JS: model URI and XHR methods from closure library

Asger F
2019-02-08 11:31:13 +00:00
parent fd2e9f1fcb
commit f6e0ccfcf0
7 changed files with 176 additions and 6 deletions


@@ -1,3 +1,27 @@
| closureUri.js:5:11:5:20 | new Uri(x) | closureUri.js:5:19:5:19 | x | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:6:1:6:12 | Uri.parse(x) | closureUri.js:6:11:6:11 | x | closureUri.js:6:1:6:12 | Uri.parse(x) |
| closureUri.js:7:1:7:17 | Uri.resolve(x, y) | closureUri.js:7:13:7:13 | x | closureUri.js:7:1:7:17 | Uri.resolve(x, y) |
| closureUri.js:7:1:7:17 | Uri.resolve(x, y) | closureUri.js:7:16:7:16 | y | closureUri.js:7:1:7:17 | Uri.resolve(x, y) |
| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:12:8:17 | scheme | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:26:8:31 | domain | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:40:8:43 | path | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
| closureUri.js:10:1:10:16 | uri.setScheme(x) | closureUri.js:10:1:10:3 | uri | closureUri.js:10:1:10:16 | uri.setScheme(x) |
| closureUri.js:10:1:10:16 | uri.setScheme(x) | closureUri.js:10:15:10:15 | x | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:11:1:11:18 | uri.setUserInfo(x) | closureUri.js:11:1:11:3 | uri | closureUri.js:11:1:11:18 | uri.setUserInfo(x) |
| closureUri.js:12:1:12:16 | uri.setDomain(x) | closureUri.js:12:1:12:3 | uri | closureUri.js:12:1:12:16 | uri.setDomain(x) |
| closureUri.js:12:1:12:16 | uri.setDomain(x) | closureUri.js:12:15:12:15 | x | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:13:1:13:14 | uri.setPort(x) | closureUri.js:13:1:13:3 | uri | closureUri.js:13:1:13:14 | uri.setPort(x) |
| closureUri.js:14:1:14:14 | uri.setPath(x) | closureUri.js:14:1:14:3 | uri | closureUri.js:14:1:14:14 | uri.setPath(x) |
| closureUri.js:14:1:14:14 | uri.setPath(x) | closureUri.js:14:13:14:13 | x | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:15:1:15:15 | uri.setQuery(x) | closureUri.js:15:1:15:3 | uri | closureUri.js:15:1:15:15 | uri.setQuery(x) |
| closureUri.js:16:1:16:18 | uri.setFragment(x) | closureUri.js:16:1:16:3 | uri | closureUri.js:16:1:16:18 | uri.setFragment(x) |
| closureUri.js:18:1:18:15 | uri.setQuery(x) | closureUri.js:18:1:18:3 | uri | closureUri.js:18:1:18:15 | uri.setQuery(x) |
| closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:1:18:15 | uri.setQuery(x) | closureUri.js:18:1:18:26 | uri.set ... Path(y) |
| closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:25:18:25 | y | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:18:1:18:39 | uri.set ... heme(z) | closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:1:18:39 | uri.set ... heme(z) |
| closureUri.js:18:1:18:39 | uri.set ... heme(z) | closureUri.js:18:38:18:38 | z | closureUri.js:5:11:5:20 | new Uri(x) |
| closureUri.js:22:1:22:25 | utils.a ... uri, z) | closureUri.js:22:19:22:21 | uri | closureUri.js:22:1:22:25 | utils.a ... uri, z) |
| closureUri.js:23:1:23:18 | utils.getPath(uri) | closureUri.js:23:15:23:17 | uri | closureUri.js:23:1:23:18 | utils.getPath(uri) |
| punycode.js:3:9:3:26 | punycode.decode(x) | punycode.js:3:25:3:25 | x | punycode.js:3:9:3:26 | punycode.decode(x) |
| punycode.js:5:5:5:22 | punycode.encode(x) | punycode.js:5:21:5:21 | x | punycode.js:5:5:5:22 | punycode.encode(x) |
| punycode.js:7:5:7:25 | punycod ... code(x) | punycode.js:7:24:7:24 | x | punycode.js:7:5:7:25 | punycod ... code(x) |


@@ -0,0 +1,23 @@
goog.module('closureUri');
let Uri = goog.require('goog.Uri');
let uri = new Uri(x);
Uri.parse(x);
Uri.resolve(x, y);
Uri.create(scheme, cred, domain, port, path, query, frag);
uri.setScheme(x);
uri.setUserInfo(x);
uri.setDomain(x);
uri.setPort(x);
uri.setPath(x);
uri.setQuery(x);
uri.setFragment(x);
uri.setQuery(x).setPath(y).setScheme(z);
let utils = goog.require('goog.uri.utils');
utils.appendParam(uri, z);
utils.getPath(uri);
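Review bot: The new closureUri.js test has no comments saying which calls are expected to propagate taint from their arguments, so the asymmetry in the expected output reads like an accident. In the expected rows shown in this commit, `setScheme`, `setDomain` and `setPath` carry a step from `x`, while `setUserInfo`, `setPort`, `setQuery` and `setFragment` carry only the receiver step. Likewise `Uri.create` has steps for `scheme`, `domain` and `path` only, and `utils.appendParam(uri, z)` has none from `z`. If that is deliberate, a trailing comment on those lines, e.g. `uri.setQuery(x); // receiver step only: query argument is intentionally not a taint step`, would stop a later model change from silently widening or narrowing the set.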


@@ -14,6 +14,10 @@ nodes
| tst.js:30:13:30:43 | "http:/ ... tainted |
| tst.js:30:37:30:43 | tainted |
| tst.js:34:34:34:40 | tainted |
| tst.js:36:16:36:31 | new Uri(tainted) |
| tst.js:36:24:36:30 | tainted |
| tst.js:37:22:37:37 | new Uri(tainted) |
| tst.js:37:30:37:36 | tainted |
edges
| tst.js:14:9:14:52 | tainted | tst.js:18:13:18:19 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:20:17:20:23 | tainted |
@@ -22,6 +26,8 @@ edges
| tst.js:14:9:14:52 | tainted | tst.js:28:36:28:42 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:30:37:30:43 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:34:34:34:40 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:36:24:36:30 | tainted |
| tst.js:14:9:14:52 | tainted | tst.js:37:30:37:36 | tainted |
| tst.js:14:19:14:42 | url.par ... , true) | tst.js:14:19:14:48 | url.par ... ).query |
| tst.js:14:19:14:48 | url.par ... ).query | tst.js:14:19:14:52 | url.par ... ery.url |
| tst.js:14:19:14:52 | url.par ... ery.url | tst.js:14:9:14:52 | tainted |
@@ -29,6 +35,8 @@ edges
| tst.js:26:25:26:31 | tainted | tst.js:26:13:26:31 | "http://" + tainted |
| tst.js:28:36:28:42 | tainted | tst.js:28:13:28:42 | "http:/ ... tainted |
| tst.js:30:37:30:43 | tainted | tst.js:30:13:30:43 | "http:/ ... tainted |
| tst.js:36:24:36:30 | tainted | tst.js:36:16:36:31 | new Uri(tainted) |
| tst.js:37:30:37:36 | tainted | tst.js:37:22:37:37 | new Uri(tainted) |
#select
| tst.js:18:5:18:20 | request(tainted) | tst.js:14:29:14:35 | req.url | tst.js:18:13:18:19 | tainted | The $@ of this request depends on $@. | tst.js:18:13:18:19 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:20:5:20:24 | request.get(tainted) | tst.js:14:29:14:35 | req.url | tst.js:20:17:20:23 | tainted | The $@ of this request depends on $@. | tst.js:20:17:20:23 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
@@ -37,3 +45,5 @@ edges
| tst.js:28:5:28:43 | request ... ainted) | tst.js:14:29:14:35 | req.url | tst.js:28:13:28:42 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:28:13:28:42 | "http:/ ... tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:30:5:30:44 | request ... ainted) | tst.js:14:29:14:35 | req.url | tst.js:30:13:30:43 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:30:13:30:43 | "http:/ ... tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:34:5:34:42 | http.ge ... inted}) | tst.js:14:29:14:35 | req.url | tst.js:34:34:34:40 | tainted | The $@ of this request depends on $@. | tst.js:34:34:34:40 | tainted | host | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:36:5:36:32 | XhrIo.s ... inted)) | tst.js:14:29:14:35 | req.url | tst.js:36:16:36:31 | new Uri(tainted) | The $@ of this request depends on $@. | tst.js:36:16:36:31 | new Uri(tainted) | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
| tst.js:37:5:37:38 | new Xhr ... inted)) | tst.js:14:29:14:35 | req.url | tst.js:37:22:37:37 | new Uri(tainted) | The $@ of this request depends on $@. | tst.js:37:22:37:37 | new Uri(tainted) | URL | tst.js:14:29:14:35 | req.url | a user-provided value |


@@ -7,8 +7,8 @@ import axios from 'axios';
import got from 'got';
import nodeFetch from 'node-fetch';
import url from 'url';
let XhrIo = goog.require('goog.net.XhrIo');
let Uri = goog.require('goog.Uri');
var server = http.createServer(function(req, res) {
var tainted = url.parse(req.url, true).query.url;
@@ -32,4 +32,7 @@ var server = http.createServer(function(req, res) {
request("http://example.com/?" + tainted); // OK
http.get(relativeUrl, {host: tainted}); // NOT OK
XhrIo.send(new Uri(tainted)); // NOT OK
new XhrIo().send(new Uri(tainted)); // NOT OK
})
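Review bot: Both added Closure cases are positive (`// NOT OK`), and there is no counterpart to the existing `request("http://example.com/?" + tainted); // OK` line, so nothing pins that a `Uri` with a fixed host stays unflagged on the XhrIo path. Consider adding `XhrIo.send(new Uri("http://example.com/?" + tainted)); // OK` next to them. If the setter steps are meant to reach this query, a case such as `XhrIo.send(new Uri("http://example.com").setDomain(tainted)); // NOT OK` would cover them too. Whether the first case is really reported as OK depends on the sanitizer and model code, which is not visible in this section. The server callback begins in the earlier hunk, and the lines between the two hunks are not shown.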