add support for try-statements with no catch block

2026-04-30 11:15:13 +02:00 · 2019-11-19 13:37:35 +01:00
parent 91674f681b
commit 9fa7393d56
4 changed files with 38 additions and 18 deletions
--- a/javascript/ql/src/semmle/javascript/Expr.qll
+++ b/javascript/ql/src/semmle/javascript/Expr.qll
@@ -251,11 +251,11 @@ class Expr extends @expr, ExprOrStmt, ExprOrType, AST::ValueNode {
   * causes an exception to be thrown.
   */
  DataFlow::Node getThrowsToNode() {
-    if exists(this.getEnclosingStmt().getEnclosingTryStmt())
+    if exists(this.getEnclosingStmt().getEnclosingTryCatchStmt())
    then
      result = DataFlow::parameterNode(this
              .getEnclosingStmt()
-              .getEnclosingTryStmt()
+              .getEnclosingTryCatchStmt()
              .getACatchClause()
              .getAParameter())
    else result = any(DataFlow::FunctionNode f | f.getFunction() = this.getContainer()).getExceptionalReturn()
--- a/javascript/ql/src/semmle/javascript/Stmt.qll
+++ b/javascript/ql/src/semmle/javascript/Stmt.qll
@@ -57,12 +57,13 @@ class Stmt extends @stmt, ExprOrStmt, Documentable {
  override predicate isAmbient() { hasDeclareKeyword(this) or getParent().isAmbient() }
  
  /**
-  * Gets the `try` statement containing this statement without crossing function
-  * boundaries or other `try ` statements.
+  * Gets the `try` statement with a catch block containing this statement without
+  * crossing function boundaries or other `try ` statements with catch blocks.
  */
-  TryStmt getEnclosingTryStmt() {
+  TryStmt getEnclosingTryCatchStmt() {
    getParentStmt+() = result.getBody() and
-    not exists(TryStmt mid |
+    exists(result.getACatchClause()) and
+    not exists(TryStmt mid | exists(mid.getACatchClause()) | 
      getParentStmt+() = mid.getBody() and mid.getParentStmt+() = result.getBody()
    )
  }
--- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected
@@ -47,12 +47,16 @@ nodes
 | exception-xss.js:96:10:96:10 | e |
 | exception-xss.js:97:18:97:18 | e |
 | exception-xss.js:97:18:97:18 | e |
-| exception-xss.js:107:13:107:25 | req.params.id |
-| exception-xss.js:107:13:107:25 | req.params.id |
-| exception-xss.js:108:11:108:11 | e |
-| exception-xss.js:109:14:109:30 | "Exception: " + e |
-| exception-xss.js:109:14:109:30 | "Exception: " + e |
-| exception-xss.js:109:30:109:30 | e |
+| exception-xss.js:102:12:102:14 | foo |
+| exception-xss.js:106:10:106:10 | e |
+| exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:117:13:117:25 | req.params.id |
+| exception-xss.js:117:13:117:25 | req.params.id |
+| exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:30:119:30 | e |
 edges
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:9:11:9:13 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:15:9:15:11 | foo |
@@ -63,6 +67,7 @@ edges
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:81:16:81:18 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:89:11:89:13 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:95:12:95:14 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:102:12:102:14 | foo |
 | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
 | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
 | exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:10:10:10 | e |
@@ -101,11 +106,14 @@ edges
 | exception-xss.js:95:12:95:14 | foo | exception-xss.js:95:11:95:22 | [foo, "bar"] |
 | exception-xss.js:96:10:96:10 | e | exception-xss.js:97:18:97:18 | e |
 | exception-xss.js:96:10:96:10 | e | exception-xss.js:97:18:97:18 | e |
-| exception-xss.js:107:13:107:25 | req.params.id | exception-xss.js:108:11:108:11 | e |
-| exception-xss.js:107:13:107:25 | req.params.id | exception-xss.js:108:11:108:11 | e |
-| exception-xss.js:108:11:108:11 | e | exception-xss.js:109:30:109:30 | e |
-| exception-xss.js:109:30:109:30 | e | exception-xss.js:109:14:109:30 | "Exception: " + e |
-| exception-xss.js:109:30:109:30 | e | exception-xss.js:109:14:109:30 | "Exception: " + e |
+| exception-xss.js:102:12:102:14 | foo | exception-xss.js:106:10:106:10 | e |
+| exception-xss.js:106:10:106:10 | e | exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:106:10:106:10 | e | exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:118:11:118:11 | e | exception-xss.js:119:30:119:30 | e |
+| exception-xss.js:119:30:119:30 | e | exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:30:119:30 | e | exception-xss.js:119:14:119:30 | "Exception: " + e |
 #select
 | exception-xss.js:11:18:11:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:11:18:11:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:17:18:17:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:17:18:17:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
@@ -116,4 +124,5 @@ edges
 | exception-xss.js:83:18:83:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:83:18:83:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:91:18:91:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:91:18:91:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:97:18:97:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:97:18:97:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:109:14:109:30 | "Exception: " + e | exception-xss.js:107:13:107:25 | req.params.id | exception-xss.js:109:14:109:30 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:107:13:107:25 | req.params.id | user-provided value |
+| exception-xss.js:107:18:107:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:107:18:107:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:119:14:119:30 | "Exception: " + e | exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:119:14:119:30 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:117:13:117:25 | req.params.id | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js
@@ -96,6 +96,16 @@
 	} catch(e) {
 		$('myId').html(e); // NOT OK! 
 	}
+
+	try {
+		try {
+			unknown(foo);
+		} finally {
+			// nothing
+		}
+	} catch(e) {
+		$('myId').html(e); // NOT OK! 
+	}
 });

 var express = require('express');