add consistency checking for CWE-079

Author: erik-krogh

javascript/ql/test/query-tests/Security/CWE-079/Consistency.expected

@@ -0,0 +1,9 @@
+import javascript
+import testUtilities.ConsistencyChecking
+
+import semmle.javascript.security.dataflow.DomBasedXss as DomXss
+import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
+import semmle.javascript.security.dataflow.StoredXss as StoredXss
+import semmle.javascript.security.dataflow.XssThroughDom as ThroughDomXss
+import semmle.javascript.security.dataflow.ExceptionXss as ExceptionXss
+import semmle.javascript.security.dataflow.UnsafeJQueryPlugin as UnsafeJqueryPlugin

javascript/ql/test/query-tests/Security/CWE-079/Consistency.ql

@@ -86,16 +86,16 @@ nodes
 | exception-xss.js:180:26:180:30 | error |
 | exception-xss.js:182:19:182:23 | error |
 | exception-xss.js:182:19:182:23 | error |
-| tst.js:304:9:304:16 | location |
-| tst.js:304:9:304:16 | location |
-| tst.js:305:10:305:10 | e |
-| tst.js:306:20:306:20 | e |
-| tst.js:306:20:306:20 | e |
-| tst.js:311:10:311:17 | location |
-| tst.js:311:10:311:17 | location |
-| tst.js:313:10:313:10 | e |
-| tst.js:314:20:314:20 | e |
-| tst.js:314:20:314:20 | e |
+| tst.js:301:9:301:16 | location |
+| tst.js:301:9:301:16 | location |
+| tst.js:302:10:302:10 | e |
+| tst.js:303:20:303:20 | e |
+| tst.js:303:20:303:20 | e |
+| tst.js:308:10:308:17 | location |
+| tst.js:308:10:308:17 | location |
+| tst.js:310:10:310:10 | e |
+| tst.js:311:20:311:20 | e |
+| tst.js:311:20:311:20 | e |
 edges
 | exception-xss.js:2:6:2:28 | foo | exception-xss.js:9:11:9:13 | foo |
 | exception-xss.js:2:6:2:28 | foo | exception-xss.js:15:9:15:11 | foo |
@@ -178,14 +178,14 @@ edges
 | exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:180:26:180:30 | error |
 | exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error |
 | exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error |
-| tst.js:304:9:304:16 | location | tst.js:305:10:305:10 | e |
-| tst.js:304:9:304:16 | location | tst.js:305:10:305:10 | e |
-| tst.js:305:10:305:10 | e | tst.js:306:20:306:20 | e |
-| tst.js:305:10:305:10 | e | tst.js:306:20:306:20 | e |
-| tst.js:311:10:311:17 | location | tst.js:313:10:313:10 | e |
-| tst.js:311:10:311:17 | location | tst.js:313:10:313:10 | e |
-| tst.js:313:10:313:10 | e | tst.js:314:20:314:20 | e |
-| tst.js:313:10:313:10 | e | tst.js:314:20:314:20 | e |
+| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
+| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e |
+| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e |
+| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e |
+| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e |
+| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e |
+| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e |
+| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e |
 #select
 | exception-xss.js:11:18:11:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:11:18:11:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text |
 | exception-xss.js:17:18:17:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:17:18:17:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text |
@@ -203,5 +203,5 @@ edges
 | exception-xss.js:155:18:155:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:155:18:155:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:28 | document.location | Exception text |
 | exception-xss.js:175:18:175:18 | e | exception-xss.js:146:12:146:28 | document.location | exception-xss.js:175:18:175:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:146:12:146:28 | document.location | Exception text |
 | exception-xss.js:182:19:182:23 | error | exception-xss.js:180:10:180:22 | req.params.id | exception-xss.js:182:19:182:23 | error | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:180:10:180:22 | req.params.id | Exception text |
-| tst.js:306:20:306:20 | e | tst.js:304:9:304:16 | location | tst.js:306:20:306:20 | e | $@ is reinterpreted as HTML without escaping meta-characters. | tst.js:304:9:304:16 | location | Exception text |
-| tst.js:314:20:314:20 | e | tst.js:311:10:311:17 | location | tst.js:314:20:314:20 | e | $@ is reinterpreted as HTML without escaping meta-characters. | tst.js:311:10:311:17 | location | Exception text |
+| tst.js:303:20:303:20 | e | tst.js:301:9:301:16 | location | tst.js:303:20:303:20 | e | $@ is reinterpreted as HTML without escaping meta-characters. | tst.js:301:9:301:16 | location | Exception text |
+| tst.js:311:20:311:20 | e | tst.js:308:10:308:17 | location | tst.js:311:20:311:20 | e | $@ is reinterpreted as HTML without escaping meta-characters. | tst.js:308:10:308:17 | location | Exception text |

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected

@@ -136,7 +136,7 @@ app.get('/user/:id', function (req, res) {
 
   res.send(escapeHtml1(url)); // OK
   res.send(escapeHtml2(url)); // OK
-  res.send(escapeHtml3(url)); // OK - but FP
+  res.send(escapeHtml3(url)); // OK - but FP [INCONSISTENCY]
   res.send(escapeHtml4(url)); // OK
 });
 

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood3.js

@@ -238,6 +238,6 @@ edges
 | unsafe-jquery-plugin.js:127:6:127:19 | options.target | unsafe-jquery-plugin.js:126:33:126:39 | options | unsafe-jquery-plugin.js:127:6:127:19 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:126:14:128:3 | functio ...  OK\\n\\t\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:132:5:132:18 | options.target | unsafe-jquery-plugin.js:131:34:131:40 | options | unsafe-jquery-plugin.js:132:5:132:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:131:15:133:2 | functio ... T OK\\n\\t} | '$.fn.affix' plugin |
 | unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | unsafe-jquery-plugin.js:135:36:135:42 | options | unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:135:17:137:2 | functio ... T OK\\n\\t} | '$.fn.tooltip' plugin |
-| unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... gged\\n\\t} | '$.fn.my_plugin' plugin |
+| unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... NCY]\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:170:6:170:11 | target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:170:6:170:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin |
 | unsafe-jquery-plugin.js:179:5:179:18 | options.target | unsafe-jquery-plugin.js:178:27:178:33 | options | unsafe-jquery-plugin.js:179:5:179:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:178:18:180:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin |