add tests for dominating writes

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

@@ -429,6 +429,30 @@ nodes
 | tst.js:377:16:377:39 | documen ... .search |
 | tst.js:380:18:380:23 | target |
 | tst.js:380:18:380:23 | target |
+| tst.js:387:7:387:39 | target |
+| tst.js:387:16:387:32 | document.location |
+| tst.js:387:16:387:32 | document.location |
+| tst.js:387:16:387:39 | documen ... .search |
+| tst.js:390:18:390:23 | target |
+| tst.js:390:18:390:23 | target |
+| tst.js:392:18:392:23 | target |
+| tst.js:392:18:392:29 | target.taint |
+| tst.js:392:18:392:29 | target.taint |
+| tst.js:397:19:397:35 | document.location |
+| tst.js:397:19:397:35 | document.location |
+| tst.js:397:19:397:42 | documen ... .search |
+| tst.js:398:18:398:30 | target.taint3 |
+| tst.js:398:18:398:30 | target.taint3 |
+| tst.js:403:18:403:23 | target |
+| tst.js:403:18:403:30 | target.taint5 |
+| tst.js:403:18:403:30 | target.taint5 |
+| tst.js:412:18:412:23 | target |
+| tst.js:412:18:412:30 | target.taint7 |
+| tst.js:412:18:412:30 | target.taint7 |
+| tst.js:414:19:414:24 | target |
+| tst.js:414:19:414:31 | target.taint8 |
+| tst.js:415:18:415:30 | target.taint8 |
+| tst.js:415:18:415:30 | target.taint8 |
 | typeahead.js:20:13:20:45 | target |
 | typeahead.js:20:22:20:38 | document.location |
 | typeahead.js:20:22:20:38 | document.location |
@@ -835,6 +859,29 @@ edges
 | tst.js:377:16:377:32 | document.location | tst.js:377:16:377:39 | documen ... .search |
 | tst.js:377:16:377:32 | document.location | tst.js:377:16:377:39 | documen ... .search |
 | tst.js:377:16:377:39 | documen ... .search | tst.js:377:7:377:39 | target |
+| tst.js:387:7:387:39 | target | tst.js:390:18:390:23 | target |
+| tst.js:387:7:387:39 | target | tst.js:390:18:390:23 | target |
+| tst.js:387:7:387:39 | target | tst.js:392:18:392:23 | target |
+| tst.js:387:7:387:39 | target | tst.js:403:18:403:23 | target |
+| tst.js:387:7:387:39 | target | tst.js:412:18:412:23 | target |
+| tst.js:387:7:387:39 | target | tst.js:414:19:414:24 | target |
+| tst.js:387:16:387:32 | document.location | tst.js:387:16:387:39 | documen ... .search |
+| tst.js:387:16:387:32 | document.location | tst.js:387:16:387:39 | documen ... .search |
+| tst.js:387:16:387:39 | documen ... .search | tst.js:387:7:387:39 | target |
+| tst.js:392:18:392:23 | target | tst.js:392:18:392:29 | target.taint |
+| tst.js:392:18:392:23 | target | tst.js:392:18:392:29 | target.taint |
+| tst.js:397:19:397:35 | document.location | tst.js:397:19:397:42 | documen ... .search |
+| tst.js:397:19:397:35 | document.location | tst.js:397:19:397:42 | documen ... .search |
+| tst.js:397:19:397:42 | documen ... .search | tst.js:398:18:398:30 | target.taint3 |
+| tst.js:397:19:397:42 | documen ... .search | tst.js:398:18:398:30 | target.taint3 |
+| tst.js:403:18:403:23 | target | tst.js:403:18:403:30 | target.taint5 |
+| tst.js:403:18:403:23 | target | tst.js:403:18:403:30 | target.taint5 |
+| tst.js:412:18:412:23 | target | tst.js:412:18:412:30 | target.taint7 |
+| tst.js:412:18:412:23 | target | tst.js:412:18:412:30 | target.taint7 |
+| tst.js:414:19:414:24 | target | tst.js:414:19:414:31 | target.taint8 |
+| tst.js:414:19:414:31 | target.taint8 | tst.js:414:19:414:31 | target.taint8 |
+| tst.js:414:19:414:31 | target.taint8 | tst.js:415:18:415:30 | target.taint8 |
+| tst.js:414:19:414:31 | target.taint8 | tst.js:415:18:415:30 | target.taint8 |
 | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
 | typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
 | typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
@@ -956,6 +1003,12 @@ edges
 | tst.js:366:21:366:26 | target | tst.js:361:19:361:35 | document.location | tst.js:366:21:366:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:361:19:361:35 | document.location | user-provided value |
 | tst.js:369:18:369:23 | target | tst.js:361:19:361:35 | document.location | tst.js:369:18:369:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:361:19:361:35 | document.location | user-provided value |
 | tst.js:380:18:380:23 | target | tst.js:377:16:377:32 | document.location | tst.js:380:18:380:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:377:16:377:32 | document.location | user-provided value |
+| tst.js:390:18:390:23 | target | tst.js:387:16:387:32 | document.location | tst.js:390:18:390:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:387:16:387:32 | document.location | user-provided value |
+| tst.js:392:18:392:29 | target.taint | tst.js:387:16:387:32 | document.location | tst.js:392:18:392:29 | target.taint | Cross-site scripting vulnerability due to $@. | tst.js:387:16:387:32 | document.location | user-provided value |
+| tst.js:398:18:398:30 | target.taint3 | tst.js:397:19:397:35 | document.location | tst.js:398:18:398:30 | target.taint3 | Cross-site scripting vulnerability due to $@. | tst.js:397:19:397:35 | document.location | user-provided value |
+| tst.js:403:18:403:30 | target.taint5 | tst.js:387:16:387:32 | document.location | tst.js:403:18:403:30 | target.taint5 | Cross-site scripting vulnerability due to $@. | tst.js:387:16:387:32 | document.location | user-provided value |
+| tst.js:412:18:412:30 | target.taint7 | tst.js:387:16:387:32 | document.location | tst.js:412:18:412:30 | target.taint7 | Cross-site scripting vulnerability due to $@. | tst.js:387:16:387:32 | document.location | user-provided value |
+| tst.js:415:18:415:30 | target.taint8 | tst.js:387:16:387:32 | document.location | tst.js:415:18:415:30 | target.taint8 | Cross-site scripting vulnerability due to $@. | tst.js:387:16:387:32 | document.location | user-provided value |
 | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected

@@ -429,6 +429,23 @@ nodes
 | tst.js:377:16:377:39 | documen ... .search |
 | tst.js:380:18:380:23 | target |
 | tst.js:380:18:380:23 | target |
+| tst.js:387:7:387:39 | target |
+| tst.js:387:16:387:32 | document.location |
+| tst.js:387:16:387:32 | document.location |
+| tst.js:387:16:387:39 | documen ... .search |
+| tst.js:390:18:390:23 | target |
+| tst.js:390:18:390:23 | target |
+| tst.js:392:18:392:23 | target |
+| tst.js:392:18:392:29 | target.taint |
+| tst.js:392:18:392:29 | target.taint |
+| tst.js:397:19:397:35 | document.location |
+| tst.js:397:19:397:35 | document.location |
+| tst.js:397:19:397:42 | documen ... .search |
+| tst.js:398:18:398:30 | target.taint3 |
+| tst.js:398:18:398:30 | target.taint3 |
+| tst.js:403:18:403:23 | target |
+| tst.js:403:18:403:30 | target.taint5 |
+| tst.js:403:18:403:30 | target.taint5 |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:9:28:9:30 | loc |
 | typeahead.js:10:16:10:18 | loc |
@@ -839,6 +856,21 @@ edges
 | tst.js:377:16:377:32 | document.location | tst.js:377:16:377:39 | documen ... .search |
 | tst.js:377:16:377:32 | document.location | tst.js:377:16:377:39 | documen ... .search |
 | tst.js:377:16:377:39 | documen ... .search | tst.js:377:7:377:39 | target |
+| tst.js:387:7:387:39 | target | tst.js:390:18:390:23 | target |
+| tst.js:387:7:387:39 | target | tst.js:390:18:390:23 | target |
+| tst.js:387:7:387:39 | target | tst.js:392:18:392:23 | target |
+| tst.js:387:7:387:39 | target | tst.js:403:18:403:23 | target |
+| tst.js:387:16:387:32 | document.location | tst.js:387:16:387:39 | documen ... .search |
+| tst.js:387:16:387:32 | document.location | tst.js:387:16:387:39 | documen ... .search |
+| tst.js:387:16:387:39 | documen ... .search | tst.js:387:7:387:39 | target |
+| tst.js:392:18:392:23 | target | tst.js:392:18:392:29 | target.taint |
+| tst.js:392:18:392:23 | target | tst.js:392:18:392:29 | target.taint |
+| tst.js:397:19:397:35 | document.location | tst.js:397:19:397:42 | documen ... .search |
+| tst.js:397:19:397:35 | document.location | tst.js:397:19:397:42 | documen ... .search |
+| tst.js:397:19:397:42 | documen ... .search | tst.js:398:18:398:30 | target.taint3 |
+| tst.js:397:19:397:42 | documen ... .search | tst.js:398:18:398:30 | target.taint3 |
+| tst.js:403:18:403:23 | target | tst.js:403:18:403:30 | target.taint5 |
+| tst.js:403:18:403:23 | target | tst.js:403:18:403:30 | target.taint5 |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |
 | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc |

javascript/ql/test/query-tests/Security/CWE-079/tst.js

@@ -381,4 +381,40 @@ function test() {
 
   // OK
   $('myid').html(document.location.href.split("?")[0]);
-}
+}
+
+function test() {
+  var target = document.location.search
+
+  
+  $('myId').html(target); // NOT OK
+
+  $('myId').html(target.taint); // NOT OK
+
+  target.taint2 = 2;
+  $('myId').html(target.taint2); // OK
+
+  target.taint3 = document.location.search;
+  $('myId').html(target.taint3); // NOT OK
+
+  target.sub.taint4 = 2
+  $('myId').html(target.sub.taint4); // OK
+
+  $('myId').html(target.taint5); // NOT OK
+  target.taint5 = "safe";
+
+  target.taint6 = 2;
+  if (random()) {return;}
+  $('myId').html(target.taint6); // OK
+
+  
+  if (random()) {target.taint7 = "safe";}
+  $('myId').html(target.taint7); // NOT OK
+
+  target.taint8 = target.taint8;
+  $('myId').html(target.taint8); // NOT OK
+
+  target.taint9 = (target.taint9 = "safe");
+  $('myId').html(target.taint9); // OK
+}
+