add model for xml2js

Author: erik-krogh

javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll

@@ -169,6 +169,31 @@ module XML {
     override predicate resolvesEntities(XML::EntityKind kind) { kind = InternalEntity() }
   }
 
+  /**
+   * An invocation of `xml2js`.
+   */
+  private class Xml2JSInvocation extends XML::ParserInvocation {
+    js::DataFlow::CallNode call;
+
+    Xml2JSInvocation() {
+      exists(js::API::Node imp | imp = js::API::moduleImport("xml2js") |
+        call = [imp, imp.getMember("Parser").getInstance()].getMember("parseString").getACall() and
+        this = call.asExpr()
+      )
+    }
+
+    override js::Expr getSourceArgument() { result = getArgument(0) }
+
+    override predicate resolvesEntities(XML::EntityKind kind) {
+      // sax-js (the parser used) does not expand entities.
+      none()
+    }
+
+    override js::DataFlow::Node getAResult() {
+      result = call.getABoundCallbackParameter(call.getNumArgument() - 1, 1)
+    }
+  }
+
   private class XMLParserTaintStep extends js::TaintTracking::AdditionalTaintStep {
     XML::ParserInvocation parser;
 

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -146,3 +146,4 @@ typeInferenceMismatch
 | tst.js:2:13:2:20 | source() | tst.js:47:10:47:30 | Buffer. ...  'hex') |
 | tst.js:2:13:2:20 | source() | tst.js:48:10:48:22 | new Buffer(x) |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
+| xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |

javascript/ql/test/library-tests/TaintTracking/xml.js

@@ -7,4 +7,9 @@
     parser.on("text", text => {
         sink(text); // NOT OK
     });
+
+    var parseString = require('xml2js').parseString;
+    parseString(source(), function (err, result) {
+        sink(result); // NOT OK
+    });
 })();