Merge branch 'main' into henrymercer/polish-diagnostics

Arthur Baars
2023-03-14 23:42:33 +01:00
committed by GitHub
824 changed files with 32300 additions and 2361 deletions


@@ -0,0 +1,8 @@
---
category: minorAnalysis
---
* Deleted the deprecated `getPath` and `getFolder` predicates from the `XmlFile` class.
* Deleted the deprecated `getId` from the `Function`, `NamespaceDefinition`, and `ImportEqualsDeclaration` classes.
* Deleted the deprecated `flowsTo` predicate from the `HTTP::Servers::RequestSource` and `HTTP::Servers::ResponseSource` class.
* Deleted the deprecated `getEventName` predicate from the `SocketIO::ReceiveNode`, `SocketIO::SendNode`, `SocketIOClient::SendNode` classes.
* Deleted the deprecated `RateLimitedRouteHandlerExpr` and `RouteHandlerExpressionWithRateLimiter` classes.


@@ -0,0 +1,5 @@
---
category: minorAnalysis
---
* [Import assertions](https://github.com/tc39/proposal-import-assertions) are now supported.
Previously this feature was only supported in TypeScript code, but is now supported for plain JavaScript as well and is also accessible in the AST.


@@ -90,6 +90,16 @@ class ImportDeclaration extends Stmt, Import, @import_declaration {
override PathExpr getImportedPath() { result = getChildExpr(-1) }
/**
* Gets the object literal passed as part of the `assert` clause in this import declaration.
*
* For example, this gets the `{ type: "json" }` object literal in the following:
* ```js
* import foo from "foo" assert { type: "json" };
* ```
*/
ObjectExpr getImportAssertion() { result = this.getChildExpr(-10) }
/** Gets the `i`th import specifier of this import declaration. */
ImportSpecifier getSpecifier(int i) { result = getChildExpr(i) }
@@ -310,6 +320,19 @@ abstract class ExportDeclaration extends Stmt, @export_declaration {
predicate isTypeOnly() { has_type_keyword(this) }
override string getAPrimaryQlClass() { result = "ExportDeclaration" }
/**
* Gets the object literal passed as part of the `assert` clause, if this is
* a re-export declaration.
*
* For example, this gets the `{ type: "json" }` expression in each of the following:
* ```js
* export { x } from 'foo' assert { type: "json" };
* export * from 'foo' assert { type: "json" };
* export * as x from 'foo' assert { type: "json" };
* ```
*/
ObjectExpr getImportAssertion() { result = this.getChildExpr(-10) }
}
/**
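Review bot: The child index `-10` in `getImportAssertion()` is an unexplained magic number, and it appears twice: once in `ImportDeclaration` and once in `ExportDeclaration`. The neighbouring accessors use `getChildExpr(-1)` and `getChildExpr(i)`, so a reader cannot tell that `-10` is presumably the slot the extractor reserves for the assertion clause. A one-line comment on both predicates, such as `// The extractor stores the import assertion at child index -10`, would make that coupling visible. The doc comments could also state that the predicate has no result when the declaration has no `assert` clause. Both class bodies continue outside the hunks shown.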


@@ -2807,6 +2807,7 @@ class FunctionBindExpr extends @bind_expr, Expr {
*
* ```
* import("fs")
* import("foo", { assert: { type: "json" }})
* ```
*/
class DynamicImportExpr extends @dynamic_import, Expr, Import {
@@ -2819,6 +2820,16 @@ class DynamicImportExpr extends @dynamic_import, Expr, Import {
override PathExpr getImportedPath() { result = this.getSource() }
/**
* Gets the second "argument" to the import expression, that is, the `Y` in `import(X, Y)`.
*
* For example, gets the `{ assert: { type: "json" }}` expression in the following:
* ```js
* import('foo', { assert: { type: "json" }})
* ```
*/
Expr getImportAttributes() { result = this.getChildExpr(1) }
override Module getEnclosingModule() { result = this.getTopLevel() }
override DataFlow::Node getImportedModuleNode() { result = DataFlow::valueNode(this) }
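Review bot: `getImportAttributes()` is declared to return `Expr`, not `ObjectExpr`, but its doc comment shows only the object-literal case, so callers may assume they can always read an `assert` property from the result. A sentence such as `The result is an arbitrary expression and need not be an object literal.` would document that. The predicate also returns the whole second argument, whereas `getImportAssertion()` on import and export declarations returns the inner `{ type: "json" }` object; saying so in the comment would keep the two from being used interchangeably. The class body continues outside the hunk.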


@@ -83,13 +83,6 @@ class Function extends @function, Parameterized, TypeParameterized, StmtContaine
result = this.getDocumentation().getATagByTitle("this").getType()
}
/**
* DEPRECATED: Use `getIdentifier()` instead.
*
* Gets the identifier specifying the name of this function, if any.
*/
deprecated VarDecl getId() { result = this.getIdentifier() }
/** Gets the identifier specifying the name of this function, if any. */
VarDecl getIdentifier() { result = this.getChildExpr(-1) }


@@ -7,13 +7,6 @@ import javascript
* considered to be namespace definitions.
*/
class NamespaceDefinition extends Stmt, @namespace_definition, AST::ValueNode {
/**
* DEPRECATED: Use `getIdentifier()` instead.
*
* Gets the identifier naming the namespace.
*/
deprecated Identifier getId() { result = this.getIdentifier() }
/**
* Gets the identifier naming the namespace.
*/
@@ -189,13 +182,6 @@ class GlobalAugmentationDeclaration extends Stmt, StmtContainer, @global_augment
/** A TypeScript "import-equals" declaration. */
class ImportEqualsDeclaration extends Stmt, @import_equals_declaration {
/**
* DEPRECATED: Use `getIdentifier()` instead.
*
* Gets the name under which the imported entity is imported.
*/
deprecated Identifier getId() { result = this.getIdentifier() }
/** Gets the name under which the imported entity is imported. */
Identifier getIdentifier() { result = this.getChildExpr(0) }


@@ -108,20 +108,6 @@ class XmlFile extends XmlParent, File {
/** Gets the name of this XML file. */
override string getName() { result = File.super.getAbsolutePath() }
/**
* DEPRECATED: Use `getAbsolutePath()` instead.
*
* Gets the path of this XML file.
*/
deprecated string getPath() { result = this.getAbsolutePath() }
/**
* DEPRECATED: Use `getParentContainer().getAbsolutePath()` instead.
*
* Gets the path of the folder that contains this XML file.
*/
deprecated string getFolder() { result = this.getParentContainer().getAbsolutePath() }
/** Gets the encoding of this XML file. */
string getEncoding() { xmlEncoding(this, result) }


@@ -347,9 +347,6 @@ module Http {
*/
abstract RouteHandler getRouteHandler();
/** DEPRECATED. Use `ref().flowsTo()` instead. */
deprecated predicate flowsTo(DataFlow::Node nd) { this.ref().flowsTo(nd) }
private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
t.start() and
result = this
@@ -372,9 +369,6 @@ module Http {
*/
abstract RouteHandler getRouteHandler();
/** DEPRECATED. Use `ref().flowsTo()` instead. */
deprecated predicate flowsTo(DataFlow::Node nd) { this.ref().flowsTo(nd) }
private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
t.start() and
result = this


@@ -775,7 +775,7 @@ private class ReactRouterLocationSource extends DOM::LocationSource::Range {
private DataFlow::SourceNode higherOrderComponentBuilder() {
// `memo(f)` returns a function that behaves as `f` but caches results
// It is sometimes used to wrap an entire functional component.
result = react().getAPropertyRead("memo")
result = react().getAPropertyRead(["memo", "forwardRef"])
or
result = DataFlow::moduleMember("react-redux", "connect").getACall()
or
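Review bot: The comment at the top of `higherOrderComponentBuilder()` still describes only `memo(f)`, while the new line `result = react().getAPropertyRead(["memo", "forwardRef"])` also treats `forwardRef` as a higher-order component builder. I would add a line such as `// forwardRef(f) wraps a component in the same way and forwards its ref`, so the comment covers both members of the list. The predicate's body continues past the end of the hunk.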


@@ -269,9 +269,6 @@ module SocketIO {
/** Gets the acknowledgment callback, if any. */
ReceiveCallback getAck() { result.getReceiveNode() = this }
/** DEPRECATED. Use `getChannel()` instead. */
deprecated string getEventName() { result = this.getChannel() }
}
/** An acknowledgment callback when receiving a message. */
@@ -360,9 +357,6 @@ module SocketIO {
/** Gets the acknowledgment callback, if any. */
SendCallback getAck() { result.getSendNode() = this }
/** DEPRECATED. Use `getChannel()` instead. */
deprecated string getEventName() { result = this.getChannel() }
}
/** A socket.io namespace, identified by its server and its path. */
@@ -646,9 +640,6 @@ module SocketIOClient {
/** Gets the acknowledgment callback, if any. */
DataFlow::FunctionNode getAck() { result.(SendCallback).getSendNode() = this }
/** DEPRECATED. Use `getChannel()` instead. */
deprecated string getEventName() { result = this.getChannel() }
}
/**


@@ -25,8 +25,7 @@ module TrustedTypes {
/** Gets the function passed as the given option. */
DataFlow::FunctionNode getPolicyCallback(string method) {
// Require local callback to avoid potential call/return mismatch in the uses below
result = getOptionArgument(1, method).getALocalSource()
result = getParameter(1).getMember(method).getAValueReachingSink()
}
}
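Review bot: The rationale in `getPolicyCallback` ("Require local callback to avoid potential call/return mismatch in the uses below") no longer matches the new body `result = getParameter(1).getMember(method).getAValueReachingSink()`. Judging by the updated expected results, which now report a flow into `trusted-types-lib.js`, the new body also resolves callbacks defined in other modules. The rendered page does not show whether that comment line survives on the new side. If it does, it is stale and should be replaced; if it was removed, a replacement such as `// Callbacks are resolved through the API graph, so imported (non-local) functions are included` would record that the widening is deliberate. It would also help to say why the call/return mismatch the old comment guarded against is now acceptable for the uses of this predicate, which lie outside the hunk.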


@@ -40,17 +40,6 @@ abstract class ExpensiveRouteHandler extends DataFlow::Node {
abstract predicate explain(string explanation, DataFlow::Node reference, string referenceLabel);
}
/**
* DEPRECATED. Use `RateLimitingMiddleware` instead.
*
* A route handler expression that is guarded by a rate limiter.
*/
deprecated class RateLimitedRouteHandlerExpr extends Express::RouteHandlerExpr {
RateLimitedRouteHandlerExpr() {
Routing::getNode(this.flow()).isGuardedBy(any(RateLimitingMiddleware m))
}
}
// default implementations
/**
* A route handler that performs an expensive action, and hence should be rate-limited.
@@ -100,17 +89,6 @@ class DatabaseAccessAsExpensiveAction extends ExpensiveAction instanceof Databas
override string describe() { result = "a database access" }
}
/**
* DEPRECATED. Use the `Routing::Node` API instead.
*
* A route handler expression that is rate-limited by a rate-limiting middleware.
*/
deprecated class RouteHandlerExpressionWithRateLimiter extends Expr {
RouteHandlerExpressionWithRateLimiter() {
Routing::getNode(this.flow()).isGuardedBy(any(RateLimitingMiddleware m))
}
}
/**
* The creation of a middleware function that acts as a rate limiter.
*/


@@ -0,0 +1,13 @@
import "module" assert { type: "json" };
import * as v1 from "module" assert { type: "json" };
import { v2 } from "module" assert { type: "json" };
import v3 from "module" assert { type: "json" };
export { v4 } from "module" assert { type: "json" };
export * from "module" assert { type: "json" };
export * as v5 from "module" assert { type: "json" };
const v6 = import("module", { assert: { type: "json" } });
import "module" // missing semicolon
assert({type: "json"}); // function call, not import assertion


@@ -0,0 +1,20 @@
getImportAssertionFromImport
| js-import-assertions.js:1:1:1:40 | import ... son" }; | js-import-assertions.js:1:24:1:39 | { type: "json" } |
| js-import-assertions.js:2:1:2:53 | import ... son" }; | js-import-assertions.js:2:37:2:52 | { type: "json" } |
| js-import-assertions.js:3:1:3:52 | import ... son" }; | js-import-assertions.js:3:36:3:51 | { type: "json" } |
| js-import-assertions.js:4:1:4:48 | import ... son" }; | js-import-assertions.js:4:32:4:47 | { type: "json" } |
| ts-import-assertions.ts:3:1:3:40 | import ... son" }; | ts-import-assertions.ts:3:24:3:39 | { type: "json" } |
| ts-import-assertions.ts:4:1:4:53 | import ... son" }; | ts-import-assertions.ts:4:37:4:52 | { type: "json" } |
| ts-import-assertions.ts:5:1:5:52 | import ... son" }; | ts-import-assertions.ts:5:36:5:51 | { type: "json" } |
| ts-import-assertions.ts:6:1:6:48 | import ... son" }; | ts-import-assertions.ts:6:32:6:47 | { type: "json" } |
getImportAssertionFromExport
| js-import-assertions.js:6:1:6:52 | export ... son" }; | js-import-assertions.js:6:36:6:51 | { type: "json" } |
| js-import-assertions.js:7:1:7:47 | export ... son" }; | js-import-assertions.js:7:31:7:46 | { type: "json" } |
| js-import-assertions.js:8:1:8:53 | export ... son" }; | js-import-assertions.js:8:37:8:52 | { type: "json" } |
| ts-import-assertions.ts:8:1:8:52 | export ... son" }; | ts-import-assertions.ts:8:36:8:51 | { type: "json" } |
| ts-import-assertions.ts:9:1:9:47 | export ... son" }; | ts-import-assertions.ts:9:31:9:46 | { type: "json" } |
| ts-import-assertions.ts:10:1:10:53 | export ... son" }; | ts-import-assertions.ts:10:37:10:52 | { type: "json" } |
getImportAttributes
| js-import-assertions.js:10:12:10:57 | import( ... n" } }) | js-import-assertions.js:10:29:10:56 | { asser ... on" } } |
| ts-import-assertions.ts:12:12:12:57 | import( ... n" } }) | ts-import-assertions.ts:12:29:12:56 | { asser ... on" } } |
errors


@@ -0,0 +1,13 @@
import javascript
query Expr getImportAssertionFromImport(ImportDeclaration decl) {
result = decl.getImportAssertion()
}
query Expr getImportAssertionFromExport(ExportDeclaration decl) {
result = decl.getImportAssertion()
}
query Expr getImportAttributes(DynamicImportExpr imprt) { result = imprt.getImportAttributes() }
query JSParseError errors() { any() }


@@ -0,0 +1,15 @@
// TypeScript
import "module" assert { type: "json" };
import * as v1 from "module" assert { type: "json" };
import { v2 } from "module" assert { type: "json" };
import v3 from "module" assert { type: "json" };
export { v4 } from "module" assert { type: "json" };
export * from "module" assert { type: "json" };
export * as v5 from "module" assert { type: "json" };
const v6 = import("module", { assert: { type: "json" } });
import "module" // missing semicolon
assert({ type: "json" }); // function call, not import assertion


@@ -949,6 +949,8 @@ nodes
| tst.ts:237:8:237:16 | [ImportSpecifier] * as Foo3 | semmle.label | [ImportSpecifier] * as Foo3 |
| tst.ts:237:13:237:16 | [VarDecl] Foo3 | semmle.label | [VarDecl] Foo3 |
| tst.ts:237:23:237:40 | [Literal] "./something.json" | semmle.label | [Literal] "./something.json" |
| tst.ts:237:49:237:64 | [ObjectExpr] { type: "json" } | semmle.label | [ObjectExpr] { type: "json" } |
| tst.ts:237:51:237:62 | [Property] type: "json" | semmle.label | [Property] type: "json" |
| tst.ts:238:1:238:19 | [DeclStmt] var foo = ... | semmle.label | [DeclStmt] var foo = ... |
| tst.ts:238:1:238:19 | [DeclStmt] var foo = ... | semmle.order | 59 |
| tst.ts:238:5:238:7 | [VarDecl] foo | semmle.label | [VarDecl] foo |
@@ -3461,8 +3463,12 @@ edges
| tst.ts:237:1:237:65 | [ImportDeclaration] import ... son" }; | tst.ts:237:8:237:16 | [ImportSpecifier] * as Foo3 | semmle.order | 1 |
| tst.ts:237:1:237:65 | [ImportDeclaration] import ... son" }; | tst.ts:237:23:237:40 | [Literal] "./something.json" | semmle.label | 2 |
| tst.ts:237:1:237:65 | [ImportDeclaration] import ... son" }; | tst.ts:237:23:237:40 | [Literal] "./something.json" | semmle.order | 2 |
| tst.ts:237:1:237:65 | [ImportDeclaration] import ... son" }; | tst.ts:237:49:237:64 | [ObjectExpr] { type: "json" } | semmle.label | 3 |
| tst.ts:237:1:237:65 | [ImportDeclaration] import ... son" }; | tst.ts:237:49:237:64 | [ObjectExpr] { type: "json" } | semmle.order | 3 |
| tst.ts:237:8:237:16 | [ImportSpecifier] * as Foo3 | tst.ts:237:13:237:16 | [VarDecl] Foo3 | semmle.label | 1 |
| tst.ts:237:8:237:16 | [ImportSpecifier] * as Foo3 | tst.ts:237:13:237:16 | [VarDecl] Foo3 | semmle.order | 1 |
| tst.ts:237:49:237:64 | [ObjectExpr] { type: "json" } | tst.ts:237:51:237:62 | [Property] type: "json" | semmle.label | 1 |
| tst.ts:237:49:237:64 | [ObjectExpr] { type: "json" } | tst.ts:237:51:237:62 | [Property] type: "json" | semmle.order | 1 |
| tst.ts:238:1:238:19 | [DeclStmt] var foo = ... | tst.ts:238:5:238:18 | [VariableDeclarator] foo = Foo3.foo | semmle.label | 1 |
| tst.ts:238:1:238:19 | [DeclStmt] var foo = ... | tst.ts:238:5:238:18 | [VariableDeclarator] foo = Foo3.foo | semmle.order | 1 |
| tst.ts:238:5:238:18 | [VariableDeclarator] foo = Foo3.foo | tst.ts:238:5:238:7 | [VarDecl] foo | semmle.label | 1 |


@@ -1,4 +1,4 @@
import { memo } from 'react';
import { memo, forwardRef } from 'react';
import { connect } from 'react-redux';
import { compose } from 'redux';
import styled from 'styled-components';
@@ -25,4 +25,4 @@ const ConnectedComponent = compose(withConnect, unknownFunction)(StyledComponent
const ConnectedComponent2 = withState('counter', 'setCounter', 0)(ConnectedComponent);
export default hot(module)(memo(ConnectedComponent2));
export default hot(module)(memo(forwardRef(ConnectedComponent2)));


@@ -689,14 +689,22 @@ nodes
| translate.js:9:27:9:50 | searchP ... 'term') |
| translate.js:9:27:9:50 | searchP ... 'term') |
| translate.js:9:27:9:50 | searchP ... 'term') |
| trusted-types.js:2:66:2:66 | x |
| trusted-types.js:2:66:2:66 | x |
| trusted-types.js:2:71:2:71 | x |
| trusted-types.js:2:71:2:71 | x |
| trusted-types.js:2:71:2:71 | x |
| trusted-types.js:3:24:3:34 | window.name |
| trusted-types.js:3:24:3:34 | window.name |
| trusted-types.js:3:24:3:34 | window.name |
| trusted-types-lib.js:1:28:1:28 | x |
| trusted-types-lib.js:1:28:1:28 | x |
| trusted-types-lib.js:2:12:2:12 | x |
| trusted-types-lib.js:2:12:2:12 | x |
| trusted-types-lib.js:2:12:2:12 | x |
| trusted-types.js:3:62:3:62 | x |
| trusted-types.js:3:62:3:62 | x |
| trusted-types.js:3:67:3:67 | x |
| trusted-types.js:3:67:3:67 | x |
| trusted-types.js:3:67:3:67 | x |
| trusted-types.js:4:20:4:30 | window.name |
| trusted-types.js:4:20:4:30 | window.name |
| trusted-types.js:4:20:4:30 | window.name |
| trusted-types.js:13:20:13:30 | window.name |
| trusted-types.js:13:20:13:30 | window.name |
| trusted-types.js:13:20:13:30 | window.name |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) |
| tst3.js:2:23:2:74 | decodeU ... str(1)) |
| tst3.js:2:42:2:63 | window. ... .search |
@@ -1818,14 +1826,22 @@ edges
| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') |
| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') |
| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') |
| trusted-types.js:2:66:2:66 | x | trusted-types.js:2:71:2:71 | x |
| trusted-types.js:2:66:2:66 | x | trusted-types.js:2:71:2:71 | x |
| trusted-types.js:2:66:2:66 | x | trusted-types.js:2:71:2:71 | x |
| trusted-types.js:2:66:2:66 | x | trusted-types.js:2:71:2:71 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x |
| trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x |
| trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x |
| trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x |
| trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x |
| trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x |
| trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x |
| trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x |
| trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x |
| trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x |
| trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x |
| trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x |
| trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:1:28:1:28 | x |
| trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:1:28:1:28 | x |
| trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:1:28:1:28 | x |
| trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:1:28:1:28 | x |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:4:25:4:28 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:5:26:5:29 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:7:32:7:35 | data |
@@ -2382,7 +2398,8 @@ edges
| tooltip.jsx:10:25:10:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:10:25:10:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value |
| tooltip.jsx:11:25:11:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:11:25:11:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value |
| translate.js:9:27:9:50 | searchP ... 'term') | translate.js:6:16:6:39 | documen ... .search | translate.js:9:27:9:50 | searchP ... 'term') | Cross-site scripting vulnerability due to $@. | translate.js:6:16:6:39 | documen ... .search | user-provided value |
| trusted-types.js:2:71:2:71 | x | trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:71:2:71 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:3:24:3:34 | window.name | user-provided value |
| trusted-types-lib.js:2:12:2:12 | x | trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:2:12:2:12 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:13:20:13:30 | window.name | user-provided value |
| trusted-types.js:3:67:3:67 | x | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:67:3:67 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:4:20:4:30 | window.name | user-provided value |
| tst3.js:4:25:4:32 | data.src | tst3.js:2:42:2:63 | window. ... .search | tst3.js:4:25:4:32 | data.src | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value |
| tst3.js:5:26:5:31 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:5:26:5:31 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value |
| tst3.js:7:32:7:37 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:7:32:7:37 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value |


@@ -701,14 +701,22 @@ nodes
| translate.js:9:27:9:50 | searchP ... 'term') |
| translate.js:9:27:9:50 | searchP ... 'term') |
| translate.js:9:27:9:50 | searchP ... 'term') |
| trusted-types.js:2:66:2:66 | x |
| trusted-types.js:2:66:2:66 | x |
| trusted-types.js:2:71:2:71 | x |
| trusted-types.js:2:71:2:71 | x |
| trusted-types.js:2:71:2:71 | x |
| trusted-types.js:3:24:3:34 | window.name |
| trusted-types.js:3:24:3:34 | window.name |
| trusted-types.js:3:24:3:34 | window.name |
| trusted-types-lib.js:1:28:1:28 | x |
| trusted-types-lib.js:1:28:1:28 | x |
| trusted-types-lib.js:2:12:2:12 | x |
| trusted-types-lib.js:2:12:2:12 | x |
| trusted-types-lib.js:2:12:2:12 | x |
| trusted-types.js:3:62:3:62 | x |
| trusted-types.js:3:62:3:62 | x |
| trusted-types.js:3:67:3:67 | x |
| trusted-types.js:3:67:3:67 | x |
| trusted-types.js:3:67:3:67 | x |
| trusted-types.js:4:20:4:30 | window.name |
| trusted-types.js:4:20:4:30 | window.name |
| trusted-types.js:4:20:4:30 | window.name |
| trusted-types.js:13:20:13:30 | window.name |
| trusted-types.js:13:20:13:30 | window.name |
| trusted-types.js:13:20:13:30 | window.name |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) |
| tst3.js:2:23:2:74 | decodeU ... str(1)) |
| tst3.js:2:42:2:63 | window. ... .search |
@@ -1880,14 +1888,22 @@ edges
| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') |
| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') |
| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') |
| trusted-types.js:2:66:2:66 | x | trusted-types.js:2:71:2:71 | x |
| trusted-types.js:2:66:2:66 | x | trusted-types.js:2:71:2:71 | x |
| trusted-types.js:2:66:2:66 | x | trusted-types.js:2:71:2:71 | x |
| trusted-types.js:2:66:2:66 | x | trusted-types.js:2:71:2:71 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| trusted-types.js:3:24:3:34 | window.name | trusted-types.js:2:66:2:66 | x |
| trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x |
| trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x |
| trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x |
| trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x |
| trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x |
| trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x |
| trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x |
| trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x |
| trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x |
| trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x |
| trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x |
| trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x |
| trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:1:28:1:28 | x |
| trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:1:28:1:28 | x |
| trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:1:28:1:28 | x |
| trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:1:28:1:28 | x |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:4:25:4:28 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:5:26:5:29 | data |
| tst3.js:2:12:2:75 | JSON.pa ... tr(1))) | tst3.js:7:32:7:35 | data |


@@ -0,0 +1,3 @@
export function createHtml(x) {
return x;
}


@@ -1,10 +1,13 @@
(function() {
const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // NOT OK
policy1.createHTML(window.name);
import * as lib from './trusted-types-lib';
const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' }); // OK
policy2.createHTML(window.name);
const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // NOT OK
policy1.createHTML(window.name);
const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); // OK
policy3.createHTML('safe');
})();
const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' }); // OK
policy2.createHTML(window.name);
const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); // OK
policy3.createHTML('safe');
const policy4 = trustedTypes.createPolicy('x', { createHTML: lib.createHtml });
policy4.createHTML(window.name);
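Review bot: The new `policy4` case has no `// OK` or `// NOT OK` annotation, unlike the three cases above it. The updated expected output reports a cross-site scripting alert at `trusted-types-lib.js:2:12` with `window.name` at `trusted-types.js:13:20` as its source, so this case is meant to be flagged. Marking it, e.g. `const policy4 = trustedTypes.createPolicy('x', { createHTML: lib.createHtml }); // NOT OK`, keeps the fixture self-describing. It also tells a reader that the imported identity callback is the reason for the alert.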