JS: Expand on test

asgerf · asgerf · commit 7045fb46792f · 2021-08-11T12:50:54.000+02:00
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.expected
@@ -0,0 +1,33 @@
+nodes
+| app.js:15:30:15:58 | req.que ... tedCode |
+| app.js:15:30:15:58 | req.que ... tedCode |
+| app.js:17:25:17:48 | req.que ... shSink1 |
+| app.js:17:25:17:48 | req.que ... shSink1 |
+| app.js:19:35:19:68 | req.que ... rString |
+| app.js:19:35:19:68 | req.que ... rString |
+| views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
+| views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
+| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode |
+| views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
+| views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
+| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 |
+| views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
+| views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
+| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString |
+edges
+| app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode |
+| app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode |
+| app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 |
+| app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 |
+| app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString |
+| app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString |
+| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
+| views/ejs_sinks.ejs:13:43:13:61 | dataInGeneratedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
+| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
+| views/ejs_sinks.ejs:16:23:16:36 | backslashSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
+| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
+| views/ejs_sinks.ejs:21:43:21:66 | dataInE ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
+#select
+| views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | app.js:15:30:15:58 | req.que ... tedCode | views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> | $@ flows to here and is interpreted as code. | app.js:15:30:15:58 | req.que ... tedCode | User-provided value |
+| views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | app.js:17:25:17:48 | req.que ... shSink1 | views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> | $@ flows to here and is interpreted as code. | app.js:17:25:17:48 | req.que ... shSink1 | User-provided value |
+| views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | app.js:19:35:19:68 | req.que ... rString | views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> | $@ flows to here and is interpreted as code. | app.js:19:35:19:68 | req.que ... rString | User-provided value |
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref b/javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-094/CodeInjection.ql
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/Xss.expected b/javascript/ql/test/library-tests/frameworks/Templating/Xss.expected
@@ -0,0 +1,53 @@
+nodes
+| app.js:8:18:8:34 | req.query.rawHtml |
+| app.js:8:18:8:34 | req.query.rawHtml |
+| app.js:11:26:11:46 | req.que ... tmlProp |
+| app.js:11:26:11:46 | req.que ... tmlProp |
+| app.js:14:33:14:64 | req.que ... eralRaw |
+| app.js:14:33:14:64 | req.que ... eralRaw |
+| app.js:16:33:16:64 | req.que ... CodeRaw |
+| app.js:16:33:16:64 | req.que ... CodeRaw |
+| app.js:20:38:20:74 | req.que ... ringRaw |
+| app.js:20:38:20:74 | req.que ... ringRaw |
+| views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
+| views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
+| views/ejs_sinks.ejs:4:13:4:19 | rawHtml |
+| views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> |
+| views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> |
+| views/ejs_sinks.ejs:7:13:7:30 | object.rawHtmlProp |
+| views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> |
+| views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> |
+| views/ejs_sinks.ejs:11:47:11:68 | dataInS ... eralRaw |
+| views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> |
+| views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> |
+| views/ejs_sinks.ejs:14:46:14:67 | dataInG ... CodeRaw |
+| views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
+| views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
+| views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw |
+edges
+| app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:4:13:4:19 | rawHtml |
+| app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:4:13:4:19 | rawHtml |
+| app.js:11:26:11:46 | req.que ... tmlProp | views/ejs_sinks.ejs:7:13:7:30 | object.rawHtmlProp |
+| app.js:11:26:11:46 | req.que ... tmlProp | views/ejs_sinks.ejs:7:13:7:30 | object.rawHtmlProp |
+| app.js:14:33:14:64 | req.que ... eralRaw | views/ejs_sinks.ejs:11:47:11:68 | dataInS ... eralRaw |
+| app.js:14:33:14:64 | req.que ... eralRaw | views/ejs_sinks.ejs:11:47:11:68 | dataInS ... eralRaw |
+| app.js:16:33:16:64 | req.que ... CodeRaw | views/ejs_sinks.ejs:14:46:14:67 | dataInG ... CodeRaw |
+| app.js:16:33:16:64 | req.que ... CodeRaw | views/ejs_sinks.ejs:14:46:14:67 | dataInG ... CodeRaw |
+| app.js:20:38:20:74 | req.que ... ringRaw | views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw |
+| app.js:20:38:20:74 | req.que ... ringRaw | views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw |
+| views/ejs_sinks.ejs:4:13:4:19 | rawHtml | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
+| views/ejs_sinks.ejs:4:13:4:19 | rawHtml | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
+| views/ejs_sinks.ejs:7:13:7:30 | object.rawHtmlProp | views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> |
+| views/ejs_sinks.ejs:7:13:7:30 | object.rawHtmlProp | views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> |
+| views/ejs_sinks.ejs:11:47:11:68 | dataInS ... eralRaw | views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> |
+| views/ejs_sinks.ejs:11:47:11:68 | dataInS ... eralRaw | views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> |
+| views/ejs_sinks.ejs:14:46:14:67 | dataInG ... CodeRaw | views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> |
+| views/ejs_sinks.ejs:14:46:14:67 | dataInG ... CodeRaw | views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> |
+| views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
+| views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
+#select
+| views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | Cross-site scripting vulnerability due to $@. | app.js:8:18:8:34 | req.query.rawHtml | user-provided value |
+| views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> | app.js:11:26:11:46 | req.que ... tmlProp | views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> | Cross-site scripting vulnerability due to $@. | app.js:11:26:11:46 | req.que ... tmlProp | user-provided value |
+| views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> | app.js:14:33:14:64 | req.que ... eralRaw | views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> | Cross-site scripting vulnerability due to $@. | app.js:14:33:14:64 | req.que ... eralRaw | user-provided value |
+| views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> | app.js:16:33:16:64 | req.que ... CodeRaw | views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> | Cross-site scripting vulnerability due to $@. | app.js:16:33:16:64 | req.que ... CodeRaw | user-provided value |
+| views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> | app.js:20:38:20:74 | req.que ... ringRaw | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> | Cross-site scripting vulnerability due to $@. | app.js:20:38:20:74 | req.que ... ringRaw | user-provided value |
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/Xss.qlref b/javascript/ql/test/library-tests/frameworks/Templating/Xss.qlref
@@ -0,0 +1 @@
+Security/CWE-079/Xss.ql
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/app.js b/javascript/ql/test/library-tests/frameworks/Templating/app.js
@@ -0,0 +1,22 @@
+const express = require('express');
+
+let app = express();
+
+app.get('/ejs', (req, res) => {
+    res.render('ejs_sinks', {
+        escapedHtml: req.query.escapedHtml,
+        rawHtml: req.query.rawHtml,
+        rawHtmlSafeValue: 'safe',
+        object: {
+            rawHtmlProp: req.query.rawHtmlProp
+        },
+        dataInStringLiteral: req.query.dataInStringLiteral,
+        dataInStringLiteralRaw: req.query.dataInStringLiteralRaw,
+        dataInGeneratedCode: req.query.dataInGeneratedCode,
+        dataInGeneratedCodeRaw: req.query.dataInGeneratedCodeRaw,
+        backslashSink1: req.query.backslashSink1,
+        backslashSink2: req.query.backslashSink2,
+        dataInEventHandlerString: req.query.dataInEventHandlerString,
+        dataInEventHandlerStringRaw: req.query.dataInEventHandlerStringRaw,
+    });
+});
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/test.expected b/javascript/ql/test/library-tests/frameworks/Templating/test.expected
@@ -2,8 +2,23 @@ getTemplateInstantiationSyntax
 | consolidate.js:3:1:3:83 | consoli ...  => {}) | ejs |
 | consolidate.js:4:1:4:90 | consoli ...  => {}) | mustache |
 getLikelyTemplateSyntax
+| views/ejs_sinks.ejs:0:0:0:0 | views/ejs_sinks.ejs | ejs |
 | views/instantiated_as_ejs.html:0:0:0:0 | views/instantiated_as_ejs.html | ejs |
 | views/instantiated_as_hbs.html:0:0:0:0 | views/instantiated_as_hbs.html | mustache |
+getTargetFile
+| app.js:6:5:21:6 | res.ren ... \\n    }) | views/ejs_sinks.ejs:0:0:0:0 | views/ejs_sinks.ejs |
+| consolidate.js:3:1:3:83 | consoli ...  => {}) | views/instantiated_as_ejs.html:0:0:0:0 | views/instantiated_as_ejs.html |
+| consolidate.js:4:1:4:90 | consoli ...  => {}) | views/instantiated_as_hbs.html:0:0:0:0 | views/instantiated_as_hbs.html |
 xssSink
+| views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
+| views/ejs_sinks.ejs:5:9:5:31 | <%- rawHtmlSafeValue %> |
+| views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> |
+| views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> |
+| views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> |
+| views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
 | views/instantiated_as_ejs.html:4:9:4:23 | <%- xss_sink %> |
 | views/instantiated_as_hbs.html:7:9:7:24 | {{{ xss_sink }}} |
+codeInjectionSink
+| views/ejs_sinks.ejs:13:39:13:64 | <%= dataInGeneratedCode %> |
+| views/ejs_sinks.ejs:16:19:16:39 | <%= backslashSink1 %> |
+| views/ejs_sinks.ejs:21:39:21:69 | <%= dataInEventHandlerString %> |
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/test.ql b/javascript/ql/test/library-tests/frameworks/Templating/test.ql
@@ -1,5 +1,6 @@
 import javascript
 import semmle.javascript.security.dataflow.Xss
+import semmle.javascript.security.dataflow.CodeInjectionCustomizations
 
 query Templating::TemplateSyntax getTemplateInstantiationSyntax(Templating::TemplateInstantiaton inst) {
   result = inst.getTemplateSyntax()
@@ -9,6 +10,14 @@ query Templating::TemplateSyntax getLikelyTemplateSyntax(Templating::TemplateFil
   result = Templating::getLikelyTemplateSyntax(file)
 }
 
+query Templating::TemplateFile getTargetFile(Templating::TemplateInstantiaton inst) {
+  result = inst.getTemplateFile()
+}
+
 query DomBasedXss::Sink xssSink() {
   any()
 }
+
+query CodeInjection::Sink codeInjectionSink() {
+  any()
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_sinks.ejs b/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_sinks.ejs
@@ -0,0 +1,24 @@
+<html>
+    <body>
+        <%= escapedHtml %>
+        <%- rawHtml %>
+        <%- rawHtmlSafeValue %>
+
+        <%- object.rawHtmlProp %>
+
+        <script>
+            var dataInStringLiteral = "<%= dataInStringLiteral %>";
+            var dataInStringLiteralRaw = "<%- dataInStringLiteralRaw %>";
+
+            var dataInGeneratedCode = <%= dataInGeneratedCode %>;
+            var dataInGeneratedCodeRaw = <%- dataInGeneratedCodeRaw %>;
+
+            init("<%= backslashSink1 %>", "<%= backslashSink2 %>");
+
+            var mustache = "{{ rawHtml }}";
+        </script>
+
+        <button onclick="doSomething('<%= dataInEventHandlerString %>')">Click me</button>
+        <button onclick="doSomething('<%- dataInEventHandlerStringRaw %>')">Click me</button>
+    </body>
+</html>
