model responseText and responseXml on jqXHR objects

javascript/ql/src/semmle/javascript/frameworks/jQuery.qll

@@ -291,7 +291,16 @@ private class JQueryAjaxCall extends ClientRequest::Range {
             .(DataFlow::FunctionNode)
             .getParameter(0)
       or
+      result =
+        getAResponseNodeFromAnXHRObject(getOptionArgument([0 .. 1],
+            any(string method | method = "error" or method = "complete"))
+              .getALocalSource()
+              .(DataFlow::FunctionNode)
+              .getParameter(0))
+      or
       result = getAnAjaxCallbackDataNode(this)
+      or
+      result = getAResponseNodeFromAnXHRObject(getAnXHRObject(this))
     )
   }
 }
@@ -304,6 +313,25 @@ DataFlow::Node getAnAjaxCallbackDataNode(ClientRequest::Range request) {
     request.getAMemberCall(any(string s | s = "done" or s = "then")).getCallback(0).getParameter(0)
 }
 
+/**
+ * Gets the `jqXHR` object from a call to `fail` on the result from an ajax call (`request`).
+ */
+DataFlow::SourceNode getAnXHRObject(ClientRequest::Range request) {
+  result = request.getAMemberCall("fail").getCallback(0).getParameter(0)
+}
+
+/**
+ * Gets a node refering to the response contained in an `jqXHR` object (`obj`).
+ */
+DataFlow::SourceNode getAResponseNodeFromAnXHRObject(DataFlow::SourceNode obj) {
+  result =
+    obj
+        .getAPropertyRead(any(string s |
+            s = "responseText" or
+            s = "responseXML"
+          ))
+}
+
 /**
  * A model of a URL request made using a `jQuery.ajax` shorthand.
  * E.g. `jQuery.getJSON`, `jQuery.post` etc.
@@ -360,11 +388,13 @@ private class JQueryAjaxShortHand extends ClientRequest::Range {
       not exists(getResponseType()) and responseType = ""
     ) and
     promise = false and
-    // one of the two last arguments
     (
+      // one of the two last arguments
       result = getCallback([getNumArgument() - 2 .. getNumArgument() - 1]).getParameter(0)
       or
       result = getAnAjaxCallbackDataNode(this)
+      or
+      result = getAResponseNodeFromAnXHRObject(getAnXHRObject(this))
     )
   }
 }

javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected

@@ -64,6 +64,8 @@ test_ClientRequest
 | tst.js:195:2:195:54 | $.get(  ... "json") |
 | tst.js:197:2:197:45 | $.ajax( ... blob"}) |
 | tst.js:200:2:200:21 | $.get("example.php") |
+| tst.js:202:5:208:7 | $.ajax( ...     }}) |
+| tst.js:210:2:210:21 | $.get("example.php") |
 test_getADataNode
 | tst.js:53:5:53:23 | axios({data: data}) | tst.js:53:18:53:21 | data |
 | tst.js:57:5:57:39 | axios.p ... data2}) | tst.js:57:19:57:23 | data1 |
@@ -169,6 +171,8 @@ test_getUrl
 | tst.js:195:2:195:54 | $.get(  ... "json") | tst.js:195:9:195:24 | "ajax/test.json" |
 | tst.js:197:2:197:45 | $.ajax( ... blob"}) | tst.js:197:15:197:25 | "ajax/blob" |
 | tst.js:200:2:200:21 | $.get("example.php") | tst.js:200:8:200:20 | "example.php" |
+| tst.js:202:5:208:7 | $.ajax( ...     }}) | tst.js:203:10:203:22 | "example.php" |
+| tst.js:210:2:210:21 | $.get("example.php") | tst.js:210:8:210:20 | "example.php" |
 test_getAResponseDataNode
 | tst.js:19:5:19:23 | requestPromise(url) | tst.js:19:5:19:23 | requestPromise(url) | text | true |
 | tst.js:21:5:21:23 | superagent.get(url) | tst.js:21:5:21:23 | superagent.get(url) | stream | true |
@@ -227,3 +231,5 @@ test_getAResponseDataNode
 | tst.js:195:2:195:54 | $.get(  ... "json") | tst.js:195:37:195:40 | data | json | false |
 | tst.js:197:2:197:45 | $.ajax( ... blob"}) | tst.js:198:23:198:26 | data | blob | false |
 | tst.js:200:2:200:21 | $.get("example.php") | tst.js:200:37:200:44 | response |  | false |
+| tst.js:202:5:208:7 | $.ajax( ...     }}) | tst.js:207:21:207:36 | err.responseText | json | false |
+| tst.js:210:2:210:21 | $.get("example.php") | tst.js:210:55:210:70 | xhr.responseText |  | false |

javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js

@@ -198,4 +198,14 @@ import {ClientRequest, net} from 'electron';
       .done(function( data ) {});
 
 	$.get("example.php").done(function(response) {})
+	
+    $.ajax({
+    url: "example.php",
+    type: 'POST',
+    dataType: "json",
+    error: function (err) {
+        console.log(err.responseText)
+    }});
+
+	$.get("example.php").fail(function(xhr) {console.log(xhr.responseText)});
 });