Merge pull request #2512 from erik-krogh/moarExceptions

Approved by esbena, max-schaefer

javascript/ql/src/semmle/javascript/StandardLibrary.qll

@@ -209,6 +209,22 @@ private class PromiseFlowStep extends DataFlow::AdditionalFlowStep {
   }
 }
 
+/**
+ * A data flow edge from the exceptional return of the promise executor to the promise catch handler.
+ * This only adds an edge from the exceptional return of the promise executor to a `.catch()` handler.
+ */
+private class PromiseExceptionalStep extends DataFlow::AdditionalFlowStep {
+  PromiseDefinition promise;
+  PromiseExceptionalStep() {
+    promise = this	
+  }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    pred = promise.getExecutor().getExceptionalReturn() and
+    succ = promise.getACatchHandler().getParameter(0)
+  }
+}
+
 /**
  * Holds if taint propagates from `pred` to `succ` through promises.
  */

javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll

@@ -10,7 +10,8 @@ module ExceptionXss {
   import DomBasedXssCustomizations::DomBasedXss as DomBasedXssCustom
   import ReflectedXssCustomizations::ReflectedXss as ReflectedXssCustom
   import Xss as Xss
-  
+  private import semmle.javascript.dataflow.InferredTypes
+
   /**
    * Holds if `node` is unlikely to cause an exception containing sensitive information to be thrown.
    */
@@ -24,16 +25,29 @@ module ExceptionXss {
     node = DataFlow::globalVarRef("console").getAMemberCall(_).getAnArgument()
   }
 
+  /**
+   * Holds if `t` is `null` or `undefined`.
+   */
+  private predicate isNullOrUndefined(InferredType t) {
+    t = TTNull() or
+    t = TTUndefined()
+  }
+
   /**
    * Holds if `node` can possibly cause an exception containing sensitive information to be thrown.
    */
   predicate canThrowSensitiveInformation(DataFlow::Node node) {
-    not isUnlikelyToThrowSensitiveInformation(node) and 
+    not isUnlikelyToThrowSensitiveInformation(node) and
     (
       // in the case of reflective calls the below ensures that both InvokeNodes have no known callee.
-      forex(DataFlow::InvokeNode call | node = call.getAnArgument() | not exists(call.getACallee()))
+      forex(DataFlow::InvokeNode call | call.getAnArgument() = node | not exists(call.getACallee()))
       or
       node.asExpr().getEnclosingStmt() instanceof ThrowStmt
+      or
+      exists(DataFlow::PropRef prop |
+        node = DataFlow::valueNode(prop.getPropertyNameExpr()) and
+        forex(InferredType t | t = prop.getBase().analyze().getAType() | isNullOrUndefined(t))
+      )
     )
   }
 
@@ -47,6 +61,55 @@ module ExceptionXss {
     NotYetThrown() { this = "NotYetThrown" }
   }
 
+  /**
+   * A callback that is the last argument to some call, and the callback has the form:
+   * `function (err, value) {if (err) {...} ... }`
+   */
+  class Callback extends DataFlow::FunctionNode {
+    DataFlow::ParameterNode errorParameter;
+
+    Callback() {
+      exists(DataFlow::CallNode call | call.getLastArgument().getAFunctionValue() = this) and
+      this.getNumParameter() = 2 and
+      errorParameter = this.getParameter(0) and
+      exists(IfStmt ifStmt |
+        ifStmt = this.getFunction().getBodyStmt(0) and
+        errorParameter.flowsToExpr(ifStmt.getCondition())
+      )
+    }
+
+    /**
+     * Get the parameter in the callback that contains an error. 
+     * In the current implementation this is always the first parameter.
+     */
+    DataFlow::Node getErrorParam() { result = errorParameter }
+  }
+
+  /**
+   * Gets the error parameter for a callback that is supplied to the same call as `pred` is an argument to. 
+   * For example: `outerCall(foo, <pred>, bar, (<result>, val) => { ... })`. 
+   */
+  DataFlow::Node getCallbackErrorParam(DataFlow::Node pred) {
+    exists(DataFlow::CallNode call, Callback callback |
+      pred = call.getAnArgument() and
+      call.getLastArgument() = callback and
+      result = callback.getErrorParam() and
+      not pred = callback
+    )
+  }
+
+  /**
+   * Gets the data-flow node to which any exceptions thrown by
+   * this expression will propagate.
+   * This predicate adds, on top of `Expr::getExceptionTarget`, exceptions 
+   * propagated by callbacks. 
+   */
+  private DataFlow::Node getExceptionTarget(DataFlow::Node pred) {
+    result = pred.asExpr().getExceptionTarget()
+    or
+    result = getCallbackErrorParam(pred)
+  }
+
   /**
    * A taint-tracking configuration for reasoning about XSS with possible exceptional flow.
    * Flow labels are used to ensure that we only report taint-flow that has been thrown in
@@ -69,12 +132,15 @@ module ExceptionXss {
       DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl,
       DataFlow::FlowLabel outlbl
     ) {
-      inlbl instanceof NotYetThrown and (outlbl.isTaint() or outlbl instanceof NotYetThrown) and
-      succ = pred.asExpr().getExceptionTarget() and
-      canThrowSensitiveInformation(pred)
+      inlbl instanceof NotYetThrown and
+      (outlbl.isTaint() or outlbl instanceof NotYetThrown) and
+      canThrowSensitiveInformation(pred) and
+      succ = getExceptionTarget(pred)
       or
       // All the usual taint-flow steps apply on data-flow before it has been thrown in an exception.
-      this.isAdditionalFlowStep(pred, succ) and inlbl instanceof NotYetThrown and outlbl instanceof NotYetThrown
+      this.isAdditionalFlowStep(pred, succ) and
+      inlbl instanceof NotYetThrown and
+      outlbl instanceof NotYetThrown
     }
   }
 }

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected

@@ -1,64 +1,91 @@
 nodes
-| exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:2:15:2:31 | document.location |
-| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location |
+| exception-xss.js:2:12:2:28 | document.location |
 | exception-xss.js:9:11:9:13 | foo |
-| exception-xss.js:10:10:10:10 | e |
+| exception-xss.js:10:11:10:11 | e |
 | exception-xss.js:11:18:11:18 | e |
 | exception-xss.js:11:18:11:18 | e |
 | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
 | exception-xss.js:15:9:15:11 | foo |
-| exception-xss.js:16:10:16:10 | e |
+| exception-xss.js:16:11:16:11 | e |
 | exception-xss.js:17:18:17:18 | e |
 | exception-xss.js:17:18:17:18 | e |
 | exception-xss.js:21:11:21:13 | foo |
 | exception-xss.js:21:11:21:21 | foo + "bar" |
-| exception-xss.js:22:10:22:10 | e |
+| exception-xss.js:22:11:22:11 | e |
 | exception-xss.js:23:18:23:18 | e |
 | exception-xss.js:23:18:23:18 | e |
 | exception-xss.js:33:11:33:22 | ["bar", foo] |
 | exception-xss.js:33:19:33:21 | foo |
-| exception-xss.js:34:10:34:10 | e |
+| exception-xss.js:34:11:34:11 | e |
 | exception-xss.js:35:18:35:18 | e |
 | exception-xss.js:35:18:35:18 | e |
 | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
 | exception-xss.js:46:8:46:18 | "bar" + foo |
 | exception-xss.js:46:16:46:18 | foo |
-| exception-xss.js:47:10:47:10 | e |
+| exception-xss.js:47:11:47:11 | e |
 | exception-xss.js:48:18:48:18 | e |
 | exception-xss.js:48:18:48:18 | e |
 | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
 | exception-xss.js:81:16:81:18 | foo |
-| exception-xss.js:82:10:82:10 | e |
+| exception-xss.js:82:11:82:11 | e |
 | exception-xss.js:83:18:83:18 | e |
 | exception-xss.js:83:18:83:18 | e |
 | exception-xss.js:89:11:89:13 | foo |
 | exception-xss.js:89:11:89:26 | foo.match(/foo/) |
-| exception-xss.js:90:10:90:10 | e |
+| exception-xss.js:90:11:90:11 | e |
 | exception-xss.js:91:18:91:18 | e |
 | exception-xss.js:91:18:91:18 | e |
 | exception-xss.js:95:11:95:22 | [foo, "bar"] |
 | exception-xss.js:95:12:95:14 | foo |
-| exception-xss.js:96:10:96:10 | e |
+| exception-xss.js:96:11:96:11 | e |
 | exception-xss.js:97:18:97:18 | e |
 | exception-xss.js:97:18:97:18 | e |
 | exception-xss.js:102:12:102:14 | foo |
-| exception-xss.js:106:10:106:10 | e |
+| exception-xss.js:106:11:106:11 | e |
 | exception-xss.js:107:18:107:18 | e |
 | exception-xss.js:107:18:107:18 | e |
-| exception-xss.js:117:13:117:25 | req.params.id |
-| exception-xss.js:117:13:117:25 | req.params.id |
+| exception-xss.js:117:11:117:23 | req.params.id |
+| exception-xss.js:117:11:117:23 | req.params.id |
 | exception-xss.js:118:11:118:11 | e |
-| exception-xss.js:119:14:119:30 | "Exception: " + e |
-| exception-xss.js:119:14:119:30 | "Exception: " + e |
-| exception-xss.js:119:30:119:30 | e |
-| exception-xss.js:125:48:125:64 | document.location |
-| exception-xss.js:125:48:125:64 | document.location |
-| exception-xss.js:125:48:125:71 | documen ... .search |
+| exception-xss.js:119:12:119:28 | "Exception: " + e |
+| exception-xss.js:119:12:119:28 | "Exception: " + e |
+| exception-xss.js:119:28:119:28 | e |
+| exception-xss.js:125:45:125:61 | document.location |
+| exception-xss.js:125:45:125:61 | document.location |
+| exception-xss.js:125:45:125:68 | documen ... .search |
 | exception-xss.js:128:11:128:52 | session ... ssion') |
-| exception-xss.js:129:10:129:10 | e |
+| exception-xss.js:129:11:129:11 | e |
 | exception-xss.js:130:18:130:18 | e |
 | exception-xss.js:130:18:130:18 | e |
+| exception-xss.js:136:10:136:22 | req.params.id |
+| exception-xss.js:136:10:136:22 | req.params.id |
+| exception-xss.js:136:26:136:30 | error |
+| exception-xss.js:138:19:138:23 | error |
+| exception-xss.js:138:19:138:23 | error |
+| exception-xss.js:146:6:146:35 | foo |
+| exception-xss.js:146:12:146:28 | document.location |
+| exception-xss.js:146:12:146:28 | document.location |
+| exception-xss.js:146:12:146:35 | documen ... .search |
+| exception-xss.js:148:33:148:35 | foo |
+| exception-xss.js:148:55:148:55 | e |
+| exception-xss.js:149:18:149:18 | e |
+| exception-xss.js:149:18:149:18 | e |
+| exception-xss.js:153:8:153:10 | foo |
+| exception-xss.js:154:11:154:11 | e |
+| exception-xss.js:155:18:155:18 | e |
+| exception-xss.js:155:18:155:18 | e |
+| exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) |
+| exception-xss.js:174:31:174:33 | foo |
+| exception-xss.js:174:53:174:53 | e |
+| exception-xss.js:175:18:175:18 | e |
+| exception-xss.js:175:18:175:18 | e |
+| exception-xss.js:180:10:180:22 | req.params.id |
+| exception-xss.js:180:10:180:22 | req.params.id |
+| exception-xss.js:180:26:180:30 | error |
+| exception-xss.js:182:19:182:23 | error |
+| exception-xss.js:182:19:182:23 | error |
 | tst.js:304:9:304:16 | location |
 | tst.js:304:9:304:16 | location |
 | tst.js:305:10:305:10 | e |
@@ -70,63 +97,87 @@ nodes
 | tst.js:314:20:314:20 | e |
 | tst.js:314:20:314:20 | e |
 edges
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:9:11:9:13 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:15:9:15:11 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:21:11:21:13 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:33:19:33:21 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:46:16:46:18 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:81:16:81:18 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:89:11:89:13 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:95:12:95:14 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:102:12:102:14 | foo |
-| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:10:10:10 | e |
-| exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
-| exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
-| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:10:16:10 | e |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:9:11:9:13 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:15:9:15:11 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:21:11:21:13 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:33:19:33:21 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:46:16:46:18 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:81:16:81:18 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:89:11:89:13 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:95:12:95:14 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:102:12:102:14 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:11:10:11 | e |
+| exception-xss.js:10:11:10:11 | e | exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:10:11:10:11 | e | exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:11:16:11 | e |
 | exception-xss.js:15:9:15:11 | foo | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
-| exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
-| exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
+| exception-xss.js:16:11:16:11 | e | exception-xss.js:17:18:17:18 | e |
+| exception-xss.js:16:11:16:11 | e | exception-xss.js:17:18:17:18 | e |
 | exception-xss.js:21:11:21:13 | foo | exception-xss.js:21:11:21:21 | foo + "bar" |
-| exception-xss.js:21:11:21:21 | foo + "bar" | exception-xss.js:22:10:22:10 | e |
-| exception-xss.js:22:10:22:10 | e | exception-xss.js:23:18:23:18 | e |
-| exception-xss.js:22:10:22:10 | e | exception-xss.js:23:18:23:18 | e |
-| exception-xss.js:33:11:33:22 | ["bar", foo] | exception-xss.js:34:10:34:10 | e |
+| exception-xss.js:21:11:21:21 | foo + "bar" | exception-xss.js:22:11:22:11 | e |
+| exception-xss.js:22:11:22:11 | e | exception-xss.js:23:18:23:18 | e |
+| exception-xss.js:22:11:22:11 | e | exception-xss.js:23:18:23:18 | e |
+| exception-xss.js:33:11:33:22 | ["bar", foo] | exception-xss.js:34:11:34:11 | e |
 | exception-xss.js:33:19:33:21 | foo | exception-xss.js:33:11:33:22 | ["bar", foo] |
-| exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
-| exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
-| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:10:47:10 | e |
+| exception-xss.js:34:11:34:11 | e | exception-xss.js:35:18:35:18 | e |
+| exception-xss.js:34:11:34:11 | e | exception-xss.js:35:18:35:18 | e |
+| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:11:47:11 | e |
 | exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
 | exception-xss.js:46:16:46:18 | foo | exception-xss.js:46:8:46:18 | "bar" + foo |
-| exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
-| exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
-| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:10:82:10 | e |
+| exception-xss.js:47:11:47:11 | e | exception-xss.js:48:18:48:18 | e |
+| exception-xss.js:47:11:47:11 | e | exception-xss.js:48:18:48:18 | e |
+| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:11:82:11 | e |
 | exception-xss.js:81:16:81:18 | foo | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
-| exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
-| exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
+| exception-xss.js:82:11:82:11 | e | exception-xss.js:83:18:83:18 | e |
+| exception-xss.js:82:11:82:11 | e | exception-xss.js:83:18:83:18 | e |
 | exception-xss.js:89:11:89:13 | foo | exception-xss.js:89:11:89:26 | foo.match(/foo/) |
-| exception-xss.js:89:11:89:26 | foo.match(/foo/) | exception-xss.js:90:10:90:10 | e |
-| exception-xss.js:90:10:90:10 | e | exception-xss.js:91:18:91:18 | e |
-| exception-xss.js:90:10:90:10 | e | exception-xss.js:91:18:91:18 | e |
-| exception-xss.js:95:11:95:22 | [foo, "bar"] | exception-xss.js:96:10:96:10 | e |
+| exception-xss.js:89:11:89:26 | foo.match(/foo/) | exception-xss.js:90:11:90:11 | e |
+| exception-xss.js:90:11:90:11 | e | exception-xss.js:91:18:91:18 | e |
+| exception-xss.js:90:11:90:11 | e | exception-xss.js:91:18:91:18 | e |
+| exception-xss.js:95:11:95:22 | [foo, "bar"] | exception-xss.js:96:11:96:11 | e |
 | exception-xss.js:95:12:95:14 | foo | exception-xss.js:95:11:95:22 | [foo, "bar"] |
-| exception-xss.js:96:10:96:10 | e | exception-xss.js:97:18:97:18 | e |
-| exception-xss.js:96:10:96:10 | e | exception-xss.js:97:18:97:18 | e |
-| exception-xss.js:102:12:102:14 | foo | exception-xss.js:106:10:106:10 | e |
-| exception-xss.js:106:10:106:10 | e | exception-xss.js:107:18:107:18 | e |
-| exception-xss.js:106:10:106:10 | e | exception-xss.js:107:18:107:18 | e |
-| exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:118:11:118:11 | e |
-| exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:118:11:118:11 | e |
-| exception-xss.js:118:11:118:11 | e | exception-xss.js:119:30:119:30 | e |
-| exception-xss.js:119:30:119:30 | e | exception-xss.js:119:14:119:30 | "Exception: " + e |
-| exception-xss.js:119:30:119:30 | e | exception-xss.js:119:14:119:30 | "Exception: " + e |
-| exception-xss.js:125:48:125:64 | document.location | exception-xss.js:125:48:125:71 | documen ... .search |
-| exception-xss.js:125:48:125:64 | document.location | exception-xss.js:125:48:125:71 | documen ... .search |
-| exception-xss.js:125:48:125:71 | documen ... .search | exception-xss.js:128:11:128:52 | session ... ssion') |
-| exception-xss.js:128:11:128:52 | session ... ssion') | exception-xss.js:129:10:129:10 | e |
-| exception-xss.js:129:10:129:10 | e | exception-xss.js:130:18:130:18 | e |
-| exception-xss.js:129:10:129:10 | e | exception-xss.js:130:18:130:18 | e |
+| exception-xss.js:96:11:96:11 | e | exception-xss.js:97:18:97:18 | e |
+| exception-xss.js:96:11:96:11 | e | exception-xss.js:97:18:97:18 | e |
+| exception-xss.js:102:12:102:14 | foo | exception-xss.js:106:11:106:11 | e |
+| exception-xss.js:106:11:106:11 | e | exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:106:11:106:11 | e | exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:117:11:117:23 | req.params.id | exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:117:11:117:23 | req.params.id | exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:118:11:118:11 | e | exception-xss.js:119:28:119:28 | e |
+| exception-xss.js:119:28:119:28 | e | exception-xss.js:119:12:119:28 | "Exception: " + e |
+| exception-xss.js:119:28:119:28 | e | exception-xss.js:119:12:119:28 | "Exception: " + e |
+| exception-xss.js:125:45:125:61 | document.location | exception-xss.js:125:45:125:68 | documen ... .search |
+| exception-xss.js:125:45:125:61 | document.location | exception-xss.js:125:45:125:68 | documen ... .search |
+| exception-xss.js:125:45:125:68 | documen ... .search | exception-xss.js:128:11:128:52 | session ... ssion') |
+| exception-xss.js:128:11:128:52 | session ... ssion') | exception-xss.js:129:11:129:11 | e |
+| exception-xss.js:129:11:129:11 | e | exception-xss.js:130:18:130:18 | e |
+| exception-xss.js:129:11:129:11 | e | exception-xss.js:130:18:130:18 | e |
+| exception-xss.js:136:10:136:22 | req.params.id | exception-xss.js:136:26:136:30 | error |
+| exception-xss.js:136:10:136:22 | req.params.id | exception-xss.js:136:26:136:30 | error |
+| exception-xss.js:136:26:136:30 | error | exception-xss.js:138:19:138:23 | error |
+| exception-xss.js:136:26:136:30 | error | exception-xss.js:138:19:138:23 | error |
+| exception-xss.js:146:6:146:35 | foo | exception-xss.js:148:33:148:35 | foo |
+| exception-xss.js:146:6:146:35 | foo | exception-xss.js:153:8:153:10 | foo |
+| exception-xss.js:146:6:146:35 | foo | exception-xss.js:174:31:174:33 | foo |
+| exception-xss.js:146:12:146:28 | document.location | exception-xss.js:146:12:146:35 | documen ... .search |
+| exception-xss.js:146:12:146:28 | document.location | exception-xss.js:146:12:146:35 | documen ... .search |
+| exception-xss.js:146:12:146:35 | documen ... .search | exception-xss.js:146:6:146:35 | foo |
+| exception-xss.js:148:33:148:35 | foo | exception-xss.js:148:55:148:55 | e |
+| exception-xss.js:148:55:148:55 | e | exception-xss.js:149:18:149:18 | e |
+| exception-xss.js:148:55:148:55 | e | exception-xss.js:149:18:149:18 | e |
+| exception-xss.js:153:8:153:10 | foo | exception-xss.js:154:11:154:11 | e |
+| exception-xss.js:154:11:154:11 | e | exception-xss.js:155:18:155:18 | e |
+| exception-xss.js:154:11:154:11 | e | exception-xss.js:155:18:155:18 | e |
+| exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) | exception-xss.js:174:53:174:53 | e |
+| exception-xss.js:174:31:174:33 | foo | exception-xss.js:174:25:174:43 | exceptional return of inner(foo, resolve) |
+| exception-xss.js:174:53:174:53 | e | exception-xss.js:175:18:175:18 | e |
+| exception-xss.js:174:53:174:53 | e | exception-xss.js:175:18:175:18 | e |
+| exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:180:26:180:30 | error |
+| exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:180:26:180:30 | error |
+| exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error |
+| exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error |
 | tst.js:304:9:304:16 | location | tst.js:305:10:305:10 | e |
 | tst.js:304:9:304:16 | location | tst.js:305:10:305:10 | e |
 | tst.js:305:10:305:10 | e | tst.js:306:20:306:20 | e |
@@ -136,16 +187,21 @@ edges
 | tst.js:313:10:313:10 | e | tst.js:314:20:314:20 | e |
 | tst.js:313:10:313:10 | e | tst.js:314:20:314:20 | e |
 #select
-| exception-xss.js:11:18:11:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:11:18:11:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:17:18:17:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:17:18:17:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:23:18:23:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:23:18:23:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:35:18:35:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:35:18:35:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:48:18:48:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:48:18:48:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:83:18:83:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:83:18:83:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:91:18:91:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:91:18:91:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:97:18:97:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:97:18:97:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:107:18:107:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:107:18:107:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:119:14:119:30 | "Exception: " + e | exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:119:14:119:30 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:117:13:117:25 | req.params.id | user-provided value |
-| exception-xss.js:130:18:130:18 | e | exception-xss.js:125:48:125:64 | document.location | exception-xss.js:130:18:130:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:125:48:125:64 | document.location | user-provided value |
+| exception-xss.js:11:18:11:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:11:18:11:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
+| exception-xss.js:17:18:17:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:17:18:17:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
+| exception-xss.js:23:18:23:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:23:18:23:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
+| exception-xss.js:35:18:35:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:35:18:35:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
+| exception-xss.js:48:18:48:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:48:18:48:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
+| exception-xss.js:83:18:83:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:83:18:83:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
+| exception-xss.js:91:18:91:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:91:18:91:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
+| exception-xss.js:97:18:97:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:97:18:97:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
+| exception-xss.js:107:18:107:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:107:18:107:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
+| exception-xss.js:119:12:119:28 | "Exception: " + e | exception-xss.js:117:11:117:23 | req.params.id | exception-xss.js:119:12:119:28 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:117:11:117:23 | req.params.id | user-provided value |
+| exception-xss.js:130:18:130:18 | e | exception-xss.js:125:45:125:61 | document.location | exception-xss.js:130:18:130:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:125:45:125:61 | document.location | user-provided value |
+| exception-xss.js:138:19:138:23 | error | exception-xss.js:136:10:136:22 | req.params.id | exception-xss.js:138:19:138:23 | error | Cross-site scripting vulnerability due to $@. | exception-xss.js:136:10:136:22 | req.params.id | user-provided value |
+| exception-xss.js:149:18:149:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:149:18:149:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:146:12:146:28 | document.location | user-provided value |
+| exception-xss.js:155:18:155:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:155:18:155:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:146:12:146:28 | document.location | user-provided value |
+| exception-xss.js:175:18:175:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:175:18:175:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:146:12:146:28 | document.location | user-provided value |
+| exception-xss.js:182:19:182:23 | error | exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:182:19:182:23 | error | Cross-site scripting vulnerability due to $@. | exception-xss.js:180:10:180:22 | req.params.id | user-provided value |
 | tst.js:306:20:306:20 | e | tst.js:304:9:304:16 | location | tst.js:306:20:306:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:304:9:304:16 | location | user-provided value |
 | tst.js:314:20:314:20 | e | tst.js:311:10:311:17 | location | tst.js:314:20:314:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:311:10:311:17 | location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

@@ -15,9 +15,9 @@ nodes
 | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:2:15:2:31 | document.location |
-| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location |
+| exception-xss.js:2:12:2:28 | document.location |
 | exception-xss.js:86:17:86:19 | foo |
 | exception-xss.js:86:17:86:19 | foo |
 | jquery.js:2:7:2:40 | tainted |
@@ -368,10 +368,10 @@ edges
 | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
@@ -665,7 +665,7 @@ edges
 | addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value |
 | addEventListener.js:6:20:6:23 | data | addEventListener.js:5:43:5:48 | {data} | addEventListener.js:6:20:6:23 | data | Cross-site scripting vulnerability due to $@. | addEventListener.js:5:43:5:48 | {data} | user-provided value |
 | addEventListener.js:12:24:12:33 | event.data | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:33 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:10:21:10:25 | event | user-provided value |
-| exception-xss.js:86:17:86:19 | foo | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:86:17:86:19 | foo | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:86:17:86:19 | foo | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:86:17:86:19 | foo | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:12:2:28 | document.location | user-provided value |
 | jquery.js:4:5:4:11 | tainted | jquery.js:2:17:2:33 | document.location | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected

@@ -15,9 +15,9 @@ nodes
 | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:2:15:2:31 | document.location |
-| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location |
+| exception-xss.js:2:12:2:28 | document.location |
 | exception-xss.js:86:17:86:19 | foo |
 | exception-xss.js:86:17:86:19 | foo |
 | jquery.js:2:7:2:40 | tainted |
@@ -372,10 +372,10 @@ edges
 | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
-| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:6:2:28 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
+| exception-xss.js:2:12:2:28 | document.location | exception-xss.js:2:6:2:28 | foo |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |

javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js

@@ -1,99 +1,99 @@
-(function() {
-    var foo = document.location;
-    
-    function inner(x) {
-    	unknown(x);
+(function () {
+	var foo = document.location;
+
+	function inner(x) {
+		unknown(x);
 	}
 
 	try {
 		unknown(foo);
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // NOT OK!
 	}
-	
+
 	try {
 		inner(foo);
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // NOT OK!
 	}
-	
+
 	try {
 		unknown(foo + "bar");
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // NOT OK!
 	}
-	
+
 	try {
-		unknown({prop: foo});
-	} catch(e) {
-		$('myId').html(e); // We don't flag this for now.
+		unknown({ prop: foo });
+	} catch (e) {
+		$('myId').html(e); // NOT OK!
 	}
-	
+
 	try {
 		unknown(["bar", foo]);
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // NOT OK!
 	}
-	
+
 	function deep(x) {
 		deep2(x);
 	}
 	function deep2(x) {
 		inner(x);
 	}
-	
+
 	try {
 		deep("bar" + foo);
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // NOT OK!
 	}
-	
+
 	try {
 		var tmp = "bar" + foo;
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // OK 
 	}
-	
+
 	function safe(x) {
 		var foo = x + "bar";
 	}
-	
+
 	try {
 		safe(foo);
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // OK 
 	}
-	
+
 	try {
 		safe.call(null, foo);
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // OK 
 	}
 	var myWeirdInner;
 	try {
 		myWeirdInner = function (x) {
 			inner(x);
-		}		
-	} catch(e) {
+		}
+	} catch (e) {
 		$('myId').html(e); // OK 
 	}
 	try {
 		myWeirdInner(foo);
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // NOT OK! 
 	}
-	
+
 	$('myId').html(foo); // Direct leak, reported by other query.
-	
+
 	try {
 		unknown(foo.match(/foo/));
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // NOT OK! 
 	}
-	
+
 	try {
 		unknown([foo, "bar"]);
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // NOT OK! 
 	}
 
@@ -103,7 +103,7 @@
 		} finally {
 			// nothing
 		}
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // NOT OK! 
 	}
 });
@@ -112,21 +112,75 @@ var express = require('express');
 
 var app = express();
 
-app.get('/user/:id', function(req, res) {
-  try {
-    unknown(req.params.id);
-  } catch(e) {
-    res.send("Exception: " + e); // NOT OK!
-  }
+app.get('/user/:id', function (req, res) {
+	try {
+		unknown(req.params.id);
+	} catch (e) {
+		res.send("Exception: " + e); // NOT OK!
+	}
 });
 
 
 (function () {
-    sessionStorage.setItem('exceptionSession', document.location.search);
+	sessionStorage.setItem('exceptionSession', document.location.search);
 
 	try {
 		unknown(sessionStorage.getItem('exceptionSession'));
-	} catch(e) {
+	} catch (e) {
 		$('myId').html(e); // NOT OK
 	}
 })();
+
+
+app.get('/user/:id', function (req, res) {
+	unknown(req.params.id, (error, res) => {
+		if (error) {
+			$('myId').html(error); // NOT OK
+			return;
+		}
+		$('myId').html(res); // OK (for now?)
+	});
+});
+
+(function () {
+	var foo = document.location.search;
+
+	new Promise(resolve => unknown(foo, resolve)).catch((e) => {
+		$('myId').html(e); // NOT OK
+	});
+
+	try {
+		null[foo];
+	} catch (e) {
+		$('myId').html(e); // NOT OK
+	}
+
+	try {
+		unknown()[foo];
+	} catch (e) {
+		$('myId').html(e); // OK. We are not sure that `unknown()` is null-ish. 
+	}
+
+	try {
+		"foo"[foo]
+	} catch (e) {
+		$('myId').html(e); // OK
+	}
+
+	function inner(tainted, resolve) {
+		unknown(tainted, resolve);
+	}
+
+	new Promise(resolve => inner(foo, resolve)).catch((e) => {
+		$('myId').html(e); // NOT OK
+	});
+})();
+
+app.get('/user/:id', function (req, res) {
+	unknown(req.params.id, (error, res) => {
+		if (error) {
+			$('myId').html(error); // OK (falls through to the next statement) 
+		}
+		$('myId').html(res); // NOT OK!
+	});
+});