angular/common/http", "HttpClient")
+  }
+
+  private class AngularClientRequest extends ClientRequest::Range, DataFlow::MethodCallNode {
+    int argumentOffset;
+
+    AngularClientRequest() {
+      this = httpClient().getAMethodCall("request") and argumentOffset = 1
+      or
+      this = httpClient().getAMethodCall() and
+      not getMethodName() = "request" and
+      argumentOffset = 0
+    }
+
+    override DataFlow::Node getUrl() { result = getArgument(argumentOffset) }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() {
+      getMethodName() = ["patch", "post", "put"] and
+      result = getArgument(argumentOffset + 1)
+      or
+      result = getOptionArgument(argumentOffset + 1, "body")
+    }
+  }
+
+  private string getInternalName(string name) {
+    exists(Identifier id |
+      result = id.getName() and
+      name = result.regexpCapture("\\u0275(DomAdapter|getDOM)", 1)
+    )
+  }
+
+  /** Gets a reference to a `DomAdapter`, which provides acess to raw DOM elements. */
+  private DataFlow::SourceNode domAdapter() {
+    // Note: these are internal properties, prefixed with the "latin small letter barred O (U+0275)" character.
+    // Despite being internal, some codebases do access them.
+    result.hasUnderlyingType("@angular/common", getInternalName("DomAdapter"))
+    or
+    result = DataFlow::moduleImport("@angular/common").getAMemberCall(getInternalName("getDOM"))
+  }
+
+  /** A reference to the DOM location obtained through `DomAdapter.getLocation()`. */
+  private class DomAdapterLocation extends DOM::LocationSource::Range {
+    DomAdapterLocation() { this = domAdapter().getAMethodCall("getLocation") }
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll

@@ -14,6 +14,11 @@ import UrlConcatenation
 module ClientSideUrlRedirect {
   import ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect
 
+  // Materialize flow labels
+  private class ConcreteDocumentUrl extends DocumentUrl {
+    ConcreteDocumentUrl() { this = this }
+  }
+
   /**
    * A taint-tracking configuration for reasoning about unvalidated URL redirections.
    */

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -6,7 +6,6 @@
 
 import javascript
 import semmle.javascript.security.dataflow.RemoteFlowSources
-private import UrlConcatenation
 
 module ClientSideUrlRedirect {
   private import Xss::DomBasedXss as DomBasedXss
@@ -30,7 +29,7 @@ module ClientSideUrlRedirect {
    * A flow label for values that represent the URL of the current document, and
    * hence are only partially user-controlled.
    */
-  class DocumentUrl extends DataFlow::FlowLabel {
+  abstract class DocumentUrl extends DataFlow::FlowLabel {
     DocumentUrl() { this = "document.url" }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownload.qll

@@ -14,6 +14,15 @@ import javascript
 module InsecureDownload {
   import InsecureDownloadCustomizations::InsecureDownload
 
+  // Materialize flow labels
+  private class ConcreteSensitiveInsecureURL extends Label::SensitiveInsecureURL {
+    ConcreteSensitiveInsecureURL() { this = this }
+  }
+
+  private class ConcreteInsecureURL extends Label::InsecureURL {
+    ConcreteInsecureURL() { this = this }
+  }
+
   /**
    * A taint tracking configuration for download of sensitive file through insecure connection.
    */

javascript/ql/src/semmle/javascript/security/dataflow/PostMessageStar.qll

@@ -12,6 +12,11 @@ import javascript
 module PostMessageStar {
   import PostMessageStarCustomizations::PostMessageStar
 
+  // Materialize flow labels
+  private class ConcretePartiallyTaintedObject extends PartiallyTaintedObject {
+    ConcretePartiallyTaintedObject() { this = this }
+  }
+
   /**
    * A taint tracking configuration for cross-window communication with unrestricted origin.
    *

javascript/ql/src/semmle/javascript/security/dataflow/PostMessageStarCustomizations.qll

@@ -26,7 +26,7 @@ module PostMessageStar {
   /**
    * A flow label representing an object with at least one tainted property.
    */
-  class PartiallyTaintedObject extends DataFlow::FlowLabel {
+  abstract class PartiallyTaintedObject extends DataFlow::FlowLabel {
     PartiallyTaintedObject() { this = "partially tainted object" }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollution.qll

@@ -15,6 +15,11 @@ import semmle.javascript.dependencies.SemVer
 module PrototypePollution {
   import PrototypePollutionCustomizations::PrototypePollution
 
+  // Materialize flow labels
+  private class ConcreteTaintedObjectWrapper extends TaintedObjectWrapper {
+    ConcreteTaintedObjectWrapper() { this = this }
+  }
+
   /**
    * A taint tracking configuration for user-controlled objects flowing into deep `extend` calls,
    * leading to prototype pollution.

javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll

@@ -24,11 +24,13 @@ module PrototypePollution {
    * }
    * ```
    */
-  module TaintedObjectWrapper {
-    private class TaintedObjectWrapper extends DataFlow::FlowLabel {
-      TaintedObjectWrapper() { this = "tainted-object-wrapper" }
-    }
+  abstract class TaintedObjectWrapper extends DataFlow::FlowLabel {
+    TaintedObjectWrapper() { this = "tainted-object-wrapper" }
+  }
 
+  /** Companion module to the `TaintedObjectWrapper` class. */
+  module TaintedObjectWrapper {
+    /** Gets the instance of the `TaintedObjectWrapper` label. */
     TaintedObjectWrapper label() { any() }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll

@@ -6,7 +6,6 @@
 
 import javascript
 import RemoteFlowSources
-private import UrlConcatenation
 
 module ServerSideUrlRedirect {
   /**

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll

@@ -12,6 +12,15 @@ import javascript
 module TaintedPath {
   import TaintedPathCustomizations::TaintedPath
 
+  // Materialize flow labels
+  private class ConcretePosixPath extends Label::PosixPath {
+    ConcretePosixPath() { this = this }
+  }
+
+  private class ConcreteSplitPath extends Label::SplitPath {
+    ConcreteSplitPath() { this = this }
+  }
+
   /**
    * A taint-tracking configuration for reasoning about tainted-path vulnerabilities.
    */

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -55,7 +55,7 @@ module TaintedPath {
      * There are currently four flow labels, representing the different combinations of
      * normalization and absoluteness.
      */
-    class PosixPath extends DataFlow::FlowLabel {
+    abstract class PosixPath extends DataFlow::FlowLabel {
       Normalization normalization;
       Relativeness relativeness;
 
@@ -113,7 +113,7 @@ module TaintedPath {
     /**
      * A flow label representing an array of path elements that may include "..".
      */
-    class SplitPath extends DataFlow::FlowLabel {
+    abstract class SplitPath extends DataFlow::FlowLabel {
       SplitPath() { this = "splitPath" }
     }
   }

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccess.qll

@@ -14,6 +14,11 @@ module UnsafeDynamicMethodAccess {
   private import DataFlow::FlowLabel
   import UnsafeDynamicMethodAccessCustomizations::UnsafeDynamicMethodAccess
 
+  // Materialize flow labels
+  private class ConcreteUnsafeFunction extends UnsafeFunction {
+    ConcreteUnsafeFunction() { this = this }
+  }
+
   /**
    * A taint-tracking configuration for reasoning about unsafe dynamic method access.
    */

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessCustomizations.qll

@@ -43,7 +43,11 @@ module UnsafeDynamicMethodAccess {
    */
   UnsafeFunction unsafeFunction() { any() }
 
-  private class UnsafeFunction extends DataFlow::FlowLabel {
+  /**
+   * Flow label describing values that may refer to an unsafe
+   * function as a result of an attacker-controlled property name.
+   */
+  abstract class UnsafeFunction extends DataFlow::FlowLabel {
     UnsafeFunction() { this = "UnsafeFunction" }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCall.qll

@@ -17,6 +17,15 @@ module UnvalidatedDynamicMethodCall {
   import UnvalidatedDynamicMethodCallCustomizations::UnvalidatedDynamicMethodCall
   private import DataFlow::FlowLabel
 
+  // Materialize flow labels
+  private class ConcreteMaybeNonFunction extends MaybeNonFunction {
+    ConcreteMaybeNonFunction() { this = this }
+  }
+
+  private class ConcreteMaybeFromProto extends MaybeFromProto {
+    ConcreteMaybeFromProto() { this = this }
+  }
+
   /**
    * A taint-tracking configuration for reasoning about unvalidated dynamic method calls.
    */

javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll

@@ -43,7 +43,7 @@ module UnvalidatedDynamicMethodCall {
    * A flow label describing values read from a user-controlled property that
    * may not be functions.
    */
-  class MaybeNonFunction extends DataFlow::FlowLabel {
+  abstract class MaybeNonFunction extends DataFlow::FlowLabel {
     MaybeNonFunction() { this = "MaybeNonFunction" }
   }
 
@@ -51,7 +51,7 @@ module UnvalidatedDynamicMethodCall {
    * A flow label describing values read from a user-controlled property that
    * may originate from a prototype object.
    */
-  class MaybeFromProto extends DataFlow::FlowLabel {
+  abstract class MaybeFromProto extends DataFlow::FlowLabel {
     MaybeFromProto() { this = "MaybeFromProto" }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/ZipSlip.qll

@@ -12,6 +12,15 @@ import javascript
 module ZipSlip {
   import ZipSlipCustomizations::ZipSlip
 
+  // Materialize flow labels
+  private class ConcretePosixPath extends TaintedPath::Label::PosixPath {
+    ConcretePosixPath() { this = this }
+  }
+
+  private class ConcreteSplitPath extends TaintedPath::Label::SplitPath {
+    ConcreteSplitPath() { this = this }
+  }
+
   /** A taint tracking configuration for unsafe archive extraction. */
   class Configuration extends DataFlow::Configuration {
     Configuration() { this = "ZipSlip" }

javascript/ql/test/library-tests/FlowLabels/DefaultFlowLabels.expected

@@ -0,0 +1,2 @@
+| data |
+| taint |

javascript/ql/test/library-tests/FlowLabels/DefaultFlowLabels.ql

@@ -0,0 +1,5 @@
+import javascript
+
+// Check which flow labels are materialized by importing `javascript.qll`.
+// If this increases, it may indicate a performance issue.
+select any(DataFlow::FlowLabel label)

javascript/ql/test/library-tests/FlowLabels/tst.js

@@ -0,0 +1,2 @@
+// The contents of this file don't matter.
+let x = 1;

javascript/ql/test/query-tests/Security/CWE-079/Consistency.ql

@@ -1,8 +0,0 @@
-import javascript
-import testUtilities.ConsistencyChecking
-import semmle.javascript.security.dataflow.DomBasedXss as DomXss
-import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
-import semmle.javascript.security.dataflow.StoredXss as StoredXss
-import semmle.javascript.security.dataflow.XssThroughDom as ThroughDomXss
-import semmle.javascript.security.dataflow.ExceptionXss as ExceptionXss
-import semmle.javascript.security.dataflow.UnsafeJQueryPlugin as UnsafeJqueryPlugin

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.DomBasedXss as DomXss

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -15,11 +15,50 @@ nodes
 | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:6:2:28 | foo |
-| exception-xss.js:2:12:2:28 | document.location |
-| exception-xss.js:2:12:2:28 | document.location |
-| exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:86:17:86:19 | foo |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() |
+| angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params |
+| angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams |
+| angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:25:44:25:71 | this.ro ... ragment |
+| angular2-client.ts:25:44:25:71 | this.ro ... ragment |
+| angular2-client.ts:25:44:25:71 | this.ro ... ragment |
+| angular2-client.ts:26:44:26:82 | this.ro ... ('foo') |
+| angular2-client.ts:26:44:26:82 | this.ro ... ('foo') |
+| angular2-client.ts:26:44:26:82 | this.ro ... ('foo') |
+| angular2-client.ts:27:44:27:87 | this.ro ... ('foo') |
+| angular2-client.ts:27:44:27:87 | this.ro ... ('foo') |
+| angular2-client.ts:27:44:27:87 | this.ro ... ('foo') |
+| angular2-client.ts:29:46:29:59 | map.get('foo') |
+| angular2-client.ts:29:46:29:59 | map.get('foo') |
+| angular2-client.ts:29:46:29:59 | map.get('foo') |
+| angular2-client.ts:32:44:32:74 | this.ro ... 1].path |
+| angular2-client.ts:32:44:32:74 | this.ro ... 1].path |
+| angular2-client.ts:32:44:32:74 | this.ro ... 1].path |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters |
+| angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:34:44:34:91 | this.ro ... et('x') |
+| angular2-client.ts:34:44:34:91 | this.ro ... et('x') |
+| angular2-client.ts:34:44:34:91 | this.ro ... et('x') |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params |
+| angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:37:44:37:58 | this.router.url |
+| angular2-client.ts:37:44:37:58 | this.router.url |
+| angular2-client.ts:37:44:37:58 | this.router.url |
+| angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
+| angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
+| angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:33 | document.location |
 | jquery.js:2:17:2:33 | document.location |
@@ -505,10 +544,34 @@ edges
 | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
-| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() | angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() | angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() | angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() | angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params | angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params | angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params | angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params | angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams | angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams | angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams | angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams | angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:25:44:25:71 | this.ro ... ragment | angular2-client.ts:25:44:25:71 | this.ro ... ragment |
+| angular2-client.ts:26:44:26:82 | this.ro ... ('foo') | angular2-client.ts:26:44:26:82 | this.ro ... ('foo') |
+| angular2-client.ts:27:44:27:87 | this.ro ... ('foo') | angular2-client.ts:27:44:27:87 | this.ro ... ('foo') |
+| angular2-client.ts:29:46:29:59 | map.get('foo') | angular2-client.ts:29:46:29:59 | map.get('foo') |
+| angular2-client.ts:32:44:32:74 | this.ro ... 1].path | angular2-client.ts:32:44:32:74 | this.ro ... 1].path |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters | angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters | angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters | angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters | angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:34:44:34:91 | this.ro ... et('x') | angular2-client.ts:34:44:34:91 | this.ro ... et('x') |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:37:44:37:58 | this.router.url | angular2-client.ts:37:44:37:58 | this.router.url |
+| angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
@@ -937,7 +1000,19 @@ edges
 | addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value |
 | addEventListener.js:6:20:6:23 | data | addEventListener.js:5:43:5:48 | {data} | addEventListener.js:6:20:6:23 | data | Cross-site scripting vulnerability due to $@. | addEventListener.js:5:43:5:48 | {data} | user-provided value |
 | addEventListener.js:12:24:12:33 | event.data | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:33 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:10:21:10:25 | event | user-provided value |
-| exception-xss.js:86:17:86:19 | foo | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:86:17:86:19 | foo | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
+| angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href | angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() | angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href | Cross-site scripting vulnerability due to $@. | angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() | user-provided value |
+| angular2-client.ts:23:44:23:73 | this.ro ... ams.foo | angular2-client.ts:23:44:23:69 | this.ro ... .params | angular2-client.ts:23:44:23:73 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:23:44:23:69 | this.ro ... .params | user-provided value |
+| angular2-client.ts:24:44:24:78 | this.ro ... ams.foo | angular2-client.ts:24:44:24:74 | this.ro ... yParams | angular2-client.ts:24:44:24:78 | this.ro ... ams.foo | Cross-site scripting vulnerability due to $@. | angular2-client.ts:24:44:24:74 | this.ro ... yParams | user-provided value |
+| angular2-client.ts:25:44:25:71 | this.ro ... ragment | angular2-client.ts:25:44:25:71 | this.ro ... ragment | angular2-client.ts:25:44:25:71 | this.ro ... ragment | Cross-site scripting vulnerability due to $@. | angular2-client.ts:25:44:25:71 | this.ro ... ragment | user-provided value |
+| angular2-client.ts:26:44:26:82 | this.ro ... ('foo') | angular2-client.ts:26:44:26:82 | this.ro ... ('foo') | angular2-client.ts:26:44:26:82 | this.ro ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:26:44:26:82 | this.ro ... ('foo') | user-provided value |
+| angular2-client.ts:27:44:27:87 | this.ro ... ('foo') | angular2-client.ts:27:44:27:87 | this.ro ... ('foo') | angular2-client.ts:27:44:27:87 | this.ro ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:27:44:27:87 | this.ro ... ('foo') | user-provided value |
+| angular2-client.ts:29:46:29:59 | map.get('foo') | angular2-client.ts:29:46:29:59 | map.get('foo') | angular2-client.ts:29:46:29:59 | map.get('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:29:46:29:59 | map.get('foo') | user-provided value |
+| angular2-client.ts:32:44:32:74 | this.ro ... 1].path | angular2-client.ts:32:44:32:74 | this.ro ... 1].path | angular2-client.ts:32:44:32:74 | this.ro ... 1].path | Cross-site scripting vulnerability due to $@. | angular2-client.ts:32:44:32:74 | this.ro ... 1].path | user-provided value |
+| angular2-client.ts:33:44:33:82 | this.ro ... eters.x | angular2-client.ts:33:44:33:80 | this.ro ... ameters | angular2-client.ts:33:44:33:82 | this.ro ... eters.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:33:44:33:80 | this.ro ... ameters | user-provided value |
+| angular2-client.ts:34:44:34:91 | this.ro ... et('x') | angular2-client.ts:34:44:34:91 | this.ro ... et('x') | angular2-client.ts:34:44:34:91 | this.ro ... et('x') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:34:44:34:91 | this.ro ... et('x') | user-provided value |
+| angular2-client.ts:35:44:35:91 | this.ro ... arams.x | angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x | Cross-site scripting vulnerability due to $@. | angular2-client.ts:35:44:35:89 | this.ro ... .params | user-provided value |
+| angular2-client.ts:37:44:37:58 | this.router.url | angular2-client.ts:37:44:37:58 | this.router.url | angular2-client.ts:37:44:37:58 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:37:44:37:58 | this.router.url | user-provided value |
+| angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | user-provided value |
 | jquery.js:4:5:4:11 | tainted | jquery.js:2:17:2:33 | document.location | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -15,11 +15,50 @@ nodes
 | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:6:2:28 | foo |
-| exception-xss.js:2:12:2:28 | document.location |
-| exception-xss.js:2:12:2:28 | document.location |
-| exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:86:17:86:19 | foo |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() |
+| angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params |
+| angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams |
+| angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:25:44:25:71 | this.ro ... ragment |
+| angular2-client.ts:25:44:25:71 | this.ro ... ragment |
+| angular2-client.ts:25:44:25:71 | this.ro ... ragment |
+| angular2-client.ts:26:44:26:82 | this.ro ... ('foo') |
+| angular2-client.ts:26:44:26:82 | this.ro ... ('foo') |
+| angular2-client.ts:26:44:26:82 | this.ro ... ('foo') |
+| angular2-client.ts:27:44:27:87 | this.ro ... ('foo') |
+| angular2-client.ts:27:44:27:87 | this.ro ... ('foo') |
+| angular2-client.ts:27:44:27:87 | this.ro ... ('foo') |
+| angular2-client.ts:29:46:29:59 | map.get('foo') |
+| angular2-client.ts:29:46:29:59 | map.get('foo') |
+| angular2-client.ts:29:46:29:59 | map.get('foo') |
+| angular2-client.ts:32:44:32:74 | this.ro ... 1].path |
+| angular2-client.ts:32:44:32:74 | this.ro ... 1].path |
+| angular2-client.ts:32:44:32:74 | this.ro ... 1].path |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters |
+| angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:34:44:34:91 | this.ro ... et('x') |
+| angular2-client.ts:34:44:34:91 | this.ro ... et('x') |
+| angular2-client.ts:34:44:34:91 | this.ro ... et('x') |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params |
+| angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:37:44:37:58 | this.router.url |
+| angular2-client.ts:37:44:37:58 | this.router.url |
+| angular2-client.ts:37:44:37:58 | this.router.url |
+| angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
+| angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
+| angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:33 | document.location |
 | jquery.js:2:17:2:33 | document.location |
@@ -509,10 +548,34 @@ edges
 | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
-| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() | angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() | angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() | angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:21:44:21:66 | \\u0275getDOM ... ation() | angular2-client.ts:21:44:21:71 | \\u0275getDOM ... ().href |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params | angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params | angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params | angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:23:44:23:69 | this.ro ... .params | angular2-client.ts:23:44:23:73 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams | angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams | angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams | angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:24:44:24:74 | this.ro ... yParams | angular2-client.ts:24:44:24:78 | this.ro ... ams.foo |
+| angular2-client.ts:25:44:25:71 | this.ro ... ragment | angular2-client.ts:25:44:25:71 | this.ro ... ragment |
+| angular2-client.ts:26:44:26:82 | this.ro ... ('foo') | angular2-client.ts:26:44:26:82 | this.ro ... ('foo') |
+| angular2-client.ts:27:44:27:87 | this.ro ... ('foo') | angular2-client.ts:27:44:27:87 | this.ro ... ('foo') |
+| angular2-client.ts:29:46:29:59 | map.get('foo') | angular2-client.ts:29:46:29:59 | map.get('foo') |
+| angular2-client.ts:32:44:32:74 | this.ro ... 1].path | angular2-client.ts:32:44:32:74 | this.ro ... 1].path |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters | angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters | angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters | angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:33:44:33:80 | this.ro ... ameters | angular2-client.ts:33:44:33:82 | this.ro ... eters.x |
+| angular2-client.ts:34:44:34:91 | this.ro ... et('x') | angular2-client.ts:34:44:34:91 | this.ro ... et('x') |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:35:44:35:89 | this.ro ... .params | angular2-client.ts:35:44:35:91 | this.ro ... arams.x |
+| angular2-client.ts:37:44:37:58 | this.router.url | angular2-client.ts:37:44:37:58 | this.router.url |
+| angular2-client.ts:41:44:41:76 | routeSn ... ('foo') | angular2-client.ts:41:44:41:76 | routeSn ... ('foo') |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts

@@ -0,0 +1,43 @@
+import { Component, OnInit } from '@angular/core';
+import { ɵgetDOM } from '@angular/common';
+import { ActivatedRoute, ActivatedRouteSnapshot, Router } from '@angular/router';
+import { DomSanitizer } from '@angular/platform-browser';
+
+@Component({
+  selector: 'app-root',
+  templateUrl: './app.component.html',
+  styleUrls: ['./app.component.css']
+})
+export class AppComponent implements OnInit {
+  title = 'my-app';
+
+  constructor(
+    private route: ActivatedRoute,
+    private sanitizer: DomSanitizer,
+    private router: Router
+  ) {}
+
+  ngOnInit() {
+    this.sanitizer.bypassSecurityTrustHtml(ɵgetDOM().getLocation().href); // NOT OK
+
+    this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.params.foo); // NOT OK
+    this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParams.foo); // NOT OK
+    this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.fragment); // NOT OK
+    this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.paramMap.get('foo')); // NOT OK
+    this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParamMap.get('foo')); // NOT OK
+    this.route.paramMap.subscribe(map => {
+      this.sanitizer.bypassSecurityTrustHtml(map.get('foo')); // NOT OK
+    });
+
+    this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].path); // NOT OK - though depends on route config
+    this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameters.x); // NOT OK
+    this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.get('x')); // NOT OK
+    this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.params.x); // NOT OK
+
+    this.sanitizer.bypassSecurityTrustHtml(this.router.url); // NOT OK
+  }
+
+  someMethod(routeSnapshot: ActivatedRouteSnapshot) {
+    this.sanitizer.bypassSecurityTrustHtml(routeSnapshot.paramMap.get('foo')); // NOT OK
+  }
+}

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.ExceptionXss as ExceptionXss

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected

@@ -86,16 +86,6 @@ nodes
 | exception-xss.js:180:26:180:30 | error |
 | exception-xss.js:182:19:182:23 | error |
 | exception-xss.js:182:19:182:23 | error |
-| tst.js:301:9:301:16 | location |
-| tst.js:301:9:301:16 | location |
-| tst.js:302:10:302:10 | e |
-| tst.js:303:20:303:20 | e |
-| tst.js:303:20:303:20 | e |
-| tst.js:308:10:308:17 | location |
-| tst.js:308:10:308:17 | location |
-| tst.js:310:10:310:10 | e |
-| tst.js:311:20:311:20 | e |
-| tst.js:311:20:311:20 | e |
 edges
 | exception-xss.js:2:6:2:28 | foo | exception-xss.js:9:11:9:13 | foo |
 | exception-xss.js:2:6:2:28 | foo | exception-xss.js:15:9:15:11 | foo |
@@ -178,14 +168,6 @@ edges
 | exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:180:26:180:30 | error |
 | exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error |
 | exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error |
-| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
-| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
-| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e |
-| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e |
-| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e |
-| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e |
-| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e |
-| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e |
 #select
 | exception-xss.js:11:18:11:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:11:18:11:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text |
 | exception-xss.js:17:18:17:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:17:18:17:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text |
@@ -203,5 +185,3 @@ edges
 | exception-xss.js:155:18:155:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:155:18:155:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:28 | document.location | Exception text |
 | exception-xss.js:175:18:175:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:175:18:175:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:28 | document.location | Exception text |
 | exception-xss.js:182:19:182:23 | error | exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:182:19:182:23 | error | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:180:10:180:22 | req.params.id | Exception text |
-| tst.js:303:20:303:20 | e | tst.js:301:9:301:16 | location | tst.js:303:20:303:20 | e | $@ is reinterpreted as HTML without escaping meta-characters. | tst.js:301:9:301:16 | location | Exception text |
-| tst.js:311:20:311:20 | e | tst.js:308:10:308:17 | location | tst.js:311:20:311:20 | e | $@ is reinterpreted as HTML without escaping meta-characters. | tst.js:308:10:308:17 | location | Exception text |

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/externs.js

@@ -0,0 +1,48 @@
+// Adapted from the Google Closure externs; original copyright header included below.
+/*
+ * Copyright 2008 The Closure Compiler Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @externs
+ */
+
+/**
+ * @interface
+ */
+function EventTarget() {}
+
+/**
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
+ */
+var document;

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected

@@ -35,9 +35,6 @@ nodes
 | etherpad.js:9:16:9:53 | req.que ... e + ")" |
 | etherpad.js:11:12:11:19 | response |
 | etherpad.js:11:12:11:19 | response |
-| exception-xss.js:190:12:190:24 | req.params.id |
-| exception-xss.js:190:12:190:24 | req.params.id |
-| exception-xss.js:190:12:190:24 | req.params.id |
 | formatting.js:4:9:4:29 | evil |
 | formatting.js:4:16:4:29 | req.query.evil |
 | formatting.js:4:16:4:29 | req.query.evil |
@@ -129,7 +126,6 @@ edges
 | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" |
 | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" |
 | etherpad.js:9:16:9:53 | req.que ... e + ")" | etherpad.js:9:5:9:53 | response |
-| exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id |
 | formatting.js:4:9:4:29 | evil | formatting.js:6:43:6:46 | evil |
 | formatting.js:4:9:4:29 | evil | formatting.js:7:49:7:52 | evil |
 | formatting.js:4:16:4:29 | req.query.evil | formatting.js:4:9:4:29 | evil |
@@ -188,7 +184,6 @@ edges
 | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
 | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value |
 | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
-| exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id | exception-xss.js:190:12:190:24 | req.params.id | Cross-site scripting vulnerability due to $@. | exception-xss.js:190:12:190:24 | req.params.id | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected

@@ -5,7 +5,6 @@
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
 | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value |
-| exception-xss.js:190:12:190:24 | req.params.id | Cross-site scripting vulnerability due to $@. | exception-xss.js:190:12:190:24 | req.params.id | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/externs.js

@@ -0,0 +1,48 @@
+// Adapted from the Google Closure externs; original copyright header included below.
+/*
+ * Copyright 2008 The Closure Compiler Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @externs
+ */
+
+/**
+ * @interface
+ */
+function EventTarget() {}
+
+/**
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
+ */
+var document;

javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.StoredXss as StoredXss

javascript/ql/test/query-tests/Security/CWE-079/StoredXss/externs.js

@@ -0,0 +1,48 @@
+// Adapted from the Google Closure externs; original copyright header included below.
+/*
+ * Copyright 2008 The Closure Compiler Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @externs
+ */
+
+/**
+ * @interface
+ */
+function EventTarget() {}
+
+/**
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
+ */
+var document;

javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.UnsafeJQueryPlugin as UnsafeJqueryPlugin

javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/externs.js

@@ -0,0 +1,48 @@
+// Adapted from the Google Closure externs; original copyright header included below.
+/*
+ * Copyright 2008 The Closure Compiler Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @externs
+ */
+
+/**
+ * @interface
+ */
+function EventTarget() {}
+
+/**
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
+ */
+var document;

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql

@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.XssThroughDom as ThroughDomXss

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/externs.js

@@ -0,0 +1,48 @@
+// Adapted from the Google Closure externs; original copyright header included below.
+/*
+ * Copyright 2008 The Closure Compiler Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @externs
+ */
+
+/**
+ * @interface
+ */
+function EventTarget() {}
+
+/**
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
+ */
+var document;