JS: Initial model of Response

2026-04-26 01:05:15 +02:00 · 2025-04-02 13:50:41 +02:00
parent 9ebaac82cf
commit db2720ea5b
5 changed files with 166 additions and 14 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -40,6 +40,19 @@
 | partial.js:28:14:28:18 | x + y | partial.js:31:47:31:53 | req.url | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:31:47:31:53 | req.url | user-provided value |
 | partial.js:37:14:37:18 | x + y | partial.js:40:43:40:49 | req.url | partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to a $@. | partial.js:40:43:40:49 | req.url | user-provided value |
 | promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to a $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
+| response-object.js:9:18:9:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:9:18:9:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:10:18:10:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:10:18:10:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:11:18:11:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:11:18:11:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:13:18:13:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:13:18:13:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:14:18:14:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:14:18:14:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:16:18:16:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:16:18:16:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:17:18:17:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:17:18:17:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:20:18:20:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:20:18:20:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:23:18:23:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:23:18:23:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:26:18:26:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:26:18:26:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:30:18:30:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:30:18:30:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:34:18:34:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:34:18:34:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:38:18:38:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:38:18:38:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:6:9:6:9 | p | user-provided value |
 | tst2.js:8:12:8:12 | r | tst2.js:6:12:6:15 | q: r | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to a $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
 | tst2.js:18:12:18:12 | p | tst2.js:14:9:14:9 | p | tst2.js:18:12:18:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:14:9:14:9 | p | user-provided value |
@@ -149,6 +162,20 @@ edges
 | promises.js:5:36:5:42 | [post update] resolve [resolve-value] | promises.js:5:16:5:22 | resolve [Return] [resolve-value] | provenance |  |
 | promises.js:5:44:5:57 | req.query.data | promises.js:5:36:5:42 | [post update] resolve [resolve-value] | provenance |  |
 | promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:9:18:9:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:10:18:10:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:11:18:11:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:13:18:13:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:14:18:14:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:16:18:16:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:17:18:17:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:20:18:20:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:23:18:23:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:26:18:26:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:30:18:30:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:34:18:34:21 | data | provenance |  |
+| response-object.js:7:11:7:25 | data | response-object.js:38:18:38:21 | data | provenance |  |
+| response-object.js:7:18:7:25 | req.body | response-object.js:7:11:7:25 | data | provenance |  |
 | tst2.js:6:7:6:30 | p | tst2.js:7:12:7:12 | p | provenance |  |
 | tst2.js:6:7:6:30 | r | tst2.js:8:12:8:12 | r | provenance |  |
 | tst2.js:6:9:6:9 | p | tst2.js:6:7:6:30 | p | provenance |  |
@@ -332,6 +359,21 @@ nodes
 | promises.js:5:44:5:57 | req.query.data | semmle.label | req.query.data |
 | promises.js:6:11:6:11 | x | semmle.label | x |
 | promises.js:6:25:6:25 | x | semmle.label | x |
+| response-object.js:7:11:7:25 | data | semmle.label | data |
+| response-object.js:7:18:7:25 | req.body | semmle.label | req.body |
+| response-object.js:9:18:9:21 | data | semmle.label | data |
+| response-object.js:10:18:10:21 | data | semmle.label | data |
+| response-object.js:11:18:11:21 | data | semmle.label | data |
+| response-object.js:13:18:13:21 | data | semmle.label | data |
+| response-object.js:14:18:14:21 | data | semmle.label | data |
+| response-object.js:16:18:16:21 | data | semmle.label | data |
+| response-object.js:17:18:17:21 | data | semmle.label | data |
+| response-object.js:20:18:20:21 | data | semmle.label | data |
+| response-object.js:23:18:23:21 | data | semmle.label | data |
+| response-object.js:26:18:26:21 | data | semmle.label | data |
+| response-object.js:30:18:30:21 | data | semmle.label | data |
+| response-object.js:34:18:34:21 | data | semmle.label | data |
+| response-object.js:38:18:38:21 | data | semmle.label | data |
 | tst2.js:6:7:6:30 | p | semmle.label | p |
 | tst2.js:6:7:6:30 | r | semmle.label | r |
 | tst2.js:6:9:6:9 | p | semmle.label | p |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -38,6 +38,19 @@
 | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:47:31:53 | req.url | user-provided value |
 | partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
 | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
+| response-object.js:9:18:9:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:10:18:10:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:11:18:11:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:13:18:13:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:14:18:14:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:16:18:16:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:17:18:17:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:20:18:20:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:23:18:23:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:26:18:26:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:30:18:30:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:34:18:34:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
+| response-object.js:38:18:38:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
 | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
 | tst2.js:18:12:18:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/response-object.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/response-object.js
@@ -4,36 +4,36 @@ const express = require('express');
 // in isolation from the more complicated http frameworks.

 express().get('/foo', (req) => {
-    const data = req.body; // $ MISSING: Source
+    const data = req.body; // $ Source

-    new Response(data); // $ MISSING: Alert
-    new Response(data, {}); // $ MISSING: Alert
-    new Response(data, { headers: null }); // $ MISSING: Alert
+    new Response(data); // $ Alert
+    new Response(data, {}); // $ Alert
+    new Response(data, { headers: null }); // $ Alert

-    new Response(data, { headers: { 'content-type': 'text/plain'}});
-    new Response(data, { headers: { 'content-type': 'text/html'}}); // $ MISSING: Alert
+    new Response(data, { headers: { 'content-type': 'text/plain'}}); // $ SPURIOUS: Alert
+    new Response(data, { headers: { 'content-type': 'text/html'}}); // $ Alert

-    new Response(data, { headers: { 'Content-Type': 'text/plain'}});
-    new Response(data, { headers: { 'Content-Type': 'text/html'}}); // $ MISSING: Alert
+    new Response(data, { headers: { 'Content-Type': 'text/plain'}}); // $ SPURIOUS: Alert
+    new Response(data, { headers: { 'Content-Type': 'text/html'}}); // $ Alert

    const headers1 = new Headers({ 'content-type': 'text/plain'});
-    new Response(data, { headers: headers1 });
+    new Response(data, { headers: headers1 }); // $ SPURIOUS: Alert

    const headers2 = new Headers({ 'content-type': 'text/html'});
-    new Response(data, { headers: headers2 }); // $ MISSING: Alert
+    new Response(data, { headers: headers2 }); // $ Alert

    const headers3 = new Headers();
-    new Response(data, { headers: headers3 }); // $ MISSING: Alert
+    new Response(data, { headers: headers3 }); // $ Alert

    const headers4 = new Headers();
    headers4.set('content-type', 'text/plain');
-    new Response(data, { headers: headers4 });
+    new Response(data, { headers: headers4 }); // $ SPURIOUS: Alert

    const headers5 = new Headers();
    headers5.set('content-type', 'text/html');
-    new Response(data, { headers: headers5 }); // $ MISSING: Alert
+    new Response(data, { headers: headers5 }); // $ Alert

    const headers6 = new Headers();
    headers6.set('unrelated-header', 'text/plain');
-    new Response(data, { headers: headers6 }); // $ MISSING: Alert
+    new Response(data, { headers: headers6 }); // $ Alert
 });