JS: Add test case for false positive

Author: asgerf

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected

@@ -65,7 +65,8 @@
 | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
 | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | react-native.js:10:23:10:29 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:10:23:10:29 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
-| react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... on.hash | react.js:10:56:10:77 | documen ... on.hash | This code execution depends on a $@. | react.js:10:56:10:77 | documen ... on.hash | user-provided value |
+| react.js:11:56:11:77 | documen ... on.hash | react.js:11:56:11:77 | documen ... on.hash | react.js:11:56:11:77 | documen ... on.hash | This code execution depends on a $@. | react.js:11:56:11:77 | documen ... on.hash | user-provided value |
+| react.js:25:8:25:11 | data | react-server-function.js:3:35:3:35 | x | react.js:25:8:25:11 | data | This code execution depends on a $@. | react-server-function.js:3:35:3:35 | x | user-provided value |
 | template-sinks.js:20:17:20:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:20:17:20:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
 | template-sinks.js:21:16:21:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:21:16:21:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
 | template-sinks.js:22:18:22:24 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:22:18:22:24 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value |
@@ -156,6 +157,12 @@ edges
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance |  |
 | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance |  |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance |  |
+| react-server-function.js:3:35:3:35 | x | react-server-function.js:4:12:4:12 | x | provenance |  |
+| react-server-function.js:4:12:4:12 | x | react-server-function.js:4:12:4:29 | x + " from server" | provenance |  |
+| react-server-function.js:4:12:4:29 | x + " from server" | react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | provenance |  |
+| react.js:24:9:24:45 | data | react.js:25:8:25:11 | data | provenance |  |
+| react.js:24:16:24:45 | use(ech ... alue")) | react.js:24:9:24:45 | data | provenance |  |
+| react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | react.js:24:16:24:45 | use(ech ... alue")) | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:20:17:20:23 | tainted | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:21:16:21:22 | tainted | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:22:18:22:24 | tainted | provenance |  |
@@ -287,7 +294,14 @@ nodes
 | react-native.js:7:17:7:33 | req.param("code") | semmle.label | req.param("code") |
 | react-native.js:8:32:8:38 | tainted | semmle.label | tainted |
 | react-native.js:10:23:10:29 | tainted | semmle.label | tainted |
-| react.js:10:56:10:77 | documen ... on.hash | semmle.label | documen ... on.hash |
+| react-server-function.js:3:35:3:35 | x | semmle.label | x |
+| react-server-function.js:4:12:4:12 | x | semmle.label | x |
+| react-server-function.js:4:12:4:29 | x + " from server" | semmle.label | x + " from server" |
+| react.js:11:56:11:77 | documen ... on.hash | semmle.label | documen ... on.hash |
+| react.js:24:9:24:45 | data | semmle.label | data |
+| react.js:24:16:24:45 | use(ech ... alue")) | semmle.label | use(ech ... alue")) |
+| react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | semmle.label | echoSer ... value") [PromiseValue] |
+| react.js:25:8:25:11 | data | semmle.label | data |
 | template-sinks.js:18:9:18:31 | tainted | semmle.label | tainted |
 | template-sinks.js:18:19:18:31 | req.query.foo | semmle.label | req.query.foo |
 | template-sinks.js:20:17:20:23 | tainted | semmle.label | tainted |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected

@@ -58,6 +58,12 @@ edges
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance |  |
 | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance |  |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance |  |
+| react-server-function.js:3:35:3:35 | x | react-server-function.js:4:12:4:12 | x | provenance |  |
+| react-server-function.js:4:12:4:12 | x | react-server-function.js:4:12:4:29 | x + " from server" | provenance |  |
+| react-server-function.js:4:12:4:29 | x + " from server" | react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | provenance |  |
+| react.js:24:9:24:45 | data | react.js:25:8:25:11 | data | provenance |  |
+| react.js:24:16:24:45 | use(ech ... alue")) | react.js:24:9:24:45 | data | provenance |  |
+| react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | react.js:24:16:24:45 | use(ech ... alue")) | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:20:17:20:23 | tainted | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:21:16:21:22 | tainted | provenance |  |
 | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:22:18:22:24 | tainted | provenance |  |
@@ -191,7 +197,14 @@ nodes
 | react-native.js:7:17:7:33 | req.param("code") | semmle.label | req.param("code") |
 | react-native.js:8:32:8:38 | tainted | semmle.label | tainted |
 | react-native.js:10:23:10:29 | tainted | semmle.label | tainted |
-| react.js:10:56:10:77 | documen ... on.hash | semmle.label | documen ... on.hash |
+| react-server-function.js:3:35:3:35 | x | semmle.label | x |
+| react-server-function.js:4:12:4:12 | x | semmle.label | x |
+| react-server-function.js:4:12:4:29 | x + " from server" | semmle.label | x + " from server" |
+| react.js:11:56:11:77 | documen ... on.hash | semmle.label | documen ... on.hash |
+| react.js:24:9:24:45 | data | semmle.label | data |
+| react.js:24:16:24:45 | use(ech ... alue")) | semmle.label | use(ech ... alue")) |
+| react.js:24:20:24:44 | echoSer ... value") [PromiseValue] | semmle.label | echoSer ... value") [PromiseValue] |
+| react.js:25:8:25:11 | data | semmle.label | data |
 | template-sinks.js:18:9:18:31 | tainted | semmle.label | tainted |
 | template-sinks.js:18:19:18:31 | req.query.foo | semmle.label | req.query.foo |
 | template-sinks.js:20:17:20:23 | tainted | semmle.label | tainted |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-server-function.js

@@ -0,0 +1,5 @@
+"use server";
+
+export async function echoService(x) { // $ Source[js/code-injection]
+    return x + " from server";
+}

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react.js

@@ -1,6 +1,7 @@
-import React from "react";
+import React, { use } from "react";
 import {Helmet} from "react-helmet";
- 
+import { echoService } from "./react-server-function";
+
 class Application extends React.Component {
   render () {
     return (
@@ -14,4 +15,12 @@ class Application extends React.Component {
   }
 };
 
-export default Application
+export default Application
+
+export function Component() {
+  // We currently get false-positive flow through server functions in cases where a safe value
+  // is passed as the argument, which flows to the return value. In this case, the tainted parameter
+  // flows out of the return value regardless.
+  const data = use(echoService("safe value"));
+  eval(data); // $ SPURIOUS: Alert[js/code-injection]
+}