JavaScript: Respect barriers on return edges.

javascript/ql/test/library-tests/InterProceduralFlow/DataFlowConfig.qll

@@ -22,5 +22,11 @@ class TestDataFlowConfiguration extends DataFlow::Configuration {
   override predicate isBarrier(DataFlow::Node src, DataFlow::Node snk) {
     src = src and
     snk.asExpr().(PropAccess).getPropertyName() = "notTracked"
+    or
+    exists (Function f |
+      f.getName().matches("%noReturnTracking%") and
+      src = f.getAReturnedExpr().flow() and
+      snk.(DataFlow::InvokeNode).getACallee() = f
+    )
   }
 }

javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.ql

@@ -22,6 +22,12 @@ class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
   override predicate isSanitizer(DataFlow::Node src, DataFlow::Node snk) {
     src = src and
     snk.asExpr().(PropAccess).getPropertyName() = "notTracked"
+    or
+    exists (Function f |
+      f.getName().matches("%noReturnTracking%") and
+      src = f.getAReturnedExpr().flow() and
+      snk.(DataFlow::InvokeNode).getACallee() = f
+    )
   }
 }
 

javascript/ql/test/library-tests/InterProceduralFlow/tst3.js

@@ -0,0 +1,13 @@
+(function() {
+  let source1 = "tainted1";
+  function noReturnTracking1(x) {
+    return x;
+  }
+  let sink1 = noReturnTracking1(source1);
+
+  function noReturnTracking2() {
+    let source2 = "tainted2";
+    return source2;
+  }
+  let sink2 = noReturnTracking2();
+});