
Commit 3691b83

committed
JS: Add tests
1 parent 0841677 commit 3691b83


3 files changed

+35
-0
lines changed


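--- a/javascript/ql/test/library-tests/TaintBarriers/ExampleConfiguration.qll
+++ b/javascript/ql/test/library-tests/TaintBarriers/ExampleConfiguration.qll
@@ -1,19 +1,33 @@
 import javascript
 
+DataFlow::Node sourceVariable() { result.asExpr().(VarRef).getName() = "sourceVariable" }
+
+StringOps::ConcatenationRoot sinkConcatenation() {
+result.getConstantStringParts().matches("<sink>%</sink>")
+}
+
 class ExampleConfiguration extends TaintTracking::Configuration {
 ExampleConfiguration() { this = "ExampleConfiguration" }
 
 override predicate isSource(DataFlow::Node source) {
 source.asExpr().(CallExpr).getCalleeName() = "SOURCE"
+or
+source = sourceVariable()
 }
 
 override predicate isSink(DataFlow::Node sink) {
 exists(CallExpr callExpr |
 callExpr.getCalleeName() = "SINK" and
 DataFlow::valueNode(callExpr.getArgument(0)) = sink
 )
+or
+sink = sinkConcatenation()
 }
 
+override predicate isSanitizerIn(DataFlow::Node node) { node = sourceVariable() }
+
+override predicate isSanitizerOut(DataFlow::Node node) { node = sinkConcatenation() }
+
 override predicate isSanitizer(DataFlow::Node node) {
 exists(CallExpr callExpr |
 callExpr.getCalleeName() = "SANITIZE" and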
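Review bot: The two helpers added at the top of the file, `sourceVariable()` and `sinkConcatenation()`, have no QLDoc and are not `private`, and nothing in the class says why the same nodes are returned by both `isSource`/`isSanitizerIn` and `isSink`/`isSanitizerOut`. A reader is likely to take that overlap for a mistake rather than the pattern under test, so I would mark both helpers `private` and document the intent, e.g. `// source and in-barrier: flow from one 'sourceVariable' reference must not be reported through another` and `// sink and out-barrier: only the first <sink>...</sink> concatenation on a path is reported`. Note also that `sourceVariable()` matches every `VarRef` with that name, which presumably includes declarations as well as uses; if only uses are intended, say so in the comment. The class body, including `isSanitizer`, continues past the end of the hunk.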
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
import 'dummy';
2+
3+
function barrierIn() {
4+
var sourceVariable = 123;
5+
SINK(sourceVariable); // NOT OK
6+
7+
flowWithSourceParam(sourceVariable);
8+
}
9+
10+
function barrierInParameter(sourceVariable) {
11+
SINK(sourceVariable); // NOT OK, but only report the parameter as the source
12+
}
13+
14+
function barrierOut() {
15+
let taint = SOURCE();
16+
taint = "<sink>" + taint + "</sink>"; // NOT OK
17+
taint = "<sink>" + taint + "</sink>"; // OK - only report first instance
18+
}
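Review bot: The call on line 7, `flowWithSourceParam(sourceVariable);`, targets a function this file never defines, while the function that actually takes a `sourceVariable` parameter is named `barrierInParameter`. As written the call does not appear to resolve to anything, so the interprocedural case (a source argument flowing into a parameter that is itself a source and in-barrier) is likely not exercised, and the line-11 row in the expected output would look the same with or without `isSanitizerIn`. Either call `barrierInParameter(sourceVariable);` or rename the function to `flowWithSourceParam`. The comment on line 11 could also name the expected node more precisely, e.g. `// NOT OK, but the only reported source is this use of the parameter, not the argument at the call site`.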

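--- a/javascript/ql/test/library-tests/TaintBarriers/tests.expected
+++ b/javascript/ql/test/library-tests/TaintBarriers/tests.expected
@@ -133,6 +133,9 @@ sanitizingGuard
 | tst.js:399:16:399:41 | o.hasOw ... "p.q"]) | tst.js:399:33:399:40 | v["p.q"] | true |
 | tst.js:401:16:401:34 | Object.hasOwn(o, v) | tst.js:401:33:401:33 | v | true |
 taintedSink
+| sanitizer-in-out.js:5:10:5:23 | sourceVariable | sanitizer-in-out.js:5:10:5:23 | sourceVariable |
+| sanitizer-in-out.js:11:10:11:23 | sourceVariable | sanitizer-in-out.js:11:10:11:23 | sourceVariable |
+| sanitizer-in-out.js:15:17:15:24 | SOURCE() | sanitizer-in-out.js:16:13:16:40 | "<sink> ... /sink>" |
 | tst.js:2:13:2:20 | SOURCE() | tst.js:3:10:3:10 | v |
 | tst.js:2:13:2:20 | SOURCE() | tst.js:8:14:8:14 | v |
 | tst.js:2:13:2:20 | SOURCE() | tst.js:12:14:12:14 | v |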
