JavaScript: Add new tests for recognising receiver of event handler as DOM element.

Max Schaefer · Max Schaefer · commit ae2a5da63f4c · 2021-02-25T09:04:46.000Z
diff --git a/javascript/ql/test/library-tests/DOM/Customizations.expected b/javascript/ql/test/library-tests/DOM/Customizations.expected
@@ -1,11 +1,15 @@
 test_documentRef
 | customization.js:2:13:2:31 | customGetDocument() |
+| event-handler-receiver.js:1:1:1:8 | document |
 | nameditems.js:1:1:1:8 | document |
 test_locationRef
 | customization.js:3:3:3:14 | doc.location |
+| event-handler-receiver.js:2:49:2:56 | location |
 test_domValueRef
 | customization.js:4:3:4:20 | doc.getElementById |
 | customization.js:4:3:4:28 | doc.get ... 'test') |
+| event-handler-receiver.js:1:1:1:23 | documen ... entById |
+| event-handler-receiver.js:1:1:1:32 | documen ... my-id') |
 | nameditems.js:1:1:1:23 | documen ... entById |
 | nameditems.js:1:1:1:30 | documen ... ('foo') |
 | nameditems.js:1:1:2:19 | documen ... em('x') |
diff --git a/javascript/ql/test/library-tests/DOM/event-handler-receiver.html b/javascript/ql/test/library-tests/DOM/event-handler-receiver.html
@@ -0,0 +1,6 @@
+<html>
+<head></head>
+<body>
+  <button onclick="alert(this.tagName);">Click me</button>
+</body>
+</html>
diff --git a/javascript/ql/test/library-tests/DOM/event-handler-receiver.js b/javascript/ql/test/library-tests/DOM/event-handler-receiver.js
@@ -0,0 +1,3 @@
+document.getElementById('my-id').onclick = function() {
+  this.parentNode.innerHTML = '<h2><a href="' + location.href + '">A link</a></h2>'; // NOT OK
+};
diff --git a/javascript/ql/test/library-tests/DOM/tests.expected b/javascript/ql/test/library-tests/DOM/tests.expected
@@ -1,4 +1,5 @@
 test_AttributeDefinition
+| event-handler-receiver.html:4:11:4:40 | onclick=alert(this.tagName); |
 | tst.html:3:6:3:30 | href=https://semmle.com |
 | tst.html:3:32:3:46 | target=_blank |
 | tst.js:2:22:2:37 | target: "_blank" |
@@ -13,12 +14,17 @@ test_AttributeDefinition
 | tst.jsx:4:40:4:48 | rel={rel} |
 | tst.jsx:4:50:4:64 | {...otherAttrs} |
 test_ElementDefinition_getAttribute
+| event-handler-receiver.html:4:3:4:58 | <button>...</> | 0 | event-handler-receiver.html:4:11:4:40 | onclick=alert(this.tagName); |
 | tst.html:3:3:3:57 | <a>...</> | 0 | tst.html:3:6:3:30 | href=https://semmle.com |
 | tst.html:3:3:3:57 | <a>...</> | 1 | tst.html:3:32:3:46 | target=_blank |
 | tst.jsx:4:11:4:75 | <a href ... mle</a> | 0 | tst.jsx:4:14:4:38 | href="h ... le.com" |
 | tst.jsx:4:11:4:75 | <a href ... mle</a> | 1 | tst.jsx:4:40:4:48 | rel={rel} |
 | tst.jsx:4:11:4:75 | <a href ... mle</a> | 2 | tst.jsx:4:50:4:64 | {...otherAttrs} |
 test_ElementDefinition_getRoot
+| event-handler-receiver.html:1:1:6:7 | <html>...</> | event-handler-receiver.html:1:1:6:7 | <html>...</> |
+| event-handler-receiver.html:2:1:2:13 | <head>...</> | event-handler-receiver.html:1:1:6:7 | <html>...</> |
+| event-handler-receiver.html:3:1:5:7 | <body>...</> | event-handler-receiver.html:1:1:6:7 | <html>...</> |
+| event-handler-receiver.html:4:3:4:58 | <button>...</> | event-handler-receiver.html:1:1:6:7 | <html>...</> |
 | tst.html:1:1:5:7 | <html>...</> | tst.html:1:1:5:7 | <html>...</> |
 | tst.html:2:1:4:7 | <body>...</> | tst.html:1:1:5:7 | <html>...</> |
 | tst.html:3:3:3:57 | <a>...</> | tst.html:1:1:5:7 | <html>...</> |
@@ -36,6 +42,7 @@ test_WebStorageWrite
 | tst.js:17:24:17:30 | "value" |
 | tst.js:18:33:18:39 | "value" |
 test_ElementDefinition_getAttributeByName
+| event-handler-receiver.html:4:3:4:58 | <button>...</> | onclick | event-handler-receiver.html:4:11:4:40 | onclick=alert(this.tagName); |
 | tst.html:3:3:3:57 | <a>...</> | href | tst.html:3:6:3:30 | href=https://semmle.com |
 | tst.html:3:3:3:57 | <a>...</> | target | tst.html:3:32:3:46 | target=_blank |
 | tst.js:3:11:3:31 | $("<a/> ... rAttrs) | data-bind | tst.js:6:5:6:24 | "data-bind": "stuff" |
@@ -49,6 +56,7 @@ test_ElementDefinition_getAttributeByName
 | tst.jsx:4:11:4:75 | <a href ... mle</a> | href | tst.jsx:4:14:4:38 | href="h ... le.com" |
 | tst.jsx:4:11:4:75 | <a href ... mle</a> | rel | tst.jsx:4:40:4:48 | rel={rel} |
 test_AttributeDefinition_getStringValue
+| event-handler-receiver.html:4:11:4:40 | onclick=alert(this.tagName); | alert(this.tagName); |
 | tst.html:3:6:3:30 | href=https://semmle.com | https://semmle.com |
 | tst.html:3:32:3:46 | target=_blank | _blank |
 | tst.js:2:22:2:37 | target: "_blank" | _blank |
@@ -61,6 +69,7 @@ test_AttributeDefinition_getStringValue
 | tst.js:13:3:13:28 | $.prop( ... d", "") |  |
 | tst.jsx:4:14:4:38 | href="h ... le.com" | https://semmle.com |
 test_AttributeDefinition_getName
+| event-handler-receiver.html:4:11:4:40 | onclick=alert(this.tagName); | onclick |
 | tst.html:3:6:3:30 | href=https://semmle.com | href |
 | tst.html:3:32:3:46 | target=_blank | target |
 | tst.js:2:22:2:37 | target: "_blank" | target |
@@ -74,6 +83,10 @@ test_AttributeDefinition_getName
 | tst.jsx:4:14:4:38 | href="h ... le.com" | href |
 | tst.jsx:4:40:4:48 | rel={rel} | rel |
 test_Element
+| event-handler-receiver.html:1:1:6:7 | <html>...</> | event-handler-receiver.html:1:1:6:7 | <html>...</> |
+| event-handler-receiver.html:2:1:2:13 | <head>...</> | event-handler-receiver.html:2:1:2:13 | <head>...</> |
+| event-handler-receiver.html:3:1:5:7 | <body>...</> | event-handler-receiver.html:3:1:5:7 | <body>...</> |
+| event-handler-receiver.html:4:3:4:58 | <button>...</> | event-handler-receiver.html:4:3:4:58 | <button>...</> |
 | tst.html:1:1:5:7 | <html>...</> | tst.html:1:1:5:7 | <html>...</> |
 | tst.html:2:1:4:7 | <body>...</> | tst.html:2:1:4:7 | <body>...</> |
 | tst.html:3:3:3:57 | <a>...</> | tst.html:3:3:3:57 | <a>...</> |
@@ -110,6 +123,10 @@ test_AttributeDefinition_getValueNode
 | tst.jsx:4:40:4:48 | rel={rel} | tst.jsx:4:45:4:47 | rel |
 | tst.jsx:4:50:4:64 | {...otherAttrs} | tst.jsx:4:50:4:64 | ...otherAttrs |
 test_ElementDefinition
+| event-handler-receiver.html:1:1:6:7 | <html>...</> | html |
+| event-handler-receiver.html:2:1:2:13 | <head>...</> | head |
+| event-handler-receiver.html:3:1:5:7 | <body>...</> | body |
+| event-handler-receiver.html:4:3:4:58 | <button>...</> | button |
 | tst.html:1:1:5:7 | <html>...</> | html |
 | tst.html:2:1:4:7 | <body>...</> | body |
 | tst.html:3:3:3:57 | <a>...</> | a |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected
@@ -0,0 +1 @@
+| query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js:2 | expected an alert, but found none | NOT OK |  |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js
@@ -0,0 +1,3 @@
+document.getElementById('my-id').onclick = function() {
+  this.parentNode.innerHTML = '<h2><a href="' + location.href + '">A link</a></h2>'; // NOT OK
+};

-Original file line number
+Diff line change
@@ @@ -0,0 +1,6 @@ @@
 +<html>
 +<head></head>
 +<body>
 +  <button onclick="alert(this.tagName);">Click me</button>
 +</body>
 +</html>
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+document.getElementById('my-id').onclick = function() {`
	`2`	`+ this.parentNode.innerHTML = '<h2><a href="' + location.href + '">A link</a></h2>'; // NOT OK`
	`3`	`+};`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js:2 \| expected an alert, but found none \| NOT OK \| \|`