Merge pull request github#17285 from asgerf/js/shared-dataflow-bump

JS: Resolve conflicts after merging 'main' into shared data flow branch

Author: asgerf

javascript/ql/lib/semmle/javascript/NodeJS.qll

@@ -309,10 +309,10 @@ private predicate isRequire(EarlyStageNode nd) {
   // `$.require('underscore');`.
   // NPM as supported in [XSJS files](https://www.npmjs.com/package/@sap/async-xsjs#npm-packages-support).
   exists(MethodCallExpr require |
-    nd.getFile().getExtension() = ["xsjs", "xsjslib"] and
+    require.getFile().getExtension() = ["xsjs", "xsjslib"] and
     require.getCalleeName() = "require" and
     require.getReceiver().(GlobalVarAccess).getName() = "$" and
-    nd = require.getCallee().flow()
+    nd = TValueNode(require.getCallee())
   )
 }
 

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

@@ -27,6 +27,10 @@ nodes
 | angular2-client.ts:38:44:38:58 | this.router.url | semmle.label | this.router.url |
 | angular2-client.ts:40:45:40:59 | this.router.url | semmle.label | this.router.url |
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | semmle.label | routeSn ... ('foo') |
+| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | semmle.label | Cookie.get("unsafe") |
+| angular-tempate-url.js:13:30:13:31 | ev | semmle.label | ev |
+| angular-tempate-url.js:14:26:14:27 | ev | semmle.label | ev |
+| angular-tempate-url.js:14:26:14:32 | ev.data | semmle.label | ev.data |
 | classnames.js:7:31:7:84 | `<span  ... <span>` | semmle.label | `<span  ... <span>` |
 | classnames.js:7:47:7:69 | classNa ... w.name) | semmle.label | classNa ... w.name) |
 | classnames.js:7:58:7:68 | window.name | semmle.label | window.name |
@@ -636,6 +640,9 @@ edges
 | angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | provenance |  |
 | angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | provenance |  |
 | angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | provenance |  |
+| angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:14:26:14:27 | ev | provenance |  |
+| angular-tempate-url.js:14:26:14:27 | ev | angular-tempate-url.js:14:26:14:32 | ev.data | provenance |  |
+| angular-tempate-url.js:14:26:14:32 | ev.data | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | provenance |  |
 | classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span  ... <span>` | provenance |  |
 | classnames.js:7:58:7:68 | window.name | classnames.js:7:47:7:69 | classNa ... w.name) | provenance |  |
 | classnames.js:8:47:8:70 | classNa ... w.name) | classnames.js:8:31:8:85 | `<span  ... <span>` | provenance |  |
@@ -1243,6 +1250,7 @@ subpaths
 | angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url | angular2-client.ts:38:44:38:58 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:38:44:38:58 | this.router.url | user-provided value |
 | angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url | angular2-client.ts:40:45:40:59 | this.router.url | Cross-site scripting vulnerability due to $@. | angular2-client.ts:40:45:40:59 | this.router.url | user-provided value |
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | Cross-site scripting vulnerability due to $@. | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | user-provided value |
+| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | Cross-site scripting vulnerability due to $@. | angular-tempate-url.js:13:30:13:31 | ev | user-provided value |
 | classnames.js:7:31:7:84 | `<span  ... <span>` | classnames.js:7:58:7:68 | window.name | classnames.js:7:31:7:84 | `<span  ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:7:58:7:68 | window.name | user-provided value |
 | classnames.js:8:31:8:85 | `<span  ... <span>` | classnames.js:8:59:8:69 | window.name | classnames.js:8:31:8:85 | `<span  ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:8:59:8:69 | window.name | user-provided value |
 | classnames.js:9:31:9:85 | `<span  ... <span>` | classnames.js:9:59:9:69 | window.name | classnames.js:9:31:9:85 | `<span  ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:9:59:9:69 | window.name | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -27,6 +27,10 @@ nodes
 | angular2-client.ts:38:44:38:58 | this.router.url | semmle.label | this.router.url |
 | angular2-client.ts:40:45:40:59 | this.router.url | semmle.label | this.router.url |
 | angular2-client.ts:44:44:44:76 | routeSn ... ('foo') | semmle.label | routeSn ... ('foo') |
+| angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | semmle.label | Cookie.get("unsafe") |
+| angular-tempate-url.js:13:30:13:31 | ev | semmle.label | ev |
+| angular-tempate-url.js:14:26:14:27 | ev | semmle.label | ev |
+| angular-tempate-url.js:14:26:14:32 | ev.data | semmle.label | ev.data |
 | classnames.js:7:31:7:84 | `<span  ... <span>` | semmle.label | `<span  ... <span>` |
 | classnames.js:7:47:7:69 | classNa ... w.name) | semmle.label | classNa ... w.name) |
 | classnames.js:7:58:7:68 | window.name | semmle.label | window.name |
@@ -657,6 +661,9 @@ edges
 | angular2-client.ts:25:44:25:74 | this.ro ... yParams | angular2-client.ts:25:44:25:78 | this.ro ... ams.foo | provenance |  |
 | angular2-client.ts:34:44:34:80 | this.ro ... ameters | angular2-client.ts:34:44:34:82 | this.ro ... eters.x | provenance |  |
 | angular2-client.ts:36:44:36:89 | this.ro ... .params | angular2-client.ts:36:44:36:91 | this.ro ... arams.x | provenance |  |
+| angular-tempate-url.js:13:30:13:31 | ev | angular-tempate-url.js:14:26:14:27 | ev | provenance |  |
+| angular-tempate-url.js:14:26:14:27 | ev | angular-tempate-url.js:14:26:14:32 | ev.data | provenance |  |
+| angular-tempate-url.js:14:26:14:32 | ev.data | angular-tempate-url.js:9:26:9:45 | Cookie.get("unsafe") | provenance |  |
 | classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span  ... <span>` | provenance |  |
 | classnames.js:7:58:7:68 | window.name | classnames.js:7:47:7:69 | classNa ... w.name) | provenance |  |
 | classnames.js:8:47:8:70 | classNa ... w.name) | classnames.js:8:31:8:85 | `<span  ... <span>` | provenance |  |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -82,6 +82,7 @@ nodes
 | build-leaks.js:41:82:41:83 | pw | semmle.label | pw |
 subpaths
 | build-leaks.js:17:12:19:9 | {\\n      ...       } | build-leaks.js:14:18:14:20 | env | build-leaks.js:16:20:16:22 | env | build-leaks.js:13:17:19:10 | Object. ...      }) |
+| build-leaks.js:22:36:22:38 | raw | build-leaks.js:22:49:22:51 | env | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ...  }, {}) |
 | build-leaks.js:22:36:22:38 | raw | build-leaks.js:23:39:23:41 | raw | build-leaks.js:22:49:22:51 | env [Return] | build-leaks.js:25:12:25:13 | [post update] {} |
 | build-leaks.js:22:36:22:38 | raw | build-leaks.js:23:39:23:41 | raw | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ...  }, {}) |
 | build-leaks.js:25:12:25:13 | {} | build-leaks.js:22:49:22:51 | env | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ...  }, {}) |

javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.expected

@@ -39,10 +39,9 @@ edges
 | RegExpInjection.js:87:25:87:48 | input.r ... g, "\|") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | provenance |  |
 | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | provenance |  |
 | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | provenance |  |
-| tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e | provenance |  |
-| tst.js:2:9:2:21 | data | tst.js:3:21:3:24 | data | provenance |  |
-| tst.js:2:16:2:16 | e | tst.js:2:9:2:21 | data | provenance |  |
-| tst.js:3:21:3:24 | data | tst.js:3:16:3:35 | "^"+ data.name + "$" | provenance |  |
+| tst.js:5:9:5:29 | data | tst.js:6:21:6:24 | data | provenance |  |
+| tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data | provenance |  |
+| tst.js:6:21:6:24 | data | tst.js:6:16:6:35 | "^"+ data.name + "$" | provenance |  |
 nodes
 | RegExpInjection.js:5:7:5:28 | key | semmle.label | key |
 | RegExpInjection.js:5:13:5:28 | req.param("key") | semmle.label | req.param("key") |
@@ -89,11 +88,10 @@ nodes
 | RegExpInjection.js:91:20:91:30 | process.env | semmle.label | process.env |
 | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | semmle.label | `^${pro ... r.app$` |
 | RegExpInjection.js:93:20:93:31 | process.argv | semmle.label | process.argv |
-| tst.js:1:46:1:46 | e | semmle.label | e |
-| tst.js:2:9:2:21 | data | semmle.label | data |
-| tst.js:2:16:2:16 | e | semmle.label | e |
-| tst.js:3:16:3:35 | "^"+ data.name + "$" | semmle.label | "^"+ data.name + "$" |
-| tst.js:3:21:3:24 | data | semmle.label | data |
+| tst.js:5:9:5:29 | data | semmle.label | data |
+| tst.js:5:16:5:29 | req.query.data | semmle.label | req.query.data |
+| tst.js:6:16:6:35 | "^"+ data.name + "$" | semmle.label | "^"+ data.name + "$" |
+| tst.js:6:21:6:24 | data | semmle.label | data |
 subpaths
 | RegExpInjection.js:11:26:11:26 | s | RegExpInjection.js:14:18:14:18 | s | RegExpInjection.js:15:12:15:24 | s + "=(.*)\\n" | RegExpInjection.js:11:20:11:27 | wrap2(s) |
 | RegExpInjection.js:19:19:19:21 | key | RegExpInjection.js:10:17:10:17 | s | RegExpInjection.js:11:12:11:27 | "\\\\b" + wrap2(s) | RegExpInjection.js:19:14:19:22 | wrap(key) |
@@ -116,4 +114,4 @@ subpaths
 | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | RegExpInjection.js:82:15:82:32 | req.param("input") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | This regular expression is constructed from a $@. | RegExpInjection.js:82:15:82:32 | req.param("input") | user-provided value |
 | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:91:20:91:30 | process.env | environment variable |
 | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:93:20:93:31 | process.argv | command-line argument |
-| tst.js:3:16:3:35 | "^"+ data.name + "$" | tst.js:1:46:1:46 | e | tst.js:3:16:3:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:1:46:1:46 | e | user-provided value |
+| tst.js:6:16:6:35 | "^"+ data.name + "$" | tst.js:5:16:5:29 | req.query.data | tst.js:6:16:6:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:5:16:5:29 | req.query.data | user-provided value |