JS: Add inline expectation test specifically for TaintedUrlSuffix

asgerf · asgerf · commit e1bed42481b2 · 2024-09-12T13:42:20.000+02:00
diff --git a/javascript/ql/test/library-tests/TaintedUrlSuffix/test.expected b/javascript/ql/test/library-tests/TaintedUrlSuffix/test.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
diff --git a/javascript/ql/test/library-tests/TaintedUrlSuffix/test.ql b/javascript/ql/test/library-tests/TaintedUrlSuffix/test.ql
@@ -0,0 +1,52 @@
+import javascript
+import testUtilities.InlineExpectationsTest
+import semmle.javascript.security.TaintedUrlSuffix
+
+module TestConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowLabel;
+
+  predicate isSource(DataFlow::Node node, DataFlow::FlowLabel state) {
+    node = TaintedUrlSuffix::source() and state = TaintedUrlSuffix::label()
+    or
+    node instanceof RemoteFlowSource and
+    not node = TaintedUrlSuffix::source() and
+    state.isTaint()
+  }
+
+  predicate isSink(DataFlow::Node node, DataFlow::FlowLabel state) { none() }
+
+  predicate isSink(DataFlow::Node node) {
+    exists(DataFlow::CallNode call |
+      call.getCalleeName() = "sink" and
+      node = call.getArgument(0)
+    )
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node node1, DataFlow::FlowLabel state1, DataFlow::Node node2,
+    DataFlow::FlowLabel state2
+  ) {
+    TaintedUrlSuffix::step(node1, node2, state1, state2)
+  }
+
+  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
+    TaintedUrlSuffix::isBarrier(node, label)
+  }
+}
+
+module TestFlow = TaintTracking::GlobalWithState<TestConfig>;
+
+module InlineTest implements TestSig {
+  string getARelevantTag() { result = "flow" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "flow" and
+    exists(TestFlow::PathNode src, TestFlow::PathNode sink | TestFlow::flowPath(src, sink) |
+      sink.getLocation() = location and
+      element = "" and
+      value = sink.getState()
+    )
+  }
+}
+
+import MakeTest<InlineTest>
diff --git a/javascript/ql/test/library-tests/TaintedUrlSuffix/tst.js b/javascript/ql/test/library-tests/TaintedUrlSuffix/tst.js
@@ -0,0 +1,22 @@
+import 'dummy';
+
+function t1() {
+    const href = window.location.href;
+
+    sink(href); // $ flow=tainted-url-suffix
+
+    sink(href.split('#')[0]); // $ MISSING: flow=tainted-url-suffix SPURIOUS: flow=taint
+    sink(href.split('#')[1]); // $ flow=taint
+    sink(href.split('#').pop()); // $ flow=taint
+    sink(href.split('#')[2]); // $ flow=taint
+
+    sink(href.split('?')[0]); // $ MISSING: flow=tainted-url-suffix
+    sink(href.split('?')[1]); // $ flow=taint
+    sink(href.split('?').pop()); // $ flow=taint
+    sink(href.split('?')[2]); // $ flow=taint
+
+    sink(href.split(blah())[0]); // $ flow=tainted-url-suffix
+    sink(href.split(blah())[1]); // $ flow=tainted-url-suffix
+    sink(href.split(blah()).pop()); // $ flow=tainted-url-suffix
+    sink(href.split(blah())[2]); // $ flow=tainted-url-suffix
+}
