Merge pull request #982 from asger-semmle/closure-string-lib

JS: model string functions from closure library

javascript/ql/src/javascript.qll

@@ -61,6 +61,7 @@ import semmle.javascript.frameworks.Azure
 import semmle.javascript.frameworks.Babel
 import semmle.javascript.frameworks.ComposedFunctions
 import semmle.javascript.frameworks.ClientRequests
+import semmle.javascript.frameworks.ClosureLibrary
 import semmle.javascript.frameworks.CookieLibraries
 import semmle.javascript.frameworks.Credentials
 import semmle.javascript.frameworks.CryptoLibraries

javascript/ql/src/semmle/javascript/HtmlSanitizers.qll

@@ -54,6 +54,8 @@ private class DefaultHtmlSanitizerCall extends HtmlSanitizerCall {
               .getAPropertyRead(name) or
         callee = DataFlow::moduleMember("html-entities", _).getAPropertyRead(name)
       )
+      or
+      callee = Closure::moduleImport("goog.string.htmlEscape")
     )
     or
     // Match home-made sanitizers by name.

javascript/ql/src/semmle/javascript/StringConcatenation.qll

@@ -47,6 +47,11 @@ module StringConcatenation {
         n = 0
       )
     )
+    or
+    exists(DataFlow::CallNode call | node = call |
+      call = Closure::moduleImport("goog.string.buildString").getACall() and
+      result = call.getArgument(n)
+    )
   }
 
   /** Gets an operand to the string concatenation defining `node`. */

javascript/ql/src/semmle/javascript/frameworks/ClosureLibrary.qll

@@ -0,0 +1,56 @@
+/**
+ * Provides models for miscellaneous utility functions in the closure standard library.
+ */
+
+import javascript
+
+module ClosureLibrary {
+  private import DataFlow
+
+  private class StringStep extends TaintTracking::AdditionalTaintStep, CallNode {
+    Node pred;
+
+    StringStep() {
+      exists (string name | this = Closure::moduleImport("goog.string." + name).getACall() |
+        pred = getAnArgument() and
+        (
+          name = "canonicalizeNewlines" or 
+          name = "capitalize" or
+          name = "collapseBreakingSpaces" or
+          name = "collapseWhitespace" or
+          name = "format" or
+          name = "makeSafe" or // makeSafe just guards against null and undefined
+          name = "newLineOrBr" or
+          name = "normalizeSpaces" or
+          name = "normalizeWhitespace" or
+          name = "preserveSpaces" or
+          name = "remove" or // removes first occurrence of a substring
+          name = "repeat" or
+          name = "splitLimit" or
+          name = "stripNewlines" or
+          name = "subs" or
+          name = "toCamelCase" or
+          name = "toSelectorCase" or
+          name = "toTitleCase" or
+          name = "trim" or
+          name = "trimLeft" or
+          name = "trimRight" or
+          name = "unescapeEntities" or
+          name = "whitespaceEscape"
+        )
+        or
+        pred = getArgument(0) and
+        (
+          name = "truncate" or
+          name = "truncateMiddle" or
+          name = "unescapeEntitiesWithDocument"
+        )
+      )
+    }
+
+    override predicate step(Node src, Node dst) {
+      src = pred and
+      dst = this
+    }
+  }
+}

javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll

@@ -355,6 +355,13 @@ private module ClosureLibraryUri {
         name = "setPath" or
         name = "split"
       )
+      or
+      // static methods in goog.string
+      arg = 0 and
+      exists(string name | this = Closure::moduleImport("goog.string." + name).getACall() |
+        name = "urlDecode" or
+        name = "urlEncode"
+      )
     }
 
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {