fix that the TypeTracker was unrestricted for the base-case of nonFirstLocationType

Author: erik-krogh

javascript/ql/lib/semmle/javascript/DOM.qll

@@ -465,7 +465,11 @@ module DOM {
    */
   private DataFlow::SourceNode nonFirstLocationType(DataFlow::TypeTracker t) {
     // One step inlined in the beginning.
-    result = any(DataFlow::Node n | n.hasUnderlyingType("Location")).getALocalSource().track(_, t)
+    exists(DataFlow::TypeTracker t2 |
+      result =
+        any(DataFlow::Node n | n.hasUnderlyingType("Location")).getALocalSource().track(t2, t) and
+      t2.start()
+    )
     or
     exists(DataFlow::TypeTracker t2 | result = nonFirstLocationType(t2).track(t2, t))
   }

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected

@@ -220,9 +220,14 @@ nodes
 | typed.ts:29:33:29:43 | redirectUri |
 | typed.ts:47:25:47:34 | loc.search |
 | typed.ts:47:25:47:34 | loc.search |
+| typed.ts:48:26:48:36 | loc2.search |
+| typed.ts:48:26:48:36 | loc2.search |
 | typed.ts:51:24:51:34 | redirectUri |
 | typed.ts:52:33:52:43 | redirectUri |
 | typed.ts:52:33:52:43 | redirectUri |
+| typed.ts:55:25:55:35 | redirectUri |
+| typed.ts:56:33:56:43 | redirectUri |
+| typed.ts:56:33:56:43 | redirectUri |
 edges
 | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
 | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() |
@@ -419,8 +424,12 @@ edges
 | typed.ts:28:24:28:34 | redirectUri | typed.ts:29:33:29:43 | redirectUri |
 | typed.ts:47:25:47:34 | loc.search | typed.ts:51:24:51:34 | redirectUri |
 | typed.ts:47:25:47:34 | loc.search | typed.ts:51:24:51:34 | redirectUri |
+| typed.ts:48:26:48:36 | loc2.search | typed.ts:55:25:55:35 | redirectUri |
+| typed.ts:48:26:48:36 | loc2.search | typed.ts:55:25:55:35 | redirectUri |
 | typed.ts:51:24:51:34 | redirectUri | typed.ts:52:33:52:43 | redirectUri |
 | typed.ts:51:24:51:34 | redirectUri | typed.ts:52:33:52:43 | redirectUri |
+| typed.ts:55:25:55:35 | redirectUri | typed.ts:56:33:56:43 | redirectUri |
+| typed.ts:55:25:55:35 | redirectUri | typed.ts:56:33:56:43 | redirectUri |
 #select
 | electron.js:7:20:7:29 | getTaint() | electron.js:4:12:4:22 | window.name | electron.js:7:20:7:29 | getTaint() | Untrusted URL redirection depends on a $@. | electron.js:4:12:4:22 | window.name | user-provided value |
 | react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:81 | documen ... on.hash | react.js:10:60:10:81 | documen ... on.hash | Untrusted URL redirection depends on a $@. | react.js:10:60:10:81 | documen ... on.hash | user-provided value |
@@ -485,3 +494,4 @@ edges
 | typed.ts:8:33:8:43 | redirectUri | typed.ts:4:22:4:36 | location.search | typed.ts:8:33:8:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:4:22:4:36 | location.search | user-provided value |
 | typed.ts:29:33:29:43 | redirectUri | typed.ts:25:25:25:34 | loc.search | typed.ts:29:33:29:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:25:25:25:34 | loc.search | user-provided value |
 | typed.ts:52:33:52:43 | redirectUri | typed.ts:47:25:47:34 | loc.search | typed.ts:52:33:52:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:47:25:47:34 | loc.search | user-provided value |
+| typed.ts:56:33:56:43 | redirectUri | typed.ts:48:26:48:36 | loc2.search | typed.ts:56:33:56:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:48:26:48:36 | loc2.search | user-provided value |

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/typed.ts

@@ -53,6 +53,6 @@ export class WeirdTracking {
     }
 
     private doRedirect2(redirectUri: string) {
-        window.location.replace(redirectUri); // NOT OK - but not flagged [INCONSISTENCY]
+        window.location.replace(redirectUri); // NOT OK - and correctly flagged
     }
 }