JS: Add test case with [(ngModel)]

asgerf · asgerf · commit d55c68c1f1f6 · 2025-01-17T10:24:16.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -1,5 +1,5 @@
 edges
-| angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo | provenance |  |
+| angular.ts:23:24:23:33 | form.value | angular.ts:23:24:23:37 | form.value.foo | provenance |  |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values | provenance |  |
 | forms.js:9:31:9:36 | values | forms.js:9:31:9:40 | values.foo | provenance |  |
 | forms.js:11:24:11:29 | values | forms.js:12:31:12:36 | values | provenance |  |
@@ -43,10 +43,10 @@ edges
 | xss-through-dom.js:154:25:154:27 | msg | xss-through-dom.js:155:27:155:29 | msg | provenance |  |
 | xss-through-dom.js:159:34:159:52 | $("textarea").val() | xss-through-dom.js:154:25:154:27 | msg | provenance |  |
 nodes
-| angular.ts:12:24:12:41 | event.target.value | semmle.label | event.target.value |
-| angular.ts:16:24:16:35 | target.value | semmle.label | target.value |
-| angular.ts:20:24:20:33 | form.value | semmle.label | form.value |
-| angular.ts:20:24:20:37 | form.value.foo | semmle.label | form.value.foo |
+| angular.ts:15:24:15:41 | event.target.value | semmle.label | event.target.value |
+| angular.ts:19:24:19:35 | target.value | semmle.label | target.value |
+| angular.ts:23:24:23:33 | form.value | semmle.label | form.value |
+| angular.ts:23:24:23:37 | form.value.foo | semmle.label | form.value.foo |
 | forms.js:8:23:8:28 | values | semmle.label | values |
 | forms.js:9:31:9:36 | values | semmle.label | values |
 | forms.js:9:31:9:40 | values.foo | semmle.label | values.foo |
@@ -129,9 +129,9 @@ nodes
 | xss-through-dom.js:159:34:159:52 | $("textarea").val() | semmle.label | $("textarea").val() |
 subpaths
 #select
-| angular.ts:12:24:12:41 | event.target.value | angular.ts:12:24:12:41 | event.target.value | angular.ts:12:24:12:41 | event.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:12:24:12:41 | event.target.value | DOM text |
-| angular.ts:16:24:16:35 | target.value | angular.ts:16:24:16:35 | target.value | angular.ts:16:24:16:35 | target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:16:24:16:35 | target.value | DOM text |
-| angular.ts:20:24:20:37 | form.value.foo | angular.ts:20:24:20:33 | form.value | angular.ts:20:24:20:37 | form.value.foo | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:20:24:20:33 | form.value | DOM text |
+| angular.ts:15:24:15:41 | event.target.value | angular.ts:15:24:15:41 | event.target.value | angular.ts:15:24:15:41 | event.target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:15:24:15:41 | event.target.value | DOM text |
+| angular.ts:19:24:19:35 | target.value | angular.ts:19:24:19:35 | target.value | angular.ts:19:24:19:35 | target.value | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:19:24:19:35 | target.value | DOM text |
+| angular.ts:23:24:23:37 | form.value.foo | angular.ts:23:24:23:33 | form.value | angular.ts:23:24:23:37 | form.value.foo | $@ is reinterpreted as HTML without escaping meta-characters. | angular.ts:23:24:23:33 | form.value | DOM text |
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
 | forms.js:25:23:25:34 | values.email | forms.js:24:15:24:20 | values | forms.js:25:23:25:34 | values.email | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:24:15:24:20 | values | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts
@@ -5,9 +5,12 @@ import { NgForm } from "@angular/forms";
     template: `
         <input type="text" (input)="setInput1($event)"></input>
         <input type="text" (input)="setInput2($event.target)"></input>
+        <input type="text" [(ngModel)]="field"></input>
     `
 })
 export class Foo {
+    field: string = "";
+
     setInput1(event) {
         document.write(event.target.value); // NOT OK
     }
@@ -19,4 +22,8 @@ export class Foo {
     blah(form: NgForm) {
         document.write(form.value.foo); // NOT OK
     }
+
+    useField() {
+        document.write(this.field); // NOT OK [INCONSISTENCY]
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -5,9 +5,12 @@ import { NgForm } from "@angular/forms";`
`5`	`5`	template: `
`6`	`6`	`<input type="text" (input)="setInput1($event)"></input>`
`7`	`7`	`<input type="text" (input)="setInput2($event.target)"></input>`
	`8`	`+ <input type="text" [(ngModel)]="field"></input>`
`8`	`9`	`
`9`	`10`	`})`
`10`	`11`	`export class Foo {`
	`12`	`+ field: string = "";`
	`13`	`+`
`11`	`14`	`setInput1(event) {`
`12`	`15`	`document.write(event.target.value); // NOT OK`
`13`	`16`	`}`
`@@ -19,4 +22,8 @@ export class Foo {`
`19`	`22`	`blah(form: NgForm) {`
`20`	`23`	`document.write(form.value.foo); // NOT OK`
`21`	`24`	`}`
	`25`	`+`
	`26`	`+ useField() {`
	`27`	`+ document.write(this.field); // NOT OK [INCONSISTENCY]`
	`28`	`+ }`
`22`	`29`	`}`