JS: Add test case showing false negative

asgerf · asgerf · commit bc2a772f3ba6 · 2023-03-27T11:08:39.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected
@@ -0,0 +1 @@
+| query-tests/Security/CWE-079/DomBasedXss/jquery.js:37 | expected an alert, but found none | NOT OK |  |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -431,6 +431,8 @@ nodes
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:13:34:16 | hash |
+| jquery.js:36:25:36:31 | tainted |
+| jquery.js:36:25:36:31 | tainted |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:18:5:36 | req.param("locale") |
@@ -1512,6 +1514,8 @@ edges
 | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
@@ -2355,6 +2359,7 @@ edges
 | jquery.js:27:5:27:25 | hash.re ... #', '') | jquery.js:18:14:18:33 | window.location.hash | jquery.js:27:5:27:25 | hash.re ... #', '') | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value |
 | jquery.js:28:5:28:43 | window. ... ?', '') | jquery.js:28:5:28:26 | window. ... .search | jquery.js:28:5:28:43 | window. ... ?', '') | Cross-site scripting vulnerability due to $@. | jquery.js:28:5:28:26 | window. ... .search | user-provided value |
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' | jquery.js:18:14:18:33 | window.location.hash | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' | Cross-site scripting vulnerability due to $@. | jquery.js:18:14:18:33 | window.location.hash | user-provided value |
+| jquery.js:36:25:36:31 | tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:36:25:36:31 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value |
 | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value |
 | jwt-server.js:11:19:11:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:11:19:11:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -431,6 +431,8 @@ nodes
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:5:34:25 | '<b>' + ...  '</b>' |
 | jquery.js:34:13:34:16 | hash |
+| jquery.js:36:25:36:31 | tainted |
+| jquery.js:36:25:36:31 | tainted |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:9:5:36 | locale |
 | json-stringify.jsx:5:18:5:36 | req.param("locale") |
@@ -1562,6 +1564,8 @@ edges
 | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") |
 | jquery.js:2:7:2:40 | tainted | jquery.js:7:20:7:26 | tainted |
 | jquery.js:2:7:2:40 | tainted | jquery.js:8:28:8:34 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
+| jquery.js:2:7:2:40 | tainted | jquery.js:36:25:36:31 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
 | jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js
@@ -32,4 +32,7 @@ function test() {
   $(hash + 'blah'); // OK
   $('blah' + hash); // OK - does not start with '<'
   $('<b>' + hash + '</b>'); // NOT OK
+
+  $('#foo').replaceWith(tainted); // NOT OK
+  $('#foo').replaceWith(() => tainted); // NOT OK
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| query-tests/Security/CWE-079/DomBasedXss/jquery.js:37 \| expected an alert, but found none \| NOT OK \| \|`
Original file line number	Diff line number	Diff line change
`@@ -32,4 +32,7 @@ function test() {`
`32`	`32`	`$(hash + 'blah'); // OK`
`33`	`33`	`$('blah' + hash); // OK - does not start with '<'`
`34`	`34`	`$('<b>' + hash + '</b>'); // NOT OK`
	`35`	`+`
	`36`	`+ $('#foo').replaceWith(tainted); // NOT OK`
	`37`	`+ $('#foo').replaceWith(() => tainted); // NOT OK`
`35`	`38`	`}`