JS: Add tests for EJS includes

asgerf · asgerf · commit b7339348efaa · 2021-08-11T12:50:54.000+02:00
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/Xss.expected b/javascript/ql/test/library-tests/frameworks/Templating/Xss.expected
@@ -77,6 +77,12 @@ nodes
 | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml |
+| views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
+| views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
+| views/ejs_include1.ejs:1:5:1:7 | foo |
+| views/ejs_include2.ejs:1:1:1:14 | <%- rawHtml %> |
+| views/ejs_include2.ejs:1:1:1:14 | <%- rawHtml %> |
+| views/ejs_include2.ejs:1:5:1:11 | rawHtml |
 | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:4:13:4:19 | rawHtml |
@@ -92,6 +98,7 @@ nodes
 | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
 | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
 | views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw |
+| views/ejs_sinks.ejs:24:44:24:50 | rawHtml |
 | views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} |
 | views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} |
 | views/hbs_sinks.hbs:4:13:4:19 | rawHtml |
@@ -121,8 +128,12 @@ nodes
 | views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw |
 | views/njk_sinks.njk:23:42:23:68 | dataInE ... ringRaw |
 edges
+| app.js:8:18:8:34 | req.query.rawHtml | views/ejs_include2.ejs:1:5:1:11 | rawHtml |
+| app.js:8:18:8:34 | req.query.rawHtml | views/ejs_include2.ejs:1:5:1:11 | rawHtml |
 | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:4:13:4:19 | rawHtml |
 | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:4:13:4:19 | rawHtml |
+| app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:24:44:24:50 | rawHtml |
+| app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:24:44:24:50 | rawHtml |
 | app.js:11:26:11:46 | req.que ... tmlProp | views/ejs_sinks.ejs:7:13:7:30 | object.rawHtmlProp |
 | app.js:11:26:11:46 | req.que ... tmlProp | views/ejs_sinks.ejs:7:13:7:30 | object.rawHtmlProp |
 | app.js:14:33:14:64 | req.que ... eralRaw | views/ejs_sinks.ejs:11:47:11:68 | dataInS ... eralRaw |
@@ -203,6 +214,10 @@ edges
 | views/angularjs_include.ejs:3:9:3:15 | rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> |
 | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/angularjs_sinks.ejs:4:13:4:19 | rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
+| views/ejs_include1.ejs:1:5:1:7 | foo | views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
+| views/ejs_include1.ejs:1:5:1:7 | foo | views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
+| views/ejs_include2.ejs:1:5:1:11 | rawHtml | views/ejs_include2.ejs:1:1:1:14 | <%- rawHtml %> |
+| views/ejs_include2.ejs:1:5:1:11 | rawHtml | views/ejs_include2.ejs:1:1:1:14 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:4:13:4:19 | rawHtml | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:4:13:4:19 | rawHtml | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:7:13:7:30 | object.rawHtmlProp | views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> |
@@ -213,6 +228,7 @@ edges
 | views/ejs_sinks.ejs:14:46:14:67 | dataInG ... CodeRaw | views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> |
 | views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
 | views/ejs_sinks.ejs:22:43:22:69 | dataInE ... ringRaw | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
+| views/ejs_sinks.ejs:24:44:24:50 | rawHtml | views/ejs_include1.ejs:1:5:1:7 | foo |
 | views/hbs_sinks.hbs:4:13:4:19 | rawHtml | views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} |
 | views/hbs_sinks.hbs:4:13:4:19 | rawHtml | views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} |
 | views/hbs_sinks.hbs:7:13:7:30 | object.rawHtmlProp | views/hbs_sinks.hbs:7:9:7:34 | {{{ object.rawHtmlProp }}} |
@@ -238,6 +254,8 @@ edges
 | projectB/views/subfolder/other.ejs:3:1:3:12 | <%- sinkB %> | projectB/src/index.js:38:16:38:30 | req.query.sinkB | projectB/views/subfolder/other.ejs:3:1:3:12 | <%- sinkB %> | Cross-site scripting vulnerability due to $@. | projectB/src/index.js:38:16:38:30 | req.query.sinkB | user-provided value |
 | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> | Cross-site scripting vulnerability due to $@. | app.js:66:18:66:34 | req.query.rawHtml | user-provided value |
 | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | app.js:66:18:66:34 | req.query.rawHtml | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | Cross-site scripting vulnerability due to $@. | app.js:66:18:66:34 | req.query.rawHtml | user-provided value |
+| views/ejs_include1.ejs:1:1:1:10 | <%- foo %> | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_include1.ejs:1:1:1:10 | <%- foo %> | Cross-site scripting vulnerability due to $@. | app.js:8:18:8:34 | req.query.rawHtml | user-provided value |
+| views/ejs_include2.ejs:1:1:1:14 | <%- rawHtml %> | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_include2.ejs:1:1:1:14 | <%- rawHtml %> | Cross-site scripting vulnerability due to $@. | app.js:8:18:8:34 | req.query.rawHtml | user-provided value |
 | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | app.js:8:18:8:34 | req.query.rawHtml | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> | Cross-site scripting vulnerability due to $@. | app.js:8:18:8:34 | req.query.rawHtml | user-provided value |
 | views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> | app.js:11:26:11:46 | req.que ... tmlProp | views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> | Cross-site scripting vulnerability due to $@. | app.js:11:26:11:46 | req.que ... tmlProp | user-provided value |
 | views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> | app.js:14:33:14:64 | req.que ... eralRaw | views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> | Cross-site scripting vulnerability due to $@. | app.js:14:33:14:64 | req.que ... eralRaw | user-provided value |
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/test.expected b/javascript/ql/test/library-tests/frameworks/Templating/test.expected
@@ -10,6 +10,8 @@ getLikelyTemplateSyntax
 | projectB/views/subfolder/other.ejs:0:0:0:0 | projectB/views/subfolder/other.ejs | ejs |
 | views/angularjs_include.ejs:0:0:0:0 | views/angularjs_include.ejs | ejs |
 | views/angularjs_sinks.ejs:0:0:0:0 | views/angularjs_sinks.ejs | ejs |
+| views/ejs_include1.ejs:0:0:0:0 | views/ejs_include1.ejs | ejs |
+| views/ejs_include2.ejs:0:0:0:0 | views/ejs_include2.ejs | ejs |
 | views/ejs_sinks.ejs:0:0:0:0 | views/ejs_sinks.ejs | ejs |
 | views/hbs_sinks.hbs:0:0:0:0 | views/hbs_sinks.hbs | mustache |
 | views/instantiated_as_ejs.html:0:0:0:0 | views/instantiated_as_ejs.html | ejs |
@@ -32,6 +34,7 @@ getTargetFile
 | projectB/src/index.js:16:5:19:6 | res.ren ... \\n    }) | projectB/views/subfolder/index.ejs:0:0:0:0 | projectB/views/subfolder/index.ejs |
 | projectB/src/index.js:31:5:34:6 | res.ren ... \\n    }) | projectB/views/subfolder/other.ejs:0:0:0:0 | projectB/views/subfolder/other.ejs |
 | projectB/src/index.js:36:5:39:6 | res.ren ... \\n    }) | projectB/views/subfolder/other.ejs:0:0:0:0 | projectB/views/subfolder/other.ejs |
+| views/ejs_sinks.ejs:24:13:24:53 | include ... Html }) | views/ejs_include1.ejs:0:0:0:0 | views/ejs_include1.ejs |
 xssSink
 | projectA/views/main.ejs:2:1:2:12 | <%- sinkA %> |
 | projectA/views/subfolder/index.ejs:2:1:2:12 | <%- sinkA %> |
@@ -41,12 +44,15 @@ xssSink
 | projectB/views/subfolder/other.ejs:3:1:3:12 | <%- sinkB %> |
 | views/angularjs_include.ejs:3:5:3:18 | <%- rawHtml %> |
 | views/angularjs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
+| views/ejs_include1.ejs:1:1:1:10 | <%- foo %> |
+| views/ejs_include2.ejs:1:1:1:14 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:4:9:4:22 | <%- rawHtml %> |
 | views/ejs_sinks.ejs:5:9:5:31 | <%- rawHtmlSafeValue %> |
 | views/ejs_sinks.ejs:7:9:7:33 | <%- object.rawHtmlProp %> |
 | views/ejs_sinks.ejs:11:43:11:71 | <%- dataInStringLiteralRaw %> |
 | views/ejs_sinks.ejs:14:42:14:70 | <%- dataInGeneratedCodeRaw %> |
 | views/ejs_sinks.ejs:22:39:22:72 | <%- dataInEventHandlerStringRaw %> |
+| views/ejs_sinks.ejs:24:9:24:57 | <%- include('ejs_include1', { foo: rawHtml }) _%> |
 | views/hbs_sinks.hbs:4:9:4:23 | {{{ rawHtml }}} |
 | views/hbs_sinks.hbs:5:9:5:32 | {{{ rawHtmlSafeValue }}} |
 | views/hbs_sinks.hbs:7:9:7:34 | {{{ object.rawHtmlProp }}} |
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_include1.ejs b/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_include1.ejs
@@ -0,0 +1 @@
+<%- foo %>
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_include2.ejs b/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_include2.ejs
@@ -0,0 +1 @@
+<%- rawHtml %>
diff --git a/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_sinks.ejs b/javascript/ql/test/library-tests/frameworks/Templating/views/ejs_sinks.ejs
@@ -20,5 +20,8 @@
 
         <button onclick="doSomething('<%= dataInEventHandlerString %>')">Click me</button>
         <button onclick="doSomething('<%- dataInEventHandlerStringRaw %>')">Click me</button>
+
+        <%- include('ejs_include1', { foo: rawHtml }) _%>
+        <% include ejs_include2 %>
     </body>
 </html>
