Merge pull request github#12633 from erik-krogh/more-global-flow

erik-krogh · web-flow · commit 451f6f01bb4d · 2023-03-28T15:19:50.000+02:00
JS: better callgraph support for global variables
diff --git a/javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll b/javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll
@@ -243,6 +243,11 @@ module AccessPath {
       root.isGlobal()
     )
     or
+    exists(Assignment assign |
+      fromReference(assign.getLhs().flow(), root) = result and
+      node = assign.getRhs().flow()
+    )
+    or
     exists(FunctionDeclStmt fun |
       node = DataFlow::valueNode(fun) and
       result = fun.getIdentifier().(GlobalVarDecl).getName() and
diff --git a/javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected b/javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected
@@ -85,6 +85,7 @@ test_getAFunctionValue
 | es2015.js:35:1:35:3 | sum | es2015.js:31:1:33:1 | functio ... +y+z;\\n} |
 | es2015.js:36:1:36:3 | sum | es2015.js:31:1:33:1 | functio ... +y+z;\\n} |
 | m2.js:2:6:2:18 | function() {} | m2.js:2:6:2:18 | function() {} |
+| m.js:1:1:1:9 | exports.f | m.js:1:13:1:25 | function() {} |
 | m.js:1:1:1:25 | exports ... on() {} | m.js:1:13:1:25 | function() {} |
 | m.js:1:13:1:25 | function() {} | m.js:1:13:1:25 | function() {} |
 | m.js:2:1:2:9 | exports.f | m.js:1:13:1:25 | function() {} |
@@ -100,16 +101,19 @@ test_getAFunctionValue
 | protoclass.js:3:10:3:10 | F | protoclass.js:3:1:5:1 | functio ... it();\\n} |
 | protoclass.js:4:3:4:11 | this.init | protoclass.js:7:20:11:1 | functio ...  m();\\n} |
 | protoclass.js:7:1:7:1 | F | protoclass.js:3:1:5:1 | functio ... it();\\n} |
+| protoclass.js:7:1:7:16 | F.prototype.init | protoclass.js:7:20:11:1 | functio ...  m();\\n} |
 | protoclass.js:7:1:11:1 | F.proto ...  m();\\n} | protoclass.js:7:20:11:1 | functio ...  m();\\n} |
 | protoclass.js:7:20:11:1 | functio ...  m();\\n} | protoclass.js:7:20:11:1 | functio ...  m();\\n} |
 | protoclass.js:8:3:8:13 | this.method | protoclass.js:13:22:13:34 | function() {} |
 | protoclass.js:9:11:9:21 | this.method | protoclass.js:13:22:13:34 | function() {} |
 | protoclass.js:13:1:13:1 | F | protoclass.js:3:1:5:1 | functio ... it();\\n} |
+| protoclass.js:13:1:13:18 | F.prototype.method | protoclass.js:13:22:13:34 | function() {} |
 | protoclass.js:13:1:13:34 | F.proto ... on() {} | protoclass.js:13:22:13:34 | function() {} |
 | protoclass.js:13:22:13:34 | function() {} | protoclass.js:13:22:13:34 | function() {} |
 | protoclass.js:15:16:15:16 | F | protoclass.js:3:1:5:1 | functio ... it();\\n} |
 | reflection.js:1:1:3:1 | functio ...  x+y;\\n} | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
 | reflection.js:5:3:5:5 | add | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
+| reflection.js:5:3:5:11 | add.apply | reflection.js:5:15:5:39 | functio ... n 56; } |
 | reflection.js:5:3:5:39 | add.app ... n 56; } | reflection.js:5:15:5:39 | functio ... n 56; } |
 | reflection.js:5:15:5:14 | this | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
 | reflection.js:5:15:5:39 | functio ... n 56; } | reflection.js:5:15:5:39 | functio ... n 56; } |
@@ -163,11 +167,13 @@ test_getAFunctionValue
 | tst.js:42:2:42:26 | functio ... rn x; } | tst.js:42:2:42:26 | functio ... rn x; } |
 | tst.js:44:1:44:15 | function A() {} | tst.js:44:1:44:15 | function A() {} |
 | tst.js:45:1:45:1 | A | tst.js:44:1:44:15 | function A() {} |
+| tst.js:45:1:45:13 | A.prototype.f | tst.js:45:17:47:1 | functio ... .g();\\n} |
 | tst.js:45:1:47:1 | A.proto ... .g();\\n} | tst.js:45:17:47:1 | functio ... .g();\\n} |
 | tst.js:45:17:47:1 | functio ... .g();\\n} | tst.js:45:17:47:1 | functio ... .g();\\n} |
 | tst.js:46:2:46:7 | this.g | tst.js:48:17:48:29 | function() {} |
 | tst.js:46:2:46:7 | this.g | tst.js:61:17:61:29 | function() {} |
 | tst.js:48:1:48:1 | A | tst.js:44:1:44:15 | function A() {} |
+| tst.js:48:1:48:13 | A.prototype.g | tst.js:48:17:48:29 | function() {} |
 | tst.js:48:1:48:29 | A.proto ... on() {} | tst.js:48:17:48:29 | function() {} |
 | tst.js:48:17:48:29 | function() {} | tst.js:48:17:48:29 | function() {} |
 | tst.js:50:1:50:15 | function B() {} | tst.js:50:1:50:15 | function B() {} |
@@ -186,11 +192,13 @@ test_getAFunctionValue
 | tst.js:60:1:60:1 | C | tst.js:59:1:59:15 | function C() {} |
 | tst.js:60:19:60:19 | A | tst.js:44:1:44:15 | function A() {} |
 | tst.js:61:1:61:1 | C | tst.js:59:1:59:15 | function C() {} |
+| tst.js:61:1:61:13 | C.prototype.g | tst.js:61:17:61:29 | function() {} |
 | tst.js:61:1:61:29 | C.proto ... on() {} | tst.js:61:17:61:29 | function() {} |
 | tst.js:61:17:61:29 | function() {} | tst.js:61:17:61:29 | function() {} |
 | tst.js:63:1:67:2 | (functi ... f();\\n}) | tst.js:63:2:67:1 | functio ... .f();\\n} |
 | tst.js:63:2:67:1 | functio ... .f();\\n} | tst.js:63:2:67:1 | functio ... .f();\\n} |
 | tst.js:64:17:64:17 | B | tst.js:50:1:50:15 | function B() {} |
+| tst.js:65:5:65:7 | b.f | tst.js:65:11:65:23 | function() {} |
 | tst.js:65:5:65:23 | b.f = function() {} | tst.js:65:11:65:23 | function() {} |
 | tst.js:65:11:65:23 | function() {} | tst.js:65:11:65:23 | function() {} |
 | tst.js:66:5:66:7 | b.f | tst.js:52:5:54:2 | functio ... g();\\n\\t} |
diff --git a/javascript/ql/test/library-tests/TypeTracking/ClassStyle.expected b/javascript/ql/test/library-tests/TypeTracking/ClassStyle.expected
@@ -12,6 +12,7 @@ test_ApiObject
 test_Connection
 | client.js:1:10:1:27 | exportedConnection |
 | tst.js:7:15:7:18 | conn |
+| tst.js:8:5:8:19 | this.connection |
 | tst.js:11:5:11:19 | this.connection |
 | tst.js:16:10:16:49 | api.cha ... ction() |
 | tst.js:19:7:19:21 | getConnection() |
@@ -20,7 +21,9 @@ test_Connection
 | tst.js:48:7:48:21 | getConnection() |
 | tst.js:54:37:54:51 | getConnection() |
 | tst.js:57:14:57:48 | config. ... ction') |
+| tst.js:62:3:62:36 | MyAppli ... nection |
 | tst.js:62:40:62:79 | api.cha ... ction() |
+| tst.js:63:3:63:34 | MyAppli ... onflict |
 | tst.js:63:38:63:77 | api.cha ... ction() |
 | tst.js:67:14:67:47 | MyAppli ... nection |
 | tst.js:78:35:78:49 | getConnection() |
@@ -41,6 +44,7 @@ test_Connection
 | tst.js:118:12:118:26 | getConnection() |
 | tst.js:120:21:120:24 | conn |
 | tst.js:126:22:126:25 | conn |
+| tst_conflict.js:6:3:6:34 | MyAppli ... onflict |
 | tst_conflict.js:6:38:6:77 | api.cha ... ction() |
 test_DataCallback
 | client.js:3:28:3:34 | x => {} |
diff --git a/javascript/ql/test/library-tests/TypeTracking/PredicateStyle.expected b/javascript/ql/test/library-tests/TypeTracking/PredicateStyle.expected
@@ -11,6 +11,7 @@ apiObject
 | tst_conflict.js:6:38:6:58 | api.cha ... hain2() |
 connection
 | type tracker with call steps | tst.js:7:15:7:18 | conn |
+| type tracker with call steps | tst.js:8:5:8:19 | this.connection |
 | type tracker with call steps | tst.js:11:5:11:19 | this.connection |
 | type tracker with call steps | tst.js:80:16:80:19 | conn |
 | type tracker with call steps | tst.js:84:22:84:22 | x |
@@ -30,7 +31,9 @@ connection
 | type tracker without call steps | tst.js:48:7:48:21 | getConnection() |
 | type tracker without call steps | tst.js:54:37:54:51 | getConnection() |
 | type tracker without call steps | tst.js:57:14:57:48 | config. ... ction') |
+| type tracker without call steps | tst.js:62:3:62:36 | MyAppli ... nection |
 | type tracker without call steps | tst.js:62:40:62:79 | api.cha ... ction() |
+| type tracker without call steps | tst.js:63:3:63:34 | MyAppli ... onflict |
 | type tracker without call steps | tst.js:63:38:63:77 | api.cha ... ction() |
 | type tracker without call steps | tst.js:67:14:67:47 | MyAppli ... nection |
 | type tracker without call steps | tst.js:78:35:78:49 | getConnection() |
@@ -43,6 +46,7 @@ connection
 | type tracker without call steps | tst.js:118:12:118:26 | getConnection() |
 | type tracker without call steps | tst.js:120:21:120:24 | conn |
 | type tracker without call steps | tst.js:126:22:126:25 | conn |
+| type tracker without call steps | tst_conflict.js:6:3:6:34 | MyAppli ... onflict |
 | type tracker without call steps | tst_conflict.js:6:38:6:77 | api.cha ... ction() |
 | type tracker without call steps with property conflict | tst.js:63:3:63:25 | MyAppli ... mespace |
 | type tracker without call steps with property conflict | tst_conflict.js:6:3:6:25 | MyAppli ... mespace |
diff --git a/javascript/ql/test/library-tests/frameworks/Express/tests.expected b/javascript/ql/test/library-tests/frameworks/Express/tests.expected
@@ -3227,10 +3227,13 @@ getRouteHandlerContainerStep
 | src/route-collection.js:1:18:4:1 | {\\n  a:  ... (req)\\n} | src/route-collection.js:3:6:3:35 | (req, r ... og(req) | src/advanced-routehandler-registration.js:116:14:116:30 | importedRoutes[p] |
 | src/route-collection.js:1:18:4:1 | {\\n  a:  ... (req)\\n} | src/route-collection.js:3:6:3:35 | (req, r ... og(req) | src/advanced-routehandler-registration.js:119:14:119:29 | importedRoutes.b |
 dbUse
+| src/middleware-flow.js:6:5:6:10 | req.db |
 | src/middleware-flow.js:6:5:6:21 | req.db = new DB() |
 | src/middleware-flow.js:6:14:6:21 | new DB() |
+| src/middleware-flow.js:7:5:7:15 | req.deep.db |
 | src/middleware-flow.js:7:5:7:26 | req.dee ... ew DB() |
 | src/middleware-flow.js:7:19:7:26 | new DB() |
+| src/middleware-flow.js:8:5:8:22 | req.deep.access.db |
 | src/middleware-flow.js:8:5:8:33 | req.dee ... ew DB() |
 | src/middleware-flow.js:8:26:8:33 | new DB() |
 | src/middleware-flow.js:18:9:18:14 | req.db |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -159,6 +159,11 @@ nodes
 | xss-through-dom.js:141:25:141:27 | src |
 | xss-through-dom.js:150:24:150:26 | src |
 | xss-through-dom.js:150:24:150:26 | src |
+| xss-through-dom.js:154:25:154:27 | msg |
+| xss-through-dom.js:155:27:155:29 | msg |
+| xss-through-dom.js:155:27:155:29 | msg |
+| xss-through-dom.js:159:34:159:52 | $("textarea").val() |
+| xss-through-dom.js:159:34:159:52 | $("textarea").val() |
 edges
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
@@ -263,6 +268,10 @@ edges
 | xss-through-dom.js:139:11:139:52 | src | xss-through-dom.js:150:24:150:26 | src |
 | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:139:11:139:52 | src |
 | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:139:11:139:52 | src |
+| xss-through-dom.js:154:25:154:27 | msg | xss-through-dom.js:155:27:155:29 | msg |
+| xss-through-dom.js:154:25:154:27 | msg | xss-through-dom.js:155:27:155:29 | msg |
+| xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:154:25:154:27 | msg |
+| xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:154:25:154:27 | msg |
 #select
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
@@ -307,3 +316,4 @@ edges
 | xss-through-dom.js:140:19:140:21 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:140:19:140:21 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text |
 | xss-through-dom.js:141:25:141:27 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:141:25:141:27 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text |
 | xss-through-dom.js:150:24:150:26 | src | xss-through-dom.js:139:17:139:52 | documen ... k").src | xss-through-dom.js:150:24:150:26 | src | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:139:17:139:52 | documen ... k").src | DOM text |
+| xss-through-dom.js:155:27:155:29 | msg | xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:155:27:155:29 | msg | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:159:34:159:52 | $("textarea").val() | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
@@ -148,4 +148,15 @@ const cashDom = require("cash-dom");
     cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); // OK
 
     $("<a />", { html: src }).appendTo("#id"); // NOT OK
+
+    function foo() {
+      window.VeryUniqueXssTestName = {
+        send: function (msg) {
+            $("#id").html(msg); // NOT OK
+        },
+      };
+    
+      VeryUniqueXssTestName.send($("textarea").val());
+    }
+    foo()
 })();
