recognize barrier guard where the result is stored in a variable

Author: erik-krogh

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -438,7 +438,7 @@ private predicate barrierGuardBlocksNode(BarrierGuardNode guard, DataFlow::Node
   barrierGuardIsRelevant(guard) and
   exists(AccessPath p, BasicBlock bb, ConditionGuardNode cond, boolean outcome |
     nd = DataFlow::valueNode(p.getAnInstanceIn(bb)) and
-    guard.getEnclosingExpr() = cond.getTest() and
+    (guard.getEnclosingExpr() = cond.getTest() or guard = cond.getTest().flow().getALocalSource()) and
     outcome = cond.getOutcome() and
     barrierGuardBlocksAccessPath(guard, outcome, p, label) and
     cond.dominates(bb)

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.js

@@ -68,3 +68,20 @@ app.get('/user/:id', function(req, res) {
 
   res.send(escapeHtml1(url)); // OK
 });
+
+const matchHtmlRegExp = /["'&<>]/;
+function escapeHtml2 (string) {
+    const str = '' + string;
+    const match = matchHtmlRegExp.exec(str);
+
+    if (!match) {
+        return str;
+    }
+}
+
+app.get('/user/:id', function(req, res) {
+  const url = req.params.id;
+
+  res.send(escapeHtml2(url)); // OK
+});
+