Merge pull request github#3599 from asger-semmle/js/nameditem

Approved by esbena

Author: semmle-qlci

javascript/ql/src/semmle/javascript/DOM.qll

@@ -340,6 +340,9 @@ module DOM {
     t.start() and
     result = domValueSource()
     or
+    t.start() and
+    result = domValueRef().getAMethodCall(["item", "namedItem"])
+    or
     exists(DataFlow::TypeTracker t2 | result = domValueRef(t2).track(t2, t))
   }
 

javascript/ql/test/library-tests/DOM/Customizations.expected

@@ -1,8 +1,11 @@
 test_documentRef
 | customization.js:2:13:2:31 | customGetDocument() |
+| nameditems.js:1:1:1:8 | document |
 test_locationRef
 | customization.js:3:3:3:14 | doc.location |
 test_domValueRef
 | customization.js:4:3:4:28 | doc.get ... 'test') |
+| nameditems.js:1:1:1:30 | documen ... ('foo') |
+| nameditems.js:1:1:2:19 | documen ... em('x') |
 | tst.js:49:3:49:8 | window |
 | tst.js:50:3:50:8 | window |

javascript/ql/test/library-tests/DOM/nameditems.js

@@ -0,0 +1,2 @@
+document.getElementById('foo')
+    .namedItem('x');

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

@@ -331,6 +331,8 @@ nodes
 | tst.js:194:54:194:60 | tainted |
 | tst.js:195:45:195:51 | tainted |
 | tst.js:195:45:195:51 | tainted |
+| tst.js:196:49:196:55 | tainted |
+| tst.js:196:49:196:55 | tainted |
 | tst.js:200:9:200:42 | tainted |
 | tst.js:200:19:200:35 | document.location |
 | tst.js:200:19:200:35 | document.location |
@@ -749,6 +751,8 @@ edges
 | tst.js:187:9:187:42 | tainted | tst.js:194:54:194:60 | tainted |
 | tst.js:187:9:187:42 | tainted | tst.js:195:45:195:51 | tainted |
 | tst.js:187:9:187:42 | tainted | tst.js:195:45:195:51 | tainted |
+| tst.js:187:9:187:42 | tainted | tst.js:196:49:196:55 | tainted |
+| tst.js:187:9:187:42 | tainted | tst.js:196:49:196:55 | tainted |
 | tst.js:187:19:187:35 | document.location | tst.js:187:19:187:42 | documen ... .search |
 | tst.js:187:19:187:35 | document.location | tst.js:187:19:187:42 | documen ... .search |
 | tst.js:187:19:187:42 | documen ... .search | tst.js:187:9:187:42 | tainted |
@@ -925,6 +929,7 @@ edges
 | tst.js:192:33:192:39 | tainted | tst.js:187:19:187:35 | document.location | tst.js:192:33:192:39 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:187:19:187:35 | document.location | user-provided value |
 | tst.js:194:54:194:60 | tainted | tst.js:187:19:187:35 | document.location | tst.js:194:54:194:60 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:187:19:187:35 | document.location | user-provided value |
 | tst.js:195:45:195:51 | tainted | tst.js:187:19:187:35 | document.location | tst.js:195:45:195:51 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:187:19:187:35 | document.location | user-provided value |
+| tst.js:196:49:196:55 | tainted | tst.js:187:19:187:35 | document.location | tst.js:196:49:196:55 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:187:19:187:35 | document.location | user-provided value |
 | tst.js:202:67:202:73 | tainted | tst.js:200:19:200:35 | document.location | tst.js:202:67:202:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:200:19:200:35 | document.location | user-provided value |
 | tst.js:203:67:203:73 | tainted | tst.js:200:19:200:35 | document.location | tst.js:203:67:203:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:200:19:200:35 | document.location | user-provided value |
 | tst.js:215:28:215:46 | this.state.tainted1 | tst.js:200:19:200:35 | document.location | tst.js:215:28:215:46 | this.state.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:200:19:200:35 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/XssWithAdditionalSources.expected

@@ -331,6 +331,8 @@ nodes
 | tst.js:194:54:194:60 | tainted |
 | tst.js:195:45:195:51 | tainted |
 | tst.js:195:45:195:51 | tainted |
+| tst.js:196:49:196:55 | tainted |
+| tst.js:196:49:196:55 | tainted |
 | tst.js:200:9:200:42 | tainted |
 | tst.js:200:19:200:35 | document.location |
 | tst.js:200:19:200:35 | document.location |
@@ -753,6 +755,8 @@ edges
 | tst.js:187:9:187:42 | tainted | tst.js:194:54:194:60 | tainted |
 | tst.js:187:9:187:42 | tainted | tst.js:195:45:195:51 | tainted |
 | tst.js:187:9:187:42 | tainted | tst.js:195:45:195:51 | tainted |
+| tst.js:187:9:187:42 | tainted | tst.js:196:49:196:55 | tainted |
+| tst.js:187:9:187:42 | tainted | tst.js:196:49:196:55 | tainted |
 | tst.js:187:19:187:35 | document.location | tst.js:187:19:187:42 | documen ... .search |
 | tst.js:187:19:187:35 | document.location | tst.js:187:19:187:42 | documen ... .search |
 | tst.js:187:19:187:42 | documen ... .search | tst.js:187:9:187:42 | tainted |

javascript/ql/test/query-tests/Security/CWE-079/tst.js

@@ -193,7 +193,7 @@ function references() {
 
     document.getElementsByClassName()[0].innerHTML = tainted; // NOT OK
     getElementsByClassName()[0].innerHTML = tainted; // NOT OK
-    getElementsByClassName().item().innerHTML = tainted; // NOT OK, but not supported
+    getElementsByClassName().item().innerHTML = tainted; // NOT OK
 }
 
 function react(){