Merge branch 'js-team-sprint' into https-fix

javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection.expected

@@ -79,6 +79,47 @@ nodes
 | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() |
 | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() |
 | command-line-parameter-command-injection.js:43:22:43:62 | require ... e().foo |
+| command-line-parameter-command-injection.js:47:8:53:12 | args |
+| command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} |
+| command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} |
+| command-line-parameter-command-injection.js:48:9:50:3 | {\\n\\t\\t\\t...args\\n\\t\\t} |
+| command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args |
+| command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args |
+| command-line-parameter-command-injection.js:55:22:55:25 | args |
+| command-line-parameter-command-injection.js:57:6:57:37 | tainted1 |
+| command-line-parameter-command-injection.js:57:17:57:37 | require ... ').argv |
+| command-line-parameter-command-injection.js:57:17:57:37 | require ... ').argv |
+| command-line-parameter-command-injection.js:58:6:58:40 | tainted2 |
+| command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() |
+| command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() |
+| command-line-parameter-command-injection.js:60:8:63:2 | taint1rest |
+| command-line-parameter-command-injection.js:60:8:63:2 | taint2rest |
+| command-line-parameter-command-injection.js:60:9:60:31 | taint1: ... t1rest} |
+| command-line-parameter-command-injection.js:60:17:60:31 | {...taint1rest} |
+| command-line-parameter-command-injection.js:60:33:60:55 | taint2: ... t2rest} |
+| command-line-parameter-command-injection.js:60:41:60:55 | {...taint2rest} |
+| command-line-parameter-command-injection.js:61:11:61:18 | tainted1 |
+| command-line-parameter-command-injection.js:62:11:62:18 | tainted2 |
+| command-line-parameter-command-injection.js:65:10:65:31 | "cmd.sh ... nt1rest |
+| command-line-parameter-command-injection.js:65:10:65:31 | "cmd.sh ... nt1rest |
+| command-line-parameter-command-injection.js:65:22:65:31 | taint1rest |
+| command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest |
+| command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest |
+| command-line-parameter-command-injection.js:66:22:66:31 | taint2rest |
+| command-line-parameter-command-injection.js:68:6:68:16 | {...taint3} |
+| command-line-parameter-command-injection.js:68:6:68:40 | taint3 |
+| command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv |
+| command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv |
+| command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 |
+| command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 |
+| command-line-parameter-command-injection.js:69:22:69:27 | taint3 |
+| command-line-parameter-command-injection.js:71:6:71:16 | [...taint4] |
+| command-line-parameter-command-injection.js:71:6:71:40 | taint4 |
+| command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv |
+| command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv |
+| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
+| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
+| command-line-parameter-command-injection.js:72:22:72:27 | taint4 |
 edges
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv |
 | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:22:8:36 | process.argv[2] |
@@ -149,6 +190,42 @@ edges
 | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() | command-line-parameter-command-injection.js:43:22:43:62 | require ... e().foo |
 | command-line-parameter-command-injection.js:43:22:43:62 | require ... e().foo | command-line-parameter-command-injection.js:43:10:43:62 | "cmd.sh ... e().foo |
 | command-line-parameter-command-injection.js:43:22:43:62 | require ... e().foo | command-line-parameter-command-injection.js:43:10:43:62 | "cmd.sh ... e().foo |
+| command-line-parameter-command-injection.js:47:8:53:12 | args | command-line-parameter-command-injection.js:55:22:55:25 | args |
+| command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line-parameter-command-injection.js:48:9:50:3 | {\\n\\t\\t\\t...args\\n\\t\\t} |
+| command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line-parameter-command-injection.js:48:9:50:3 | {\\n\\t\\t\\t...args\\n\\t\\t} |
+| command-line-parameter-command-injection.js:48:9:50:3 | {\\n\\t\\t\\t...args\\n\\t\\t} | command-line-parameter-command-injection.js:47:8:53:12 | args |
+| command-line-parameter-command-injection.js:55:22:55:25 | args | command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args |
+| command-line-parameter-command-injection.js:55:22:55:25 | args | command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args |
+| command-line-parameter-command-injection.js:57:6:57:37 | tainted1 | command-line-parameter-command-injection.js:61:11:61:18 | tainted1 |
+| command-line-parameter-command-injection.js:57:17:57:37 | require ... ').argv | command-line-parameter-command-injection.js:57:6:57:37 | tainted1 |
+| command-line-parameter-command-injection.js:57:17:57:37 | require ... ').argv | command-line-parameter-command-injection.js:57:6:57:37 | tainted1 |
+| command-line-parameter-command-injection.js:58:6:58:40 | tainted2 | command-line-parameter-command-injection.js:62:11:62:18 | tainted2 |
+| command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line-parameter-command-injection.js:58:6:58:40 | tainted2 |
+| command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line-parameter-command-injection.js:58:6:58:40 | tainted2 |
+| command-line-parameter-command-injection.js:60:8:63:2 | taint1rest | command-line-parameter-command-injection.js:65:22:65:31 | taint1rest |
+| command-line-parameter-command-injection.js:60:8:63:2 | taint2rest | command-line-parameter-command-injection.js:66:22:66:31 | taint2rest |
+| command-line-parameter-command-injection.js:60:9:60:31 | taint1: ... t1rest} | command-line-parameter-command-injection.js:60:17:60:31 | {...taint1rest} |
+| command-line-parameter-command-injection.js:60:17:60:31 | {...taint1rest} | command-line-parameter-command-injection.js:60:8:63:2 | taint1rest |
+| command-line-parameter-command-injection.js:60:33:60:55 | taint2: ... t2rest} | command-line-parameter-command-injection.js:60:41:60:55 | {...taint2rest} |
+| command-line-parameter-command-injection.js:60:41:60:55 | {...taint2rest} | command-line-parameter-command-injection.js:60:8:63:2 | taint2rest |
+| command-line-parameter-command-injection.js:61:11:61:18 | tainted1 | command-line-parameter-command-injection.js:60:9:60:31 | taint1: ... t1rest} |
+| command-line-parameter-command-injection.js:62:11:62:18 | tainted2 | command-line-parameter-command-injection.js:60:33:60:55 | taint2: ... t2rest} |
+| command-line-parameter-command-injection.js:65:22:65:31 | taint1rest | command-line-parameter-command-injection.js:65:10:65:31 | "cmd.sh ... nt1rest |
+| command-line-parameter-command-injection.js:65:22:65:31 | taint1rest | command-line-parameter-command-injection.js:65:10:65:31 | "cmd.sh ... nt1rest |
+| command-line-parameter-command-injection.js:66:22:66:31 | taint2rest | command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest |
+| command-line-parameter-command-injection.js:66:22:66:31 | taint2rest | command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest |
+| command-line-parameter-command-injection.js:68:6:68:16 | {...taint3} | command-line-parameter-command-injection.js:68:6:68:40 | taint3 |
+| command-line-parameter-command-injection.js:68:6:68:40 | taint3 | command-line-parameter-command-injection.js:69:22:69:27 | taint3 |
+| command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line-parameter-command-injection.js:68:6:68:16 | {...taint3} |
+| command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line-parameter-command-injection.js:68:6:68:16 | {...taint3} |
+| command-line-parameter-command-injection.js:69:22:69:27 | taint3 | command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 |
+| command-line-parameter-command-injection.js:69:22:69:27 | taint3 | command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 |
+| command-line-parameter-command-injection.js:71:6:71:16 | [...taint4] | command-line-parameter-command-injection.js:71:6:71:40 | taint4 |
+| command-line-parameter-command-injection.js:71:6:71:40 | taint4 | command-line-parameter-command-injection.js:72:22:72:27 | taint4 |
+| command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:71:6:71:16 | [...taint4] |
+| command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:71:6:71:16 | [...taint4] |
+| command-line-parameter-command-injection.js:72:22:72:27 | taint4 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
+| command-line-parameter-command-injection.js:72:22:72:27 | taint4 | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 |
 #select
 | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:4:10:4:21 | process.argv | command-line argument |
 | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line-parameter-command-injection.js:8:10:8:36 | "cmd.sh ... argv[2] | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:8:22:8:33 | process.argv | command-line argument |
@@ -166,3 +243,8 @@ edges
 | command-line-parameter-command-injection.js:33:9:33:48 | "cmd.sh ... rgv.foo | command-line-parameter-command-injection.js:33:21:33:44 | require ... ").argv | command-line-parameter-command-injection.js:33:9:33:48 | "cmd.sh ... rgv.foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:33:21:33:44 | require ... ").argv | command-line argument |
 | command-line-parameter-command-injection.js:41:10:41:25 | "cmd.sh " + args | command-line-parameter-command-injection.js:36:13:39:7 | require ... \\t\\t.argv | command-line-parameter-command-injection.js:41:10:41:25 | "cmd.sh " + args | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:36:13:39:7 | require ... \\t\\t.argv | command-line argument |
 | command-line-parameter-command-injection.js:43:10:43:62 | "cmd.sh ... e().foo | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() | command-line-parameter-command-injection.js:43:10:43:62 | "cmd.sh ... e().foo | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:43:22:43:58 | require ... parse() | command-line argument |
+| command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args | command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line-parameter-command-injection.js:55:10:55:25 | "cmd.sh " + args | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:48:3:50:3 | argv: { ... rgs\\n\\t\\t} | command-line argument |
+| command-line-parameter-command-injection.js:65:10:65:31 | "cmd.sh ... nt1rest | command-line-parameter-command-injection.js:57:17:57:37 | require ... ').argv | command-line-parameter-command-injection.js:65:10:65:31 | "cmd.sh ... nt1rest | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:57:17:57:37 | require ... ').argv | command-line argument |
+| command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line-parameter-command-injection.js:66:10:66:31 | "cmd.sh ... nt2rest | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:58:17:58:40 | require ... parse() | command-line argument |
+| command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line-parameter-command-injection.js:69:10:69:27 | "cmd.sh " + taint3 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:68:20:68:40 | require ... ').argv | command-line argument |
+| command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line-parameter-command-injection.js:72:10:72:27 | "cmd.sh " + taint4 | This command depends on an unsanitized $@. | command-line-parameter-command-injection.js:71:20:71:40 | require ... ').argv | command-line argument |

javascript/ql/test/query-tests/Security/CWE-078/command-line-parameter-command-injection.js

@@ -52,6 +52,23 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK
 		.usage('Usage: foo bar')
 		.command();
 
-	cp.exec("cmd.sh " + args); // NOT OK - but not flagged yet. 
+	cp.exec("cmd.sh " + args); // NOT OK
+
+	var tainted1 = require('yargs').argv;
+	var tainted2 = require('yargs').parse()
+	
+	const {taint1: {...taint1rest},taint2: {...taint2rest}} = {
+		taint1: tainted1,
+		taint2: tainted2
+	}
+
+	cp.exec("cmd.sh " + taint1rest); // NOT OK - has flow from tainted1
+	cp.exec("cmd.sh " + taint2rest); // NOT OK - has flow from tianted2
+	
+	var {...taint3} = require('yargs').argv;
+	cp.exec("cmd.sh " + taint3); // NOT OK
+
+	var [...taint4] = require('yargs').argv;
+	cp.exec("cmd.sh " + taint4); // NOT OK
 });
 

javascript/ql/test/query-tests/Security/CWE-079/externs.js

@@ -25,6 +25,24 @@
 function EventTarget() {}
 
 /**
- * @type {!EventTarget}
+ * Stub for the DOM hierarchy.
+ *
+ * @constructor
+ * @extends {EventTarget}
+ */
+function DomObjectStub() {}
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.body;
+
+/**
+ * @type {!DomObjectStub}
+ */
+DomObjectStub.prototype.value;
+
+/**
+ * @type {!DomObjectStub}
  */
 var document;

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected

@@ -64,6 +64,21 @@ nodes
 | angularjs.js:53:32:53:39 | location |
 | angularjs.js:53:32:53:46 | location.search |
 | angularjs.js:53:32:53:46 | location.search |
+| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
+| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
+| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
+| bad-code-sanitization.js:56:7:56:47 | taint |
+| bad-code-sanitization.js:56:15:56:36 | [req.bo ...  "foo"] |
+| bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") |
+| bad-code-sanitization.js:56:16:56:23 | req.body |
+| bad-code-sanitization.js:56:16:56:23 | req.body |
+| bad-code-sanitization.js:56:16:56:28 | req.body.name |
+| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
+| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
+| bad-code-sanitization.js:58:44:58:48 | taint |
 | express.js:7:24:7:69 | "return ...  + "];" |
 | express.js:7:24:7:69 | "return ...  + "];" |
 | express.js:7:44:7:62 | req.param("wobble") |
@@ -193,6 +208,19 @@ edges
 | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
 | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
 | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
+| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:56:7:56:47 | taint | bad-code-sanitization.js:58:44:58:48 | taint |
+| bad-code-sanitization.js:56:15:56:36 | [req.bo ...  "foo"] | bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") |
+| bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") | bad-code-sanitization.js:56:7:56:47 | taint |
+| bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:56:16:56:28 | req.body.name |
+| bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:56:16:56:28 | req.body.name |
+| bad-code-sanitization.js:56:16:56:28 | req.body.name | bad-code-sanitization.js:56:15:56:36 | [req.bo ...  "foo"] |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
+| bad-code-sanitization.js:58:44:58:48 | taint | bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
 | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ...  + "];" |
 | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ...  + "];" |
 | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ...  + "];" |
@@ -261,6 +289,8 @@ edges
 | angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:23 | location | User-provided value |
 | angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:29 | location | User-provided value |
 | angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:39 | location | User-provided value |
+| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` | bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` | $@ flows to here and is interpreted as code. | bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | User-provided value |
+| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` | bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` | $@ flows to here and is interpreted as code. | bad-code-sanitization.js:56:16:56:23 | req.body | User-provided value |
 | express.js:7:24:7:69 | "return ...  + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:7:44:7:62 | req.param("wobble") | User-provided value |
 | express.js:9:34:9:79 | "return ...  + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:9:54:9:72 | req.param("wobble") | User-provided value |
 | express.js:12:8:12:53 | "return ...  + "];" | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:12:28:12:46 | req.param("wobble") | User-provided value |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected

@@ -64,6 +64,21 @@ nodes
 | angularjs.js:53:32:53:39 | location |
 | angularjs.js:53:32:53:46 | location.search |
 | angularjs.js:53:32:53:46 | location.search |
+| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
+| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
+| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
+| bad-code-sanitization.js:56:7:56:47 | taint |
+| bad-code-sanitization.js:56:15:56:36 | [req.bo ...  "foo"] |
+| bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") |
+| bad-code-sanitization.js:56:16:56:23 | req.body |
+| bad-code-sanitization.js:56:16:56:23 | req.body |
+| bad-code-sanitization.js:56:16:56:28 | req.body.name |
+| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
+| bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
+| bad-code-sanitization.js:58:44:58:48 | taint |
 | eslint-escope-build.js:20:22:20:22 | c |
 | eslint-escope-build.js:20:22:20:22 | c |
 | eslint-escope-build.js:21:16:21:16 | c |
@@ -197,6 +212,19 @@ edges
 | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
 | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
 | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
+| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:56:7:56:47 | taint | bad-code-sanitization.js:58:44:58:48 | taint |
+| bad-code-sanitization.js:56:15:56:36 | [req.bo ...  "foo"] | bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") |
+| bad-code-sanitization.js:56:15:56:47 | [req.bo ... n("\\n") | bad-code-sanitization.js:56:7:56:47 | taint |
+| bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:56:16:56:28 | req.body.name |
+| bad-code-sanitization.js:56:16:56:23 | req.body | bad-code-sanitization.js:56:16:56:28 | req.body.name |
+| bad-code-sanitization.js:56:16:56:28 | req.body.name | bad-code-sanitization.js:56:15:56:36 | [req.bo ...  "foo"] |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:14:58:53 | `(funct ... nt)}))` |
+| bad-code-sanitization.js:58:44:58:48 | taint | bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
 | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
 | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
 | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.expected

@@ -0,0 +1,75 @@
+nodes
+| bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
+| bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
+| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) |
+| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) |
+| bad-code-sanitization.js:6:11:6:25 | statements |
+| bad-code-sanitization.js:6:24:6:25 | [] |
+| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` |
+| bad-code-sanitization.js:7:31:7:43 | safeProp(key) |
+| bad-code-sanitization.js:8:27:8:36 | statements |
+| bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
+| bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
+| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
+| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
+| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
+| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
+| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
+| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
+| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
+| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
+| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
+| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
+| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
+| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
+| bad-code-sanitization.js:63:11:63:55 | assignment |
+| bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
+| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) |
+| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) |
+| bad-code-sanitization.js:64:27:64:36 | assignment |
+| bad-code-sanitization.js:64:27:64:36 | assignment |
+edges
+| bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` | bad-code-sanitization.js:7:31:7:43 | safeProp(key) |
+| bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
+| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
+| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
+| bad-code-sanitization.js:6:11:6:25 | statements | bad-code-sanitization.js:8:27:8:36 | statements |
+| bad-code-sanitization.js:6:24:6:25 | [] | bad-code-sanitization.js:6:11:6:25 | statements |
+| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` | bad-code-sanitization.js:6:24:6:25 | [] |
+| bad-code-sanitization.js:7:31:7:43 | safeProp(key) | bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` |
+| bad-code-sanitization.js:8:27:8:36 | statements | bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
+| bad-code-sanitization.js:8:27:8:36 | statements | bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
+| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
+| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
+| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
+| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
+| bad-code-sanitization.js:63:11:63:55 | assignment | bad-code-sanitization.js:64:27:64:36 | assignment |
+| bad-code-sanitization.js:63:11:63:55 | assignment | bad-code-sanitization.js:64:27:64:36 | assignment |
+| bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` | bad-code-sanitization.js:63:11:63:55 | assignment |
+| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
+| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
+#select
+| bad-code-sanitization.js:8:27:8:46 | statements.join(';') | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:8:27:8:46 | statements.join(';') | $@ flows to here and is used to construct code. | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | Improperly sanitized value |
+| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | Improperly sanitized value |
+| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | Improperly sanitized value |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | Improperly sanitized value |
+| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | Improperly sanitized value |
+| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | Improperly sanitized value |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | Improperly sanitized value |
+| bad-code-sanitization.js:64:27:64:36 | assignment | bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:64:27:64:36 | assignment | $@ flows to here and is used to construct code. | bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | Improperly sanitized value |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.qlref

@@ -0,0 +1 @@
+Security/CWE-094/ImproperCodeSanitization.ql

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js

@@ -0,0 +1,92 @@
+function safeProp(key) {
+    return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? `.${key}` : `[${JSON.stringify(key)}]`;
+}
+
+function test1() {
+    const statements = [];
+    statements.push(`${name}${safeProp(key)}=${stringify(thing[key])}`);
+    return `(function(){${statements.join(';')}})` // NOT OK
+}
+
+import htmlescape from 'htmlescape'
+
+function test2(props) {
+    const pathname = props.data.pathname;
+    return `function(){return new Error('${htmlescape(pathname)}')}`; // NOT OK
+}
+
+function test3(input) {
+    return `(function(){${JSON.stringify(input)}))` // NOT OK
+}
+
+function evenSaferProp(key) {
+    return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? `.${key}` : `[${JSON.stringify(key)}]`.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, '');
+}
+
+function test4(input) {
+    return `(function(){${evenSaferProp(input)}))` // OK
+}
+
+function test4(input) {
+    var foo = `(function(){${JSON.stringify(input)}))` // NOT OK - we can type-track to a code-injection sink, the source is not remote flow.
+    setTimeout(foo);
+}
+
+function test5(input) {
+    console.log('methodName() => ' + JSON.stringify(input)); // OK
+}
+
+function test6(input) {
+    return `(() => {${JSON.stringify(input)})` // NOT OK
+}
+
+function test7(input) {
+    return `() => {${JSON.stringify(input)}` // NOT OK
+}
+
+var express = require('express');
+
+var app = express();
+
+app.get('/some/path', function(req, res) {
+  var foo = `(function(){${JSON.stringify(req.param("wobble"))}))` // NOT - the source is remote-flow, but we know of no sink.
+
+  setTimeout(`(function(){${JSON.stringify(req.param("wobble"))}))`); // OK - the source is remote-flow, and the sink is code-injection.
+
+  var taint = [req.body.name, "foo"].join("\n");
+   
+  setTimeout(`(function(){${JSON.stringify(taint)}))`); // OK - the source is remote-flow, and the sink is code-injection.
+});
+
+// Bad documentation example: 
+function createObjectWrite() {
+    const assignment = `obj[${JSON.stringify(key)}]=42`;
+    return `(function(){${assignment}})` // NOT OK
+}
+
+// Good documentation example: 
+function good() {
+    const charMap = {
+        '<': '\\u003C',
+        '>' : '\\u003E',
+        '/': '\\u002F',
+        '\\': '\\\\',
+        '\b': '\\b',
+        '\f': '\\f',
+        '\n': '\\n',
+        '\r': '\\r',
+        '\t': '\\t',
+        '\0': '\\0',
+        '\u2028': '\\u2028',
+        '\u2029': '\\u2029'
+    };
+    
+    function escapeUnsafeChars(str) {
+        return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, x => charMap[x])
+    }
+    
+    function createObjectWrite() {
+        const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;
+        return `(function(){${assignment}})` // OK
+    }
+}

javascript/ql/test/query-tests/Security/CWE-094/tmp.html

@@ -0,0 +1,9 @@
+<html>
+
+<body>
+    <script>
+        var foo ="bla</script onload=\"\">";
+    </script>
+</body>
+
+</html>

javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected

@@ -0,0 +1,33 @@
+| tst-multi-character-sanitization.js:3:13:3:57 | content ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:3:30:3:49 | <.*cript.*\\/scrip.*> | <.*cript.*\\/scrip.*> |
+| tst-multi-character-sanitization.js:4:13:4:47 | content ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:4:30:4:40 |  on\\w+=".*" |  on\\w+=".*" |
+| tst-multi-character-sanitization.js:5:13:5:49 | content ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:5:30:5:42 |  on\\w+=\\'.*\\' |  on\\w+=\\'.*\\' |
+| tst-multi-character-sanitization.js:9:13:9:47 | content ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:9:30:9:39 | <.*cript.* | <.*cript.* |
+| tst-multi-character-sanitization.js:10:13:10:49 | content ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:10:30:10:42 | .on\\w+=.*".*" | .on\\w+=.*".*" |
+| tst-multi-character-sanitization.js:11:13:11:51 | content ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:11:30:11:44 | .on\\w+=.*\\'.*\\' | .on\\w+=.*\\'.*\\' |
+| tst-multi-character-sanitization.js:19:3:19:35 | respons ... pt, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:18:18:18:24 | <script | <script |
+| tst-multi-character-sanitization.js:25:10:25:40 | text.re ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:25:24:25:27 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:38:8:38:30 | id.repl ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:38:20:38:23 | \\.\\. | \\.\\. |
+| tst-multi-character-sanitization.js:49:13:49:43 | req.url ... EL, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:48:21:48:31 | (\\/)?\\.\\.\\/ | (\\/)?\\.\\.\\/ |
+| tst-multi-character-sanitization.js:64:7:64:73 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:64:18:64:24 | <script | <script |
+| tst-multi-character-sanitization.js:66:7:66:56 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:66:18:66:49 | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? | (\\/\|\\s)on\\w+=(\\'\|")?[^"]*(\\'\|")? |
+| tst-multi-character-sanitization.js:75:7:75:37 | x.repla ... gm, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:75:18:75:21 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:77:7:77:36 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:77:18:77:29 | \\sng-[a-z-]+ | \\sng-[a-z-]+ |
+| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:81:18:81:24 | <script | <script |
+| tst-multi-character-sanitization.js:81:7:81:58 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:81:36:81:39 | only | only |
+| tst-multi-character-sanitization.js:82:7:82:50 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:82:18:82:30 | <script async | <script async |
+| tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:83:18:83:21 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:85:7:85:48 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:85:18:85:41 | \\x2E\\x2E\\x2F\\x2E\\x2E\\x2F | \\x2E\\x2E\\x2F\\x2E\\x2E\\x2F |
+| tst-multi-character-sanitization.js:87:7:87:47 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:87:18:87:24 | <script | <script |
+| tst-multi-character-sanitization.js:92:7:96:4 | x.repla ... ";\\n  }) | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:92:18:92:24 | <script | <script |
+| tst-multi-character-sanitization.js:100:7:100:28 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:100:18:100:21 | \\.\\. | \\.\\. |
+| tst-multi-character-sanitization.js:101:7:101:30 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:101:18:101:23 | \\.\\.\\/ | \\.\\.\\/ |
+| tst-multi-character-sanitization.js:102:7:102:30 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:102:18:102:23 | \\/\\.\\. | \\/\\.\\. |
+| tst-multi-character-sanitization.js:104:7:104:58 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:104:18:104:24 | <script | <script |
+| tst-multi-character-sanitization.js:106:7:106:64 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:106:18:106:56 | <(script\|del)(?=[\\s>])[\\w\\W]*?<\\/\\1\\s*> | <(script\|del)(?=[\\s>])[\\w\\W]*?<\\/\\1\\s*> |
+| tst-multi-character-sanitization.js:107:7:107:62 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:107:18:107:55 | \\<script[\\s\\S]*?\\>[\\s\\S]*?\\<\\/script\\> | \\<script[\\s\\S]*?\\>[\\s\\S]*?\\<\\/script\\> |
+| tst-multi-character-sanitization.js:108:7:108:75 | x.repla ... gm, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:108:18:108:67 | <(script\|style\|title)[^<]+<\\/(script\|style\|title)> | <(script\|style\|title)[^<]+<\\/(script\|style\|title)> |
+| tst-multi-character-sanitization.js:109:7:109:58 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:109:18:109:24 | <script | <script |
+| tst-multi-character-sanitization.js:110:7:110:50 | x.repla ... gi, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:110:18:110:24 | <script | <script |
+| tst-multi-character-sanitization.js:111:7:111:32 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:111:20:111:23 | <!-- | <!-- |
+| tst-multi-character-sanitization.js:112:7:112:50 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:112:18:112:43 | require\\('\\.\\.\\/common'\\); | require\\('\\.\\.\\/common'\\); |
+| tst-multi-character-sanitization.js:113:7:113:41 | x.repla ... /g, "") | The replaced string may still contain a substring that starts matching at $@. | tst-multi-character-sanitization.js:113:18:113:34 | \\.\\.\\/\\.\\.\\/lib\\/ | \\.\\.\\/\\.\\.\\/lib\\/ |

javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.qlref

@@ -0,0 +1 @@
+Security/CWE-116/IncompleteMultiCharacterSanitization.ql

javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js

@@ -0,0 +1,116 @@
+// CVE-2019-10756
+(function(content) {
+  content = content.replace(/<.*cript.*\/scrip.*>/gi, ""); // NOT OK
+  content = content.replace(/ on\w+=".*"/g, ""); // NOT OK
+  content = content.replace(/ on\w+=\'.*\'/g, ""); // NOT OK
+  return content;
+});
+(function(content) {
+  content = content.replace(/<.*cript.*/gi, ""); // NOT OK
+  content = content.replace(/.on\w+=.*".*"/g, ""); // NOT OK
+  content = content.replace(/.on\w+=.*\'.*\'/g, ""); // NOT OK
+
+  return content;
+});
+
+// CVE-2020-7656
+(function(responseText) {
+  var rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;
+  responseText.replace(rscript, ""); // NOT OK
+  return responseText;
+});
+
+// CVE-2019-1010091
+(function(text) {
+  text = text.replace(/<!--|--!?>/g, ""); // NOT OK
+  return text;
+});
+(function(text) {
+  while (/<!--|--!?>/g.test(text)) {
+    text = text.replace(/<!--|--!?>/g, ""); // OK
+  }
+
+  return text;
+});
+
+// CVE-2019-10767
+(function(id) {
+  id = id.replace(/\.\./g, ""); // NOT OK
+  return id;
+});
+(function(id) {
+  id = id.replace(/[\]\[*,;'"`<>\\?\/]/g, ""); // OK (or is it?)
+  return id;
+});
+
+// CVE-2019-8903
+(function(req) {
+  var REG_TRAVEL = /(\/)?\.\.\//g;
+  req.url = req.url.replace(REG_TRAVEL, ""); // NOT OK
+});
+(function(req) {
+  var beg;
+  for (var i = 0; i < req.url.length; i++) {
+    if (req.url[i] === "." && req.url[i + 1] === "/") beg = i + 1;
+    else if (req.url[i] === "?") break;
+  }
+
+  if (beg) req.url = req.url.substring(beg);
+});
+
+// New cases
+
+(function(x) {
+  x = x.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, ""); // NOT OK
+
+  x = x.replace(/(\/|\s)on\w+=(\'|")?[^"]*(\'|")?/g, ""); // NOT OK
+
+  x = x.replace(/<\/script>/g, ""); // OK
+
+  x = x.replace(/<(.)?br(.)?>/g, ""); // OK
+  x = x.replace(/<\/?b>/g, ""); // OK
+  x = x.replace(/<(ul|ol)><\/(ul|ol)>/gi, ""); // OK
+  x = x.replace(/<li><\/li>/gi, ""); // OK
+
+  x = x.replace(/<!--(.*?)-->/gm, ""); // NOT OK
+  x = x.replace(/\sng-[a-z-]+/, ""); // OK (single ng-attribute, should be flagged by some other query!)
+  x = x.replace(/\sng-[a-z-]+/g, ""); // NOT OK (ng-attributes)
+
+  x = x.replace(/(<!--\[CDATA\[|\]\]-->)/g, "\n"); // OK: not a sanitizer
+
+  x = x.replace(/<script.+desktop\-only.+<\/script>/g, ""); // OK, but still flagged [INCONSISTENCY]
+  x = x.replace(/<script async.+?<\/script>/g, ""); // OK, but still flagged [INCONSISTENCY]
+  x = x.replace(/<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi, ""); // NOT OK
+
+  x = x.replace(/\x2E\x2E\x2F\x2E\x2E\x2F/g, ""); // NOT OK (matches "../../")
+
+  x = x.replace(/<script.*>.*<\/script>/gi, ""); // NOT OK
+
+  x = x.replace(/^(\.\.\/?)+/g, ""); // OK
+
+  // NOT OK
+  x = x.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/g, function(
+    $0
+  ) {
+    return unknown ? $0 : "";
+  });
+
+  x = x.replace(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi, ""); // NOT OK [INCONSISTENCY]
+
+  x = x.replace(/\.\./g, ""); // NOT OK
+  x = x.replace(/\.\.\//g, ""); // NOT OK
+  x = x.replace(/\/\.\./g, ""); // NOT OK
+
+  x = x.replace(/<script(.*?)>([\s\S]*?)<\/script>/gi, ""); // NOT OK
+
+  x = x.replace(/<(script|del)(?=[\s>])[\w\W]*?<\/\1\s*>/gi, ""); // NOT OK
+  x = x.replace(/\<script[\s\S]*?\>[\s\S]*?\<\/script\>/g, ""); // NOT OK
+  x = x.replace(/<(script|style|title)[^<]+<\/(script|style|title)>/gm, ""); // NOT OK
+  x = x.replace(/<script[^>]*>([\s\S]*?)<\/script>/gi, ""); // NOT OK
+  x = x.replace(/<script[\s\S]*?<\/script>/gi, ""); // NOT OK
+  x = x.replace(/ ?<!-- ?/g, ""); // NOT OK
+  x = x.replace(/require\('\.\.\/common'\);/g, ""); // OK [INCONSISTENCY] permit alphanum-suffix after the dots?
+  x = x.replace(/\.\.\/\.\.\/lib\//g, ""); // OK [INCONSISTENCY] permit alphanum-suffix after the dots?
+
+  return x;
+});

javascript/ql/test/query-tests/Security/CWE-295/DisablingCertificateValidation.expected

@@ -0,0 +1,9 @@
+| tst.js:15:3:15:27 | rejectU ... : false | Disabling certificate validation is strongly discouraged. |
+| tst.js:18:1:18:40 | process ... HORIZED | Disabling certificate validation is strongly discouraged. |
+| tst.js:21:3:21:27 | rejectU ... : false | Disabling certificate validation is strongly discouraged. |
+| tst.js:25:3:25:27 | rejectU ... : false | Disabling certificate validation is strongly discouraged. |
+| tst.js:29:3:29:27 | rejectU ... : false | Disabling certificate validation is strongly discouraged. |
+| tst.js:34:3:34:27 | rejectU ... : false | Disabling certificate validation is strongly discouraged. |
+| tst.js:39:2:39:29 | rejectU ... ndirect | Disabling certificate validation is strongly discouraged. |
+| tst.js:45:2:45:28 | rejectU ... !!false | Disabling certificate validation is strongly discouraged. |
+| tst.js:48:2:48:26 | rejectU ... : !true | Disabling certificate validation is strongly discouraged. |

javascript/ql/test/query-tests/Security/CWE-295/DisablingCertificateValidation.qlref

@@ -0,0 +1 @@
+Security/CWE-295/DisablingCertificateValidation.ql

javascript/ql/test/query-tests/Security/CWE-295/tst.js

@@ -0,0 +1,70 @@
+let https = require("https"),
+  tls = require("tls");
+
+new https.Agent(); // OK
+
+new https.Agent({
+  rejectUnauthorized: true // OK
+});
+
+unknownCall({
+  rejectUnauthorized: false // OK (but probably unsafe after all)
+});
+
+new https.Agent({
+  rejectUnauthorized: false // NOT OK
+});
+
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; // NOT OK
+
+https.get({
+  rejectUnauthorized: false // NOT OK
+});
+
+new tls.TLSSocket(socket, {
+  rejectUnauthorized: false // NOT OK
+});
+
+tls.connect({
+  rejectUnauthorized: false // NOT OK
+});
+
+let socket = new tls.TLSSocket();
+socket.renegotiate({
+  rejectUnauthorized: false // NOT OK
+});
+
+let indirect = false;
+new https.Agent({
+	rejectUnauthorized: indirect // NOT OK
+});
+new https.Agent({
+	rejectUnauthorized: !false // OK
+});
+new https.Agent({
+	rejectUnauthorized: !!false // NOT OK
+});
+new https.Agent({
+	rejectUnauthorized: !true // NOT OK
+});
+new https.Agent({
+	rejectUnauthorized: !!true // OK
+});
+new https.Agent({
+	rejectUnauthorized: unknown() // OK
+});
+new https.Agent({
+	rejectUnauthorized: !getOptions().selfSignedSSL // OK
+});
+new https.Agent({
+	rejectUnauthorized: getOptions().rejectUnauthorized // OK
+});
+new https.Agent({
+	rejectUnauthorized: !!getOptions().rejectUnauthorized // OK
+});
+new https.Agent({
+	rejectUnauthorized: getOptions() == null ? true : getOptions().verifySsl // OK
+});
+new https.Agent({
+	rejectUnauthorized: typeof getOptions().rejectUnauthorized === 'boolean' ? getOptions().rejectUnauthorized : undefined // OK
+});

javascript/ql/test/query-tests/Security/CWE-327/BadRandomness.expected

@@ -0,0 +1,15 @@
+| bad-random.js:3:11:3:61 | crypto. ... s(1)[0] | Using addition on a $@ produces biased results. | bad-random.js:3:11:3:31 | crypto. ... ytes(1) | cryptographically secure random number |
+| bad-random.js:3:11:3:61 | crypto. ... s(1)[0] | Using addition on a $@ produces biased results. | bad-random.js:3:38:3:58 | crypto. ... ytes(1) | cryptographically secure random number |
+| bad-random.js:4:11:4:61 | crypto. ... s(1)[0] | Using multiplication on a $@ produces biased results. | bad-random.js:4:11:4:31 | crypto. ... ytes(1) | cryptographically secure random number |
+| bad-random.js:4:11:4:61 | crypto. ... s(1)[0] | Using multiplication on a $@ produces biased results. | bad-random.js:4:38:4:58 | crypto. ... ytes(1) | cryptographically secure random number |
+| bad-random.js:9:28:9:43 | buffer[i] / 25.6 | Using division and rounding the result on a $@ produces biased results. | bad-random.js:6:16:6:40 | crypto. ... (bytes) | cryptographically secure random number |
+| bad-random.js:11:17:11:31 | buffer[i] % 100 | Using modulo on a $@ produces biased results. | bad-random.js:6:16:6:40 | crypto. ... (bytes) | cryptographically secure random number |
+| bad-random.js:14:11:14:63 | Number( ... (0, 3)) | Using string concatenation on a $@ produces biased results. | bad-random.js:14:25:14:45 | crypto. ... ytes(3) | cryptographically secure random number |
+| bad-random.js:73:32:73:42 | byte / 25.6 | Using division and rounding the result on a $@ produces biased results. | bad-random.js:70:20:70:44 | crypto. ... (bytes) | cryptographically secure random number |
+| bad-random.js:75:21:75:30 | byte % 100 | Using modulo on a $@ produces biased results. | bad-random.js:70:20:70:44 | crypto. ... (bytes) | cryptographically secure random number |
+| bad-random.js:81:11:81:51 | secureR ... (10)[0] | Using addition on a $@ produces biased results. | bad-random.js:81:11:81:26 | secureRandom(10) | cryptographically secure random number |
+| bad-random.js:81:11:81:51 | secureR ... (10)[0] | Using addition on a $@ produces biased results. | bad-random.js:81:33:81:48 | secureRandom(10) | cryptographically secure random number |
+| bad-random.js:85:11:85:35 | goodRan ... Random2 | Using addition on a $@ produces biased results. | bad-random.js:83:23:83:38 | secureRandom(10) | cryptographically secure random number |
+| bad-random.js:85:11:85:35 | goodRan ... Random2 | Using addition on a $@ produces biased results. | bad-random.js:84:23:84:38 | secureRandom(10) | cryptographically secure random number |
+| bad-random.js:87:16:87:24 | bad + bad | Using addition on a $@ produces biased results. | bad-random.js:83:23:83:38 | secureRandom(10) | cryptographically secure random number |
+| bad-random.js:87:16:87:24 | bad + bad | Using addition on a $@ produces biased results. | bad-random.js:84:23:84:38 | secureRandom(10) | cryptographically secure random number |

javascript/ql/test/query-tests/Security/CWE-327/BadRandomness.qlref

@@ -0,0 +1 @@
+Security/CWE-327/BadRandomness.ql

javascript/ql/test/query-tests/Security/CWE-327/bad-random.js

@@ -0,0 +1,113 @@
+const crypto = require('crypto');
+
+var bad = crypto.randomBytes(1)[0] + crypto.randomBytes(1)[0]; // NOT OK
+var bad = crypto.randomBytes(1)[0] * crypto.randomBytes(1)[0]; // NOT OK
+
+const buffer = crypto.randomBytes(bytes);
+const digits = [];
+for (let i = 0; i < buffer.length; ++i) {
+    digits.push(Math.floor(buffer[i] / 25.6)); // NOT OK
+    digits.push(buffer[i] % 8); // OK - input is a random byte, so the output is a uniformly random number between 0 and 7. 
+    digits.push(buffer[i] % 100); // NOT OK
+}
+
+var bad = Number('0.' + crypto.randomBytes(3).readUIntBE(0, 3)); // NOT OK
+var good = Number(10 + crypto.randomBytes(3).readUIntBE(0, 3)); // OK
+
+const internals = {};
+exports.randomDigits = function (size) {
+    const digits = [];
+
+    let buffer = internals.random(size * 2);
+    let pos = 0;
+
+    while (digits.length < size) {
+        if (pos >= buffer.length) {
+            buffer = internals.random(size * 2);
+            pos = 0;
+        }
+
+        if (buffer[pos] < 250) {
+            digits.push(buffer[pos] % 10); // GOOD - protected by a bias-checking comparison.
+        }
+        ++pos;
+    }
+
+    return digits.join('');
+};
+
+internals.random = function (bytes) {
+    try {
+        return crypto.randomBytes(bytes);
+    }
+    catch (err) {
+        throw new Error("Failed to make bits.");
+    }
+};
+
+exports.randomDigits2 = function (size) {
+    const digits = [];
+
+    let buffer = crypto.randomBytes(size * 2);
+    let pos = 0;
+
+    while (digits.length < size) {
+        if (pos >= buffer.length) {
+            buffer = internals.random(size * 2);
+            pos = 0;
+        }
+        var num = buffer[pos];
+        if (num < 250) {
+            digits.push(num % 10); // GOOD - protected by a bias-checking comparison.
+        }
+        ++pos;
+    }
+
+    return digits.join('');
+};
+
+function setSteps() {
+    const buffer = crypto.randomBytes(bytes);
+    const digits = [];
+    for (const byte of buffer.values()) {
+        digits.push(Math.floor(byte / 25.6)); // NOT OK
+        digits.push(byte % 8); // OK - 8 is a power of 2, so the result is unbiased.
+        digits.push(byte % 100); // NOT OK
+    }
+}
+
+const secureRandom = require("secure-random");
+
+var bad = secureRandom(10)[0] + secureRandom(10)[0]; // NOT OK
+
+var goodRandom1 = 5 + secureRandom(10)[0];
+var goodRandom2 = 5 + secureRandom(10)[0];
+var bad = goodRandom1 + goodRandom2; // NOT OK
+
+var dontFlag = bad + bad; // OK - the operands have already been flagged - but flagged anyway due to us not detecting that [INCONSISTENCY].
+
+var good = secureRandom(10)[0] / 0xff; // OK - result is not rounded. 
+var good = Math.ceil(0.5 - (secureRandom(10)[0] / 25.6)); // NOT OK - division generally introduces bias - but not flagged due to not looking through nested arithmetic [INCONSISTENCY]. 
+
+var good = (crypto.randomBytes(1)[0] << 8) + crypto.randomBytes(3)[0]; // OK - bit shifts are usually used to construct larger/smaller numbers, 
+
+var good = Math.floor(max * (crypto.randomBytes(1)[0] / 0xff)); // OK - division by 0xff (255) gives a uniformly random number between 0 and 1. 
+
+var bad = Math.floor(max * (crypto.randomBytes(1)[0] / 100)); // NOT OK - division by 100 gives bias - but not flagged due to not looking through nested arithmetic [INCONSISTENCY]. 
+
+var crb = crypto.randomBytes(4);
+var cryptoRand = 0x01000000 * crb[0] + 0x00010000 * crb[1] + 0x00000100 * crb[2] + 0x00000001 * crb[3]; // OK - producing a larger number from smaller numbers.
+
+var good = (secureRandom(10)[0] + "foo") + (secureRandom(10)[0] + "bar"); // OK - string concat
+
+var eight = 8;
+var good = crypto.randomBytes(4)[0] % eight; // OK - modulo by power of 2.
+
+var twoHundredAndFiftyFive = 0xff;
+var good = Math.floor(max * (crypto.randomBytes(1)[0] / twoHundredAndFiftyFive)); // OK - division by 0xff (255) gives a uniformly random number between 0 and 1. 
+
+var a = crypto.randomBytes(10);
+var good = ((a[i] & 31) * 0x1000000000000) + (a[i + 1] * 0x10000000000) + (a[i + 2] * 0x100000000) + (a[i + 3] * 0x1000000) + (a[i + 4] << 16) + (a[i + 5] << 8) + a[i + 6]; // OK - generating a large number from smaller bytes.
+var good = (a[i] * 0x100000000) + a[i + 6]; // OK - generating a large number from smaller bytes.
+var good = (a[i + 2] * 0x10000000) + a[i + 6]; // OK - generating a large number from smaller bytes.
+var foo = 0xffffffffffff + 0xfffffffffff + 0xffffffffff + 0xfffffffff + 0xffffffff + 0xfffffff + 0xffffff

javascript/ql/test/query-tests/Security/CWE-730/ServerCrash.expected

@@ -0,0 +1,6 @@
+| server-crash.js:7:5:7:14 | throw err; | When an exception is thrown here and later exits $@, the server of $@ will crash. | server-crash.js:6:28:8:3 | (err, x ...  OK\\n  } | this asynchronous callback | server-crash.js:31:25:73:1 | (req, r ...   });\\n} | this route handler |
+| server-crash.js:11:3:11:11 | throw 42; | When an exception is thrown here and later exits $@, the server of $@ will crash. | server-crash.js:50:28:52:3 | (err, x ... ();\\n  } | this asynchronous callback | server-crash.js:31:25:73:1 | (req, r ...   });\\n} | this route handler |
+| server-crash.js:16:7:16:16 | throw err; | When an exception is thrown here and later exits $@, the server of $@ will crash. | server-crash.js:15:30:17:5 | (err, x ... K\\n    } | this asynchronous callback | server-crash.js:31:25:73:1 | (req, r ...   });\\n} | this route handler |
+| server-crash.js:28:5:28:14 | throw err; | When an exception is thrown here and later exits $@, the server of $@ will crash. | server-crash.js:27:28:29:3 | (err, x ...  OK\\n  } | this asynchronous callback | server-crash.js:31:25:73:1 | (req, r ...   });\\n} | this route handler |
+| server-crash.js:33:5:33:14 | throw err; | When an exception is thrown here and later exits $@, the server of $@ will crash. | server-crash.js:32:28:34:3 | (err, x ...  OK\\n  } | this asynchronous callback | server-crash.js:31:25:73:1 | (req, r ...   });\\n} | this route handler |
+| server-crash.js:41:5:41:48 | res.set ... header) | When an exception is thrown here and later exits $@, the server of $@ will crash. | server-crash.js:40:28:42:3 | (err, x ...  OK\\n  } | this asynchronous callback | server-crash.js:31:25:73:1 | (req, r ...   });\\n} | this route handler |

javascript/ql/test/query-tests/Security/CWE-730/ServerCrash.qlref

@@ -0,0 +1 @@
+Security/CWE-730/ServerCrash.ql

javascript/ql/test/query-tests/Security/CWE-730/server-crash.js

@@ -0,0 +1,73 @@
+const express = require("express");
+const app = express();
+const fs = require("fs");
+
+function indirection1() {
+  fs.readFile("/WHATEVER", (err, x) => {
+    throw err; // NOT OK
+  });
+}
+function indirection2() {
+  throw 42; // NOT OK
+}
+function indirection3() {
+  try {
+    fs.readFile("/WHATEVER", (err, x) => {
+      throw err; // NOT OK
+    });
+  } catch (e) {}
+}
+function indirection4() {
+  throw 42; // OK: guarded caller
+}
+function indirection5() {
+  indirection6();
+}
+function indirection6() {
+  fs.readFile("/WHATEVER", (err, x) => {
+    throw err; // NOT OK
+  });
+}
+app.get("/async-throw", (req, res) => {
+  fs.readFile("/WHATEVER", (err, x) => {
+    throw err; // NOT OK
+  });
+  fs.readFile("/WHATEVER", (err, x) => {
+    try {
+      throw err; // OK: guarded throw
+    } catch (e) {}
+  });
+  fs.readFile("/WHATEVER", (err, x) => {
+    res.setHeader("reflected", req.query.header); // NOT OK
+  });
+  fs.readFile("/WHATEVER", (err, x) => {
+    try {
+      res.setHeader("reflected", req.query.header); // OK: guarded call
+    } catch (e) {}
+  });
+
+  indirection1();
+  fs.readFile("/WHATEVER", (err, x) => {
+    indirection2();
+  });
+
+  indirection3();
+  try {
+    indirection4();
+  } catch (e) {}
+  indirection5();
+
+  fs.readFile("/WHATEVER", (err, x) => {
+    req.query.foo; // OK
+  });
+  fs.readFile("/WHATEVER", (err, x) => {
+    req.query.foo.toString(); // OK
+  });
+
+  fs.readFile("/WHATEVER", (err, x) => {
+    req.query.foo.bar; // NOT OK [INCONSISTENCY]: need to add property reads as sinks
+  });
+  fs.readFile("/WHATEVER", (err, x) => {
+    res.setHeader("reflected", unknown); // OK
+  });
+});