JS: model URI and XHR methods from closure library

javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected

@@ -14,6 +14,10 @@ nodes
 | tst.js:30:13:30:43 | "http:/ ... tainted |
 | tst.js:30:37:30:43 | tainted |
 | tst.js:34:34:34:40 | tainted |
+| tst.js:36:16:36:31 | new Uri(tainted) |
+| tst.js:36:24:36:30 | tainted |
+| tst.js:37:22:37:37 | new Uri(tainted) |
+| tst.js:37:30:37:36 | tainted |
 edges
 | tst.js:14:9:14:52 | tainted | tst.js:18:13:18:19 | tainted |
 | tst.js:14:9:14:52 | tainted | tst.js:20:17:20:23 | tainted |
@@ -22,6 +26,8 @@ edges
 | tst.js:14:9:14:52 | tainted | tst.js:28:36:28:42 | tainted |
 | tst.js:14:9:14:52 | tainted | tst.js:30:37:30:43 | tainted |
 | tst.js:14:9:14:52 | tainted | tst.js:34:34:34:40 | tainted |
+| tst.js:14:9:14:52 | tainted | tst.js:36:24:36:30 | tainted |
+| tst.js:14:9:14:52 | tainted | tst.js:37:30:37:36 | tainted |
 | tst.js:14:19:14:42 | url.par ... , true) | tst.js:14:19:14:48 | url.par ... ).query |
 | tst.js:14:19:14:48 | url.par ... ).query | tst.js:14:19:14:52 | url.par ... ery.url |
 | tst.js:14:19:14:52 | url.par ... ery.url | tst.js:14:9:14:52 | tainted |
@@ -29,6 +35,8 @@ edges
 | tst.js:26:25:26:31 | tainted | tst.js:26:13:26:31 | "http://" + tainted |
 | tst.js:28:36:28:42 | tainted | tst.js:28:13:28:42 | "http:/ ... tainted |
 | tst.js:30:37:30:43 | tainted | tst.js:30:13:30:43 | "http:/ ... tainted |
+| tst.js:36:24:36:30 | tainted | tst.js:36:16:36:31 | new Uri(tainted) |
+| tst.js:37:30:37:36 | tainted | tst.js:37:22:37:37 | new Uri(tainted) |
 #select
 | tst.js:18:5:18:20 | request(tainted) | tst.js:14:29:14:35 | req.url | tst.js:18:13:18:19 | tainted | The $@ of this request depends on $@. | tst.js:18:13:18:19 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
 | tst.js:20:5:20:24 | request.get(tainted) | tst.js:14:29:14:35 | req.url | tst.js:20:17:20:23 | tainted | The $@ of this request depends on $@. | tst.js:20:17:20:23 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
@@ -37,3 +45,5 @@ edges
 | tst.js:28:5:28:43 | request ... ainted) | tst.js:14:29:14:35 | req.url | tst.js:28:13:28:42 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:28:13:28:42 | "http:/ ... tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
 | tst.js:30:5:30:44 | request ... ainted) | tst.js:14:29:14:35 | req.url | tst.js:30:13:30:43 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:30:13:30:43 | "http:/ ... tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
 | tst.js:34:5:34:42 | http.ge ... inted}) | tst.js:14:29:14:35 | req.url | tst.js:34:34:34:40 | tainted | The $@ of this request depends on $@. | tst.js:34:34:34:40 | tainted | host | tst.js:14:29:14:35 | req.url | a user-provided value |
+| tst.js:36:5:36:32 | XhrIo.s ... inted)) | tst.js:14:29:14:35 | req.url | tst.js:36:16:36:31 | new Uri(tainted) | The $@ of this request depends on $@. | tst.js:36:16:36:31 | new Uri(tainted) | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
+| tst.js:37:5:37:38 | new Xhr ... inted)) | tst.js:14:29:14:35 | req.url | tst.js:37:22:37:37 | new Uri(tainted) | The $@ of this request depends on $@. | tst.js:37:22:37:37 | new Uri(tainted) | URL | tst.js:14:29:14:35 | req.url | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-918/tst.js

@@ -7,8 +7,8 @@ import axios from 'axios';
 import got from 'got';
 import nodeFetch from 'node-fetch';
 import url from 'url';
-
-
+let XhrIo = goog.require('goog.net.XhrIo');
+let Uri = goog.require('goog.Uri');
 
 var server = http.createServer(function(req, res) {
     var tainted = url.parse(req.url, true).query.url;
@@ -32,4 +32,7 @@ var server = http.createServer(function(req, res) {
     request("http://example.com/?" + tainted); // OK
 
     http.get(relativeUrl, {host: tainted}); // NOT OK
+
+    XhrIo.send(new Uri(tainted)); // NOT OK
+    new XhrIo().send(new Uri(tainted)); // NOT OK
 })