From efddef7fa2dc83afee7163fceb4c90d7583b02d5 Mon Sep 17 00:00:00 2001
From: Sauyon Lee
Date: Wed, 11 Nov 2020 00:05:14 -0800
Subject: [PATCH] Add tests for stored XSS query
---
 .../Security/CWE-079/StoredXss.expected | 11 ++++
 .../query-tests/Security/CWE-079/StoredXss.go | 15 ++++++
 .../Security/CWE-079/StoredXss.qlref | 1 +
 .../Security/CWE-079/StoredXssGood.go | 16 ++++++
 .../query-tests/Security/CWE-079/stored.go | 53 +++++++++++++++++++
 ql/test/query-tests/Security/CWE-079/tst.go | 2 +
 6 files changed, 98 insertions(+)
 create mode 100644 ql/test/query-tests/Security/CWE-079/StoredXss.expected
 create mode 100644 ql/test/query-tests/Security/CWE-079/StoredXss.go
 create mode 100644 ql/test/query-tests/Security/CWE-079/StoredXss.qlref
 create mode 100644 ql/test/query-tests/Security/CWE-079/StoredXssGood.go
 create mode 100644 ql/test/query-tests/Security/CWE-079/stored.go
diff --git a/ql/test/query-tests/Security/CWE-079/StoredXss.expected b/ql/test/query-tests/Security/CWE-079/StoredXss.expected
new file mode 100644
index 00000000000..c9de068a66d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-079/StoredXss.expected
@@ -0,0 +1,11 @@
+edges
+| StoredXss.go:13:21:13:31 | call to Name : string | StoredXss.go:13:21:13:36 | ...+... |
+| stored.go:16:3:16:28 | ... := ...[0] : pointer type | stored.go:28:22:28:25 | name |
+nodes
+| StoredXss.go:13:21:13:31 | call to Name : string | semmle.label | call to Name : string |
+| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
+| stored.go:16:3:16:28 | ... := ...[0] : pointer type | semmle.label | ... := ...[0] : pointer type |
+| stored.go:28:22:28:25 | name | semmle.label | name |
+#select
+| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name : string | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
+| stored.go:28:22:28:25 | name | stored.go:16:3:16:28 | ... := ...[0] : pointer type | stored.go:28:22:28:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:16:3:16:28 | ... := ...[0] | stored value |
diff --git a/ql/test/query-tests/Security/CWE-079/StoredXss.go b/ql/test/query-tests/Security/CWE-079/StoredXss.go
new file mode 100644
index 00000000000..008b738f4ca
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-079/StoredXss.go
@@ -0,0 +1,15 @@
+package main
+
+import (
+ "io"
+ "io/ioutil"
+ "net/http"
+)
+
+func ListFiles(w http.ResponseWriter, r *http.Request) {
+ files, _ := ioutil.ReadDir(".")
+
+ for _, file := range files {
+ io.WriteString(w, file.Name()+"\n")
+ }
+}
diff --git a/ql/test/query-tests/Security/CWE-079/StoredXss.qlref b/ql/test/query-tests/Security/CWE-079/StoredXss.qlref
new file mode 100644
index 00000000000..1ab28863211
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-079/StoredXss.qlref
@@ -0,0 +1 @@
+Security/CWE-079/StoredXss.ql
diff --git a/ql/test/query-tests/Security/CWE-079/StoredXssGood.go b/ql/test/query-tests/Security/CWE-079/StoredXssGood.go
new file mode 100644
index 00000000000..d73a205ff3f
--- /dev/null
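Review bot: The sink at StoredXss.go line 13 (`io.WriteString(w, file.Name()+"\n")`) carries no `// BAD:` marker, while stored.go annotates its sinks with `// BAD:` / `// GOOD:` comments; the escaped write in StoredXssGood.go likewise lacks a `// GOOD:` marker. Because StoredXss.expected pins this exact line and column, a marker tells the next maintainer why the result is expected and which line must not move. I would add `// BAD: file names read from disk are written to the response without escaping` above the write in StoredXss.go and `// GOOD: file names are HTML-escaped before being written` above the write in StoredXssGood.go. The ignored `ioutil.ReadDir` error is presumably deliberate for a minimal fixture; a one-word `// fixture` note next to it would make that explicit.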
+++ b/ql/test/query-tests/Security/CWE-079/StoredXssGood.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+ "html"
+ "io"
+ "io/ioutil"
+ "net/http"
+)
+
+func ListFiles1(w http.ResponseWriter, r *http.Request) {
+ files, _ := ioutil.ReadDir(".")
+
+ for _, file := range files {
+ io.WriteString(w, html.EscapeString(file.Name())+"\n")
+ }
+}
diff --git a/ql/test/query-tests/Security/CWE-079/stored.go b/ql/test/query-tests/Security/CWE-079/stored.go
new file mode 100644
index 00000000000..005a8e5f635
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-079/stored.go
@@ -0,0 +1,53 @@
+package main
+
+import (
+ "database/sql"
+ "io"
+ "log"
+ "net/http"
+)
+
+var db *sql.DB
+var q string
+
+func storedserve1() {
+ http.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
+ r.ParseForm()
+ rows, _ := db.Query(q, 32)
+
+ for rows.Next() {
+ var (
+ id int64
+ name string
+ )
+ if err := rows.Scan(&id, &name); err != nil {
+ log.Fatal(err)
+ }
+
+ // BAD: the stored XSS query assumes all query results are untrusted
+ io.WriteString(w, name)
+ }
+ })
+}
+
+func storedserve2() {
+ http.HandleFunc("/user", func(w http.ResponseWriter, r *http.Request) {
+ r.ParseForm()
+ rows, _ := db.Query(q, 32)
+
+ for rows.Next() {
+ var (
+ id int64
+ name string
+ )
+ if err := rows.Scan(&id, &name); err != nil {
+ log.Fatal(err)
+ }
+
+ // GOOD: name is checked against a constant value
+ if name == "Sam" {
+ io.WriteString(w, name)
+ }
+ }
+ })
+}
diff --git a/ql/test/query-tests/Security/CWE-079/tst.go b/ql/test/query-tests/Security/CWE-079/tst.go
index dfdf3bbf6b0..e6d4f1ed22b 100644
--- a/ql/test/query-tests/Security/CWE-079/tst.go
+++ b/ql/test/query-tests/Security/CWE-079/tst.go
@@ -69,3 +69,5 @@ func serve9(log io.Writer) {
 })
 http.ListenAndServe(":80", nil)
 }
+
+func main() {}
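Review bot: In storedserve1 the error from `db.Query` is discarded (`rows, _ := db.Query(q, 32)`, stored.go line 16) and `rows` is never closed, so a failed query leaves `rows` nil and the following `rows.Next()` dereferences a nil pointer; storedserve2 (line 36) has the same shape. Presumably the fixture is kept minimal on purpose, and the finding depends only on the `db.Query` source reaching the `io.WriteString` sink, so checking the error and deferring `rows.Close()` should not alter the expected results — but the added lines would shift the `stored.go:16` and `stored.go:28` locations in StoredXss.expected, which would then need regenerating. `log.Fatal(err)` inside an HTTP handler also terminates the whole process on a single bad row; returning an `http.Error` is the usual handler behaviour. If the fixture is meant to look like real handler code, I would rewrite the query prologue as below in both handlers.
```go
 rows, err := db.Query(q, 32)
 if err != nil {
 http.Error(w, "query failed", http.StatusInternalServerError)
 return
 }
 defer rows.Close()
 // … unchanged: row scanning and the BAD/GOOD writes …
```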