Merge pull request github#3539 from asger-semmle/js/capture-level-flow

Approved by erik-krogh

Author: semmle-qlci

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -31,6 +31,7 @@ typeInferenceMismatch
 | callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
 | callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
+| capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | closure.js:6:15:6:22 | source() | closure.js:8:8:8:31 | string. ... (taint) |
 | closure.js:6:15:6:22 | source() | closure.js:9:8:9:25 | string.trim(taint) |

javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected

@@ -22,6 +22,7 @@
 | callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
 | callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
+| capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:22:8:22:19 | c_safe.taint |

javascript/ql/test/library-tests/TaintTracking/capture-flow.js

@@ -0,0 +1,19 @@
+import 'dummy';
+
+function outerMost() {
+    function outer() {
+        var captured;
+        function f(x) {
+            captured = x;
+        }
+        f(source());
+
+        return captured;
+    }
+
+    sink(outer()); // NOT OK
+
+    return outer();
+}
+
+sink(outerMost()); // NOT OK - but missed