Merge pull request #2330 from erik-krogh/exceptionXss

JS: Added query for detecting XSS that happens through an exception

javascript/ql/src/Security/CWE-079/ExceptionXss.qhelp

@@ -0,0 +1,54 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly writing exceptions to a webpage without sanitization allows for a cross-site scripting
+vulnerability if the value of the exception can be influenced by a user.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To guard against cross-site scripting, consider using contextual output encoding/escaping before
+writing user input to the page, or one of the other solutions that are mentioned in the
+references.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows an exception being written directly to the document, 
+and this exception can potentially be influenced by the page URL, 
+leaving the website vulnerable to cross-site scripting.
+</p>
+<sample src="examples/ExceptionXss.js" />
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html">DOM based
+XSS Prevention Cheat Sheet</a>.
+</li>
+<li>
+OWASP:
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
+(Cross Site Scripting) Prevention Cheat Sheet</a>.
+</li>
+<li>
+OWASP
+<a href="https://www.owasp.org/index.php/DOM_Based_XSS">DOM Based XSS</a>.
+</li>
+<li>
+OWASP
+<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
+Scripting</a>.
+</li>
+<li>
+Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+</li>
+</references>
+</qhelp>

javascript/ql/src/Security/CWE-079/ExceptionXss.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Cross-site scripting through exception
+ * @description Inserting data from an exception containing user
+ *              input into the DOM may enable cross-site scripting.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision medium
+ * @id js/xss-through-exception
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.ExceptionXss::ExceptionXss
+import DataFlow::PathGraph
+
+from
+  Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  sink.getNode().(Xss::Shared::Sink).getVulnerabilityKind() + " vulnerability due to $@.", source.getNode(),
+  "user-provided value"

javascript/ql/src/Security/CWE-079/examples/ExceptionXss.js

@@ -0,0 +1,10 @@
+function setLanguageOptions() {
+    var href = document.location.href,
+        deflt = href.substring(href.indexOf("default=")+8);
+    
+    try {
+        var parsed = unknownParseFunction(deflt); 
+    } catch(e) {
+        document.write("Had an error: " + e + ".");
+    }
+}

javascript/ql/src/semmle/javascript/Expr.qll

@@ -245,6 +245,21 @@ class Expr extends @expr, ExprOrStmt, ExprOrType, AST::ValueNode {
       ctx.(ConditionalExpr).inNullSensitiveContext()
     )
   }
+
+  /**
+   * Gets the data-flow node where exceptions thrown by this expression will
+   * propagate if this expression causes an exception to be thrown.
+   */
+  DataFlow::Node getExceptionTarget() {
+    if exists(this.getEnclosingStmt().getEnclosingTryCatchStmt())
+    then
+      result = DataFlow::parameterNode(this
+              .getEnclosingStmt()
+              .getEnclosingTryCatchStmt()
+              .getACatchClause()
+              .getAParameter())
+    else result = any(DataFlow::FunctionNode f | f.getFunction() = this.getContainer()).getExceptionalReturn()
+  }
 }
 
 /**

javascript/ql/src/semmle/javascript/Stmt.qll

@@ -55,6 +55,18 @@ class Stmt extends @stmt, ExprOrStmt, Documentable {
   }
 
   override predicate isAmbient() { hasDeclareKeyword(this) or getParent().isAmbient() }
+  
+  /**
+  * Gets the `try` statement with a catch block containing this statement without
+  * crossing function boundaries or other `try ` statements with catch blocks.
+  */
+  TryStmt getEnclosingTryCatchStmt() {
+    getParentStmt+() = result.getBody() and
+    exists(result.getACatchClause()) and
+    not exists(TryStmt mid | exists(mid.getACatchClause()) | 
+      getParentStmt+() = mid.getBody() and mid.getParentStmt+() = result.getBody()
+    )
+  }
 }
 
 /**

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -1125,6 +1125,9 @@ class MidPathNode extends PathNode, MkMidNode {
     // Skip to the top of big left-leaning string concatenation trees.
     nd = any(AddExpr add).flow() and
     nd = any(AddExpr add).getAnOperand().flow()
+    or
+    // Skip the exceptional return on functions, as this highlights the entire function.
+    nd = any(DataFlow::FunctionNode f).getExceptionalReturn()
   }
 }
 

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -558,6 +558,23 @@ module TaintTracking {
       succ = this
     }
   }
+  
+
+  /**
+   * A taint propagating data flow edge arising from calling `String.prototype.match()`.
+   */
+  private class StringMatchTaintStep extends AdditionalTaintStep, DataFlow::MethodCallNode {
+    StringMatchTaintStep() {
+      this.getMethodName() = "match" and
+      this.getNumArgument() = 1 and
+      this.getArgument(0) .analyze().getAType() = TTRegExp()
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = this.getReceiver() and
+      succ = this
+    }
+  }
 
   /**
    * A taint propagating data flow edge arising from JSON unparsing.

javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll

@@ -66,19 +66,7 @@ predicate localExceptionStep(DataFlow::Node pred, DataFlow::Node succ) {
     or
     DataFlow::exceptionalInvocationReturnNode(pred, expr)
   |
-    // Propagate out of enclosing function.
-    not exists(getEnclosingTryStmt(expr.getEnclosingStmt())) and
-    exists(Function f |
-      f = expr.getEnclosingFunction() and
-      DataFlow::exceptionalFunctionReturnNode(succ, f)
-    )
-    or
-    // Propagate to enclosing try/catch.
-    // To avoid false flow, we only propagate to an unguarded catch clause.
-    exists(TryStmt try |
-      try = getEnclosingTryStmt(expr.getEnclosingStmt()) and
-      DataFlow::parameterNode(succ, try.getCatchClause().getAParameter())
-    )
+    succ = expr.getExceptionTarget()
   )
 }
 
@@ -156,19 +144,6 @@ private module CachedSteps {
   cached
   predicate callStep(DataFlow::Node pred, DataFlow::Node succ) { argumentPassing(_, pred, _, succ) }
 
-  /**
-   * Gets the `try` statement containing `stmt` without crossing function boundaries
-   * or other `try ` statements.
-   */
-  cached
-  TryStmt getEnclosingTryStmt(Stmt stmt) {
-    result.getBody() = stmt
-    or
-    not stmt instanceof Function and
-    not stmt = any(TryStmt try).getBody() and
-    result = getEnclosingTryStmt(stmt.getParentStmt())
-  }
-
   /**
    * Holds if there is a flow step from `pred` to `succ` through:
    * - returning a value from a function call, or

javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXss.qll

@@ -6,7 +6,7 @@
 import javascript
 
 module DomBasedXss {
-  import Xss::DomBasedXss
+  import DomBasedXssCustomizations::DomBasedXss
 
   /**
    * A taint-tracking configuration for reasoning about XSS.
@@ -33,16 +33,4 @@ module DomBasedXss {
       node instanceof Sanitizer
     }
   }
-
-  /** A source of remote user input, considered as a flow source for DOM-based XSS. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /**
-   * An access of the URL of this page, or of the referrer to this page.
-   */
-  class LocationSource extends Source {
-    LocationSource() { this = DOM::locationSource() }
-  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll

@@ -0,0 +1,23 @@
+/**
+ * Provides default sources for reasoning about DOM-based
+ * cross-site scripting vulnerabilities. 
+ */
+
+
+import javascript
+
+module DomBasedXss {
+  import Xss::DomBasedXss
+
+  /** A source of remote user input, considered as a flow source for DOM-based XSS. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * An access of the URL of this page, or of the referrer to this page.
+   */
+  class LocationSource extends Source {
+    LocationSource() { this = DOM::locationSource() }
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll

@@ -0,0 +1,80 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about cross-site
+ * scripting vulnerabilities where the taint-flow passes through a thrown
+ * exception.
+ */
+
+import javascript
+
+module ExceptionXss {
+  import DomBasedXssCustomizations::DomBasedXss as DomBasedXssCustom
+  import ReflectedXssCustomizations::ReflectedXss as ReflectedXssCustom
+  import Xss as Xss
+  
+  /**
+   * Holds if `node` is unlikely to cause an exception containing sensitive information to be thrown.
+   */
+  private predicate isUnlikelyToThrowSensitiveInformation(DataFlow::Node node) {
+    node = any(DataFlow::CallNode call | call.getCalleeName() = "getElementById").getAnArgument()
+    or
+    node = any(DataFlow::CallNode call | call.getCalleeName() = "indexOf").getAnArgument()
+    or
+    node = any(DataFlow::CallNode call | call.getCalleeName() = "stringify").getAnArgument()
+    or
+    node = DataFlow::globalVarRef("console").getAMemberCall(_).getAnArgument()
+  }
+
+  /**
+   * Holds if `node` can possibly cause an exception containing sensitive information to be thrown.
+   */
+  predicate canThrowSensitiveInformation(DataFlow::Node node) {
+    not isUnlikelyToThrowSensitiveInformation(node) and 
+    (
+      // in the case of reflective calls the below ensures that both InvokeNodes have no known callee.
+      forex(DataFlow::InvokeNode call | node = call.getAnArgument() | not exists(call.getACallee()))
+      or
+      node.asExpr().getEnclosingStmt() instanceof ThrowStmt
+    )
+  }
+
+  /**
+   * A FlowLabel representing tainted data that has not been thrown in an exception.
+   * In the js/xss-through-exception query data-flow can only reach a sink after
+   * the data has been thrown as an exception, and data that has not been thrown
+   * as an exception therefore has this flow label, and only this flow label, associated with it.
+   */
+  class NotYetThrown extends DataFlow::FlowLabel {
+    NotYetThrown() { this = "NotYetThrown" }
+  }
+
+  /**
+   * A taint-tracking configuration for reasoning about XSS with possible exceptional flow.
+   * Flow labels are used to ensure that we only report taint-flow that has been thrown in
+   * an exception.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "ExceptionXss" }
+
+    override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+      source instanceof Xss::Shared::Source and label instanceof NotYetThrown
+    }
+
+    override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+      sink instanceof Xss::Shared::Sink and not label instanceof NotYetThrown
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Xss::Shared::Sanitizer }
+
+    override predicate isAdditionalFlowStep(
+      DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl,
+      DataFlow::FlowLabel outlbl
+    ) {
+      inlbl instanceof NotYetThrown and (outlbl.isTaint() or outlbl instanceof NotYetThrown) and
+      succ = pred.asExpr().getExceptionTarget() and
+      canThrowSensitiveInformation(pred)
+      or
+      // All the usual taint-flow steps apply on data-flow before it has been thrown in an exception.
+      this.isAdditionalFlowStep(pred, succ) and inlbl instanceof NotYetThrown and outlbl instanceof NotYetThrown
+    }
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll

@@ -6,7 +6,7 @@
 import javascript
 
 module ReflectedXss {
-  import Xss::ReflectedXss
+  import ReflectedXssCustomizations::ReflectedXss
 
   /**
    * A taint-tracking configuration for reasoning about XSS.
@@ -23,13 +23,4 @@ module ReflectedXss {
       node instanceof Sanitizer
     }
   }
-
-  /** A third-party controllable request input, considered as a flow source for reflected XSS. */
-  class ThirdPartyRequestInputAccessAsSource extends Source {
-    ThirdPartyRequestInputAccessAsSource() {
-      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
-      or
-      this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"
-    }
-  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll

@@ -0,0 +1,19 @@
+/**
+ * Provides default sources for reasoning about reflected
+ * cross-site scripting vulnerabilities.
+ */
+
+import javascript
+
+module ReflectedXss {
+  import Xss::ReflectedXss
+
+  /** A third-party controllable request input, considered as a flow source for reflected XSS. */
+  class ThirdPartyRequestInputAccessAsSource extends Source {
+    ThirdPartyRequestInputAccessAsSource() {
+      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
+      or
+      this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"
+    }
+  }
+}

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected

@@ -0,0 +1,151 @@
+nodes
+| exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:9:11:9:13 | foo |
+| exception-xss.js:10:10:10:10 | e |
+| exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
+| exception-xss.js:15:9:15:11 | foo |
+| exception-xss.js:16:10:16:10 | e |
+| exception-xss.js:17:18:17:18 | e |
+| exception-xss.js:17:18:17:18 | e |
+| exception-xss.js:21:11:21:13 | foo |
+| exception-xss.js:21:11:21:21 | foo + "bar" |
+| exception-xss.js:22:10:22:10 | e |
+| exception-xss.js:23:18:23:18 | e |
+| exception-xss.js:23:18:23:18 | e |
+| exception-xss.js:33:11:33:22 | ["bar", foo] |
+| exception-xss.js:33:19:33:21 | foo |
+| exception-xss.js:34:10:34:10 | e |
+| exception-xss.js:35:18:35:18 | e |
+| exception-xss.js:35:18:35:18 | e |
+| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
+| exception-xss.js:46:8:46:18 | "bar" + foo |
+| exception-xss.js:46:16:46:18 | foo |
+| exception-xss.js:47:10:47:10 | e |
+| exception-xss.js:48:18:48:18 | e |
+| exception-xss.js:48:18:48:18 | e |
+| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
+| exception-xss.js:81:16:81:18 | foo |
+| exception-xss.js:82:10:82:10 | e |
+| exception-xss.js:83:18:83:18 | e |
+| exception-xss.js:83:18:83:18 | e |
+| exception-xss.js:89:11:89:13 | foo |
+| exception-xss.js:89:11:89:26 | foo.match(/foo/) |
+| exception-xss.js:90:10:90:10 | e |
+| exception-xss.js:91:18:91:18 | e |
+| exception-xss.js:91:18:91:18 | e |
+| exception-xss.js:95:11:95:22 | [foo, "bar"] |
+| exception-xss.js:95:12:95:14 | foo |
+| exception-xss.js:96:10:96:10 | e |
+| exception-xss.js:97:18:97:18 | e |
+| exception-xss.js:97:18:97:18 | e |
+| exception-xss.js:102:12:102:14 | foo |
+| exception-xss.js:106:10:106:10 | e |
+| exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:117:13:117:25 | req.params.id |
+| exception-xss.js:117:13:117:25 | req.params.id |
+| exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:30:119:30 | e |
+| exception-xss.js:125:48:125:64 | document.location |
+| exception-xss.js:125:48:125:64 | document.location |
+| exception-xss.js:125:48:125:71 | documen ... .search |
+| exception-xss.js:128:11:128:52 | session ... ssion') |
+| exception-xss.js:129:10:129:10 | e |
+| exception-xss.js:130:18:130:18 | e |
+| exception-xss.js:130:18:130:18 | e |
+| tst.js:298:9:298:16 | location |
+| tst.js:298:9:298:16 | location |
+| tst.js:299:10:299:10 | e |
+| tst.js:300:20:300:20 | e |
+| tst.js:300:20:300:20 | e |
+| tst.js:305:10:305:17 | location |
+| tst.js:305:10:305:17 | location |
+| tst.js:307:10:307:10 | e |
+| tst.js:308:20:308:20 | e |
+| tst.js:308:20:308:20 | e |
+edges
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:9:11:9:13 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:15:9:15:11 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:21:11:21:13 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:33:19:33:21 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:46:16:46:18 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:81:16:81:18 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:89:11:89:13 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:95:12:95:14 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:102:12:102:14 | foo |
+| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:10:10:10 | e |
+| exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:10:16:10 | e |
+| exception-xss.js:15:9:15:11 | foo | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
+| exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
+| exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
+| exception-xss.js:21:11:21:13 | foo | exception-xss.js:21:11:21:21 | foo + "bar" |
+| exception-xss.js:21:11:21:21 | foo + "bar" | exception-xss.js:22:10:22:10 | e |
+| exception-xss.js:22:10:22:10 | e | exception-xss.js:23:18:23:18 | e |
+| exception-xss.js:22:10:22:10 | e | exception-xss.js:23:18:23:18 | e |
+| exception-xss.js:33:11:33:22 | ["bar", foo] | exception-xss.js:34:10:34:10 | e |
+| exception-xss.js:33:19:33:21 | foo | exception-xss.js:33:11:33:22 | ["bar", foo] |
+| exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
+| exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
+| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:10:47:10 | e |
+| exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
+| exception-xss.js:46:16:46:18 | foo | exception-xss.js:46:8:46:18 | "bar" + foo |
+| exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
+| exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
+| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:10:82:10 | e |
+| exception-xss.js:81:16:81:18 | foo | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
+| exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
+| exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
+| exception-xss.js:89:11:89:13 | foo | exception-xss.js:89:11:89:26 | foo.match(/foo/) |
+| exception-xss.js:89:11:89:26 | foo.match(/foo/) | exception-xss.js:90:10:90:10 | e |
+| exception-xss.js:90:10:90:10 | e | exception-xss.js:91:18:91:18 | e |
+| exception-xss.js:90:10:90:10 | e | exception-xss.js:91:18:91:18 | e |
+| exception-xss.js:95:11:95:22 | [foo, "bar"] | exception-xss.js:96:10:96:10 | e |
+| exception-xss.js:95:12:95:14 | foo | exception-xss.js:95:11:95:22 | [foo, "bar"] |
+| exception-xss.js:96:10:96:10 | e | exception-xss.js:97:18:97:18 | e |
+| exception-xss.js:96:10:96:10 | e | exception-xss.js:97:18:97:18 | e |
+| exception-xss.js:102:12:102:14 | foo | exception-xss.js:106:10:106:10 | e |
+| exception-xss.js:106:10:106:10 | e | exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:106:10:106:10 | e | exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:118:11:118:11 | e | exception-xss.js:119:30:119:30 | e |
+| exception-xss.js:119:30:119:30 | e | exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:30:119:30 | e | exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:125:48:125:64 | document.location | exception-xss.js:125:48:125:71 | documen ... .search |
+| exception-xss.js:125:48:125:64 | document.location | exception-xss.js:125:48:125:71 | documen ... .search |
+| exception-xss.js:125:48:125:71 | documen ... .search | exception-xss.js:128:11:128:52 | session ... ssion') |
+| exception-xss.js:128:11:128:52 | session ... ssion') | exception-xss.js:129:10:129:10 | e |
+| exception-xss.js:129:10:129:10 | e | exception-xss.js:130:18:130:18 | e |
+| exception-xss.js:129:10:129:10 | e | exception-xss.js:130:18:130:18 | e |
+| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
+| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
+| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
+| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
+| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
+| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
+| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+#select
+| exception-xss.js:11:18:11:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:11:18:11:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:17:18:17:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:17:18:17:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:23:18:23:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:23:18:23:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:35:18:35:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:35:18:35:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:48:18:48:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:48:18:48:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:83:18:83:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:83:18:83:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:91:18:91:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:91:18:91:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:97:18:97:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:97:18:97:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:107:18:107:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:107:18:107:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:119:14:119:30 | "Exception: " + e | exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:119:14:119:30 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:117:13:117:25 | req.params.id | user-provided value |
+| exception-xss.js:130:18:130:18 | e | exception-xss.js:125:48:125:64 | document.location | exception-xss.js:130:18:130:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:125:48:125:64 | document.location | user-provided value |
+| tst.js:300:20:300:20 | e | tst.js:298:9:298:16 | location | tst.js:300:20:300:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:298:9:298:16 | location | user-provided value |
+| tst.js:308:20:308:20 | e | tst.js:305:10:305:17 | location | tst.js:308:20:308:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:305:10:305:17 | location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.qlref

@@ -0,0 +1 @@
+Security/CWE-079/ExceptionXss.ql

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

@@ -15,6 +15,11 @@ nodes
 | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:33 | event.data |
+| exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:2:15:2:31 | document.location |
+| exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:86:17:86:19 | foo |
 | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:33 | document.location |
 | jquery.js:2:17:2:33 | document.location |
@@ -313,9 +318,19 @@ nodes
 | tst.js:282:19:282:29 | window.name |
 | tst.js:285:59:285:65 | tainted |
 | tst.js:285:59:285:65 | tainted |
-| tst.js:297:35:297:42 | location |
-| tst.js:297:35:297:42 | location |
-| tst.js:297:35:297:42 | location |
+| tst.js:298:9:298:16 | location |
+| tst.js:298:9:298:16 | location |
+| tst.js:299:10:299:10 | e |
+| tst.js:300:20:300:20 | e |
+| tst.js:300:20:300:20 | e |
+| tst.js:305:10:305:17 | location |
+| tst.js:305:10:305:17 | location |
+| tst.js:307:10:307:10 | e |
+| tst.js:308:20:308:20 | e |
+| tst.js:308:20:308:20 | e |
+| tst.js:313:35:313:42 | location |
+| tst.js:313:35:313:42 | location |
+| tst.js:313:35:313:42 | location |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location |
@@ -343,6 +358,10 @@ edges
 | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:28 | event |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
 | addEventListener.js:12:24:12:28 | event | addEventListener.js:12:24:12:33 | event.data |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:86:17:86:19 | foo |
+| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
+| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
@@ -602,7 +621,15 @@ edges
 | tst.js:282:9:282:29 | tainted | tst.js:285:59:285:65 | tainted |
 | tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
 | tst.js:282:19:282:29 | window.name | tst.js:282:9:282:29 | tainted |
-| tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location |
+| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
+| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
+| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
+| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
+| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
+| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
+| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+| tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
@@ -619,6 +646,7 @@ edges
 | addEventListener.js:2:20:2:29 | event.data | addEventListener.js:1:43:1:47 | event | addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value |
 | addEventListener.js:6:20:6:23 | data | addEventListener.js:5:43:5:48 | {data} | addEventListener.js:6:20:6:23 | data | Cross-site scripting vulnerability due to $@. | addEventListener.js:5:43:5:48 | {data} | user-provided value |
 | addEventListener.js:12:24:12:33 | event.data | addEventListener.js:10:21:10:25 | event | addEventListener.js:12:24:12:33 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:10:21:10:25 | event | user-provided value |
+| exception-xss.js:86:17:86:19 | foo | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:86:17:86:19 | foo | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | jquery.js:4:5:4:11 | tainted | jquery.js:2:17:2:33 | document.location | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:33 | document.location | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:33 | document.location | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
@@ -690,7 +718,9 @@ edges
 | tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | tst.js:261:11:261:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:261:11:261:21 | window.name | user-provided value |
 | tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location | tst.js:277:22:277:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:277:22:277:29 | location | user-provided value |
 | tst.js:285:59:285:65 | tainted | tst.js:282:19:282:29 | window.name | tst.js:285:59:285:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:282:19:282:29 | window.name | user-provided value |
-| tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location | tst.js:297:35:297:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:297:35:297:42 | location | user-provided value |
+| tst.js:300:20:300:20 | e | tst.js:298:9:298:16 | location | tst.js:300:20:300:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:298:9:298:16 | location | user-provided value |
+| tst.js:308:20:308:20 | e | tst.js:305:10:305:17 | location | tst.js:308:20:308:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:305:10:305:17 | location | user-provided value |
+| tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:313:35:313:42 | location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
 | winjs.js:4:43:4:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:4:43:4:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js

@@ -0,0 +1,132 @@
+(function() {
+    var foo = document.location;
+    
+    function inner(x) {
+    	unknown(x);
+	}
+
+	try {
+		unknown(foo);
+	} catch(e) {
+		$('myId').html(e); // NOT OK!
+	}
+	
+	try {
+		inner(foo);
+	} catch(e) {
+		$('myId').html(e); // NOT OK!
+	}
+	
+	try {
+		unknown(foo + "bar");
+	} catch(e) {
+		$('myId').html(e); // NOT OK!
+	}
+	
+	try {
+		unknown({prop: foo});
+	} catch(e) {
+		$('myId').html(e); // We don't flag this for now.
+	}
+	
+	try {
+		unknown(["bar", foo]);
+	} catch(e) {
+		$('myId').html(e); // NOT OK!
+	}
+	
+	function deep(x) {
+		deep2(x);
+	}
+	function deep2(x) {
+		inner(x);
+	}
+	
+	try {
+		deep("bar" + foo);
+	} catch(e) {
+		$('myId').html(e); // NOT OK!
+	}
+	
+	try {
+		var tmp = "bar" + foo;
+	} catch(e) {
+		$('myId').html(e); // OK 
+	}
+	
+	function safe(x) {
+		var foo = x + "bar";
+	}
+	
+	try {
+		safe(foo);
+	} catch(e) {
+		$('myId').html(e); // OK 
+	}
+	
+	try {
+		safe.call(null, foo);
+	} catch(e) {
+		$('myId').html(e); // OK 
+	}
+	var myWeirdInner;
+	try {
+		myWeirdInner = function (x) {
+			inner(x);
+		}		
+	} catch(e) {
+		$('myId').html(e); // OK 
+	}
+	try {
+		myWeirdInner(foo);
+	} catch(e) {
+		$('myId').html(e); // NOT OK! 
+	}
+	
+	$('myId').html(foo); // Direct leak, reported by other query.
+	
+	try {
+		unknown(foo.match(/foo/));
+	} catch(e) {
+		$('myId').html(e); // NOT OK! 
+	}
+	
+	try {
+		unknown([foo, "bar"]);
+	} catch(e) {
+		$('myId').html(e); // NOT OK! 
+	}
+
+	try {
+		try {
+			unknown(foo);
+		} finally {
+			// nothing
+		}
+	} catch(e) {
+		$('myId').html(e); // NOT OK! 
+	}
+});
+
+var express = require('express');
+
+var app = express();
+
+app.get('/user/:id', function(req, res) {
+  try {
+    unknown(req.params.id);
+  } catch(e) {
+    res.send("Exception: " + e); // NOT OK!
+  }
+});
+
+
+(function () {
+    sessionStorage.setItem('exceptionSession', document.location.search);
+
+	try {
+		unknown(sessionStorage.getItem('exceptionSession'));
+	} catch(e) {
+		$('myId').html(e); // NOT OK
+	}
+})();

javascript/ql/test/query-tests/Security/CWE-079/tst.js

@@ -293,6 +293,22 @@ function flowThroughPropertyNames() {
       $(p); // OK
 }
 
+function basicExceptions() {
+	try {
+		throw location;
+	} catch(e) {
+		$("body").append(e); // NOT OK
+	}
+
+	try {
+		try {
+			throw location
+		} finally {}
+	} catch(e) {
+		$("body").append(e); // NOT OK
+	}
+}
+
 function handlebarsSafeString() {
 	return new Handlebars.SafeString(location); // NOT OK!	
 }