JS: Add tests for the examples used in the docs

2026-05-05 05:35:13 +02:00 · 2022-12-09 13:29:07 +01:00
parent ba1364a4cb
commit 6b15839221
9 changed files with 78 additions and 0 deletions
--- a/javascript/ql/test/library-tests/DataExtensions/Test.expected
+++ b/javascript/ql/test/library-tests/DataExtensions/Test.expected
@@ -0,0 +1,7 @@
+commandInjectionSinks
+| execa.example.js:2:7:2:9 | cmd |
+sqlInjectionSinks
+| connection.example.ts:4:20:4:20 | q |
+| connection.example.ts:9:18:9:18 | q |
+remoteFlowSources
+| message.example.js:1:46:1:50 | event |
--- a/javascript/ql/test/library-tests/DataExtensions/Test.ql
+++ b/javascript/ql/test/library-tests/DataExtensions/Test.ql
@@ -0,0 +1,11 @@
+import javascript
+private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
+private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
+
+query predicate commandInjectionSinks(DataFlow::Node node) {
+  node instanceof CommandInjection::Sink
+}
+
+query predicate sqlInjectionSinks(DataFlow::Node node) { node instanceof SqlInjection::Sink }
+
+query predicate remoteFlowSources(RemoteFlowSource node) { any() }
--- a/javascript/ql/test/library-tests/DataExtensions/connection.example.ts
+++ b/javascript/ql/test/library-tests/DataExtensions/connection.example.ts
@@ -0,0 +1,9 @@
+import { Connection } from "@example/mysql";
+
+function submit(connection: Connection, q: string) {
+  connection.query(q); // <-- add 'q' as a SQL injection sink
+}
+
+import { getConnection } from "@example/db";
+let connection = getConnection();
+connection.query(q); // <-- add 'q' as a SQL injection sink
--- a/javascript/ql/test/library-tests/DataExtensions/connection.model.yml
+++ b/javascript/ql/test/library-tests/DataExtensions/connection.model.yml
@@ -0,0 +1,20 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - [
+          "@example/mysql.Connection",
+          "Member[query].Argument[0]",
+          "sql-injection",
+        ]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - [
+          "@example/mysql.Connection",
+          "@example/db",
+          "Member[getConnection].ReturnValue",
+        ]
--- a/javascript/ql/test/library-tests/DataExtensions/execa.example.js
+++ b/javascript/ql/test/library-tests/DataExtensions/execa.example.js
@@ -0,0 +1,2 @@
+import { shell } from "@example/execa";
+shell(cmd);
--- a/javascript/ql/test/library-tests/DataExtensions/execa.model.yml
+++ b/javascript/ql/test/library-tests/DataExtensions/execa.model.yml
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - [
+          "@example/execa",
+          "Member[shell].Argument[0]",
+          "command-line-injection",
+        ]
--- a/javascript/ql/test/library-tests/DataExtensions/message.example.js
+++ b/javascript/ql/test/library-tests/DataExtensions/message.example.js
@@ -0,0 +1,7 @@
+window.addEventListener("message", function (event) {
+    let data = event.data; // <-- add 'event.data' as a taint source
+});
+
+window.addEventListener("onclick", function (event) {
+    let data = event.data; // <-- 'event.data' should not be a taint source
+});
--- a/javascript/ql/test/library-tests/DataExtensions/message.model.yml
+++ b/javascript/ql/test/library-tests/DataExtensions/message.model.yml
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sourceModel
+    data:
+      - [
+          "global",
+          "Member[addEventListener].WithStringArgument[0=message].Argument[1].Parameter[0].Member[data]",
+          "remote-flow",
+        ]
--- a/javascript/ql/test/qlpack.yml
+++ b/javascript/ql/test/qlpack.yml
@@ -5,3 +5,5 @@ dependencies:
  codeql/javascript-queries: ${workspace}
 extractor: javascript
 tests: .
+dataExtensions:
+  - library-tests/DataExtensions/*.model.yml