Add replace method test

tyage · tyage · commit 320cb99dbfb1 · 2023-04-08T18:31:48.000+09:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -567,13 +567,18 @@ nodes
 | react-use-router.js:8:21:8:32 | router.query |
 | react-use-router.js:8:21:8:39 | router.query.foobar |
 | react-use-router.js:8:21:8:39 | router.query.foobar |
-| react-use-router.js:19:15:19:24 | router |
-| react-use-router.js:19:17:19:22 | router |
-| react-use-router.js:20:43:20:48 | router |
-| react-use-router.js:20:43:20:54 | router.query |
-| react-use-router.js:20:43:20:54 | router.query |
-| react-use-router.js:20:43:20:61 | router.query.foobar |
-| react-use-router.js:20:43:20:61 | router.query.foobar |
+| react-use-router.js:11:24:11:29 | router |
+| react-use-router.js:11:24:11:35 | router.query |
+| react-use-router.js:11:24:11:35 | router.query |
+| react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:22:15:22:24 | router |
+| react-use-router.js:22:17:22:22 | router |
+| react-use-router.js:23:43:23:48 | router |
+| react-use-router.js:23:43:23:54 | router.query |
+| react-use-router.js:23:43:23:54 | router.query |
+| react-use-router.js:23:43:23:61 | router.query.foobar |
+| react-use-router.js:23:43:23:61 | router.query.foobar |
 | react-use-state.js:4:9:4:49 | state |
 | react-use-state.js:4:9:4:49 | state |
 | react-use-state.js:4:10:4:14 | state |
@@ -1715,21 +1720,27 @@ edges
 | react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name |
 | react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name |
 | react-use-router.js:4:9:4:28 | router | react-use-router.js:8:21:8:26 | router |
+| react-use-router.js:4:9:4:28 | router | react-use-router.js:11:24:11:29 | router |
 | react-use-router.js:4:18:4:28 | useRouter() | react-use-router.js:4:9:4:28 | router |
 | react-use-router.js:8:21:8:26 | router | react-use-router.js:8:21:8:32 | router.query |
 | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar |
 | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar |
 | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar |
 | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar |
 | react-use-router.js:8:21:8:39 | router.query.foobar | react-use-router.js:4:18:4:28 | useRouter() |
-| react-use-router.js:19:15:19:24 | router | react-use-router.js:20:43:20:48 | router |
-| react-use-router.js:19:17:19:22 | router | react-use-router.js:19:15:19:24 | router |
-| react-use-router.js:20:43:20:48 | router | react-use-router.js:20:43:20:54 | router.query |
-| react-use-router.js:20:43:20:54 | router.query | react-use-router.js:20:43:20:61 | router.query.foobar |
-| react-use-router.js:20:43:20:54 | router.query | react-use-router.js:20:43:20:61 | router.query.foobar |
-| react-use-router.js:20:43:20:54 | router.query | react-use-router.js:20:43:20:61 | router.query.foobar |
-| react-use-router.js:20:43:20:54 | router.query | react-use-router.js:20:43:20:61 | router.query.foobar |
-| react-use-router.js:20:43:20:61 | router.query.foobar | react-use-router.js:19:17:19:22 | router |
+| react-use-router.js:11:24:11:29 | router | react-use-router.js:11:24:11:35 | router.query |
+| react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:22:15:22:24 | router | react-use-router.js:23:43:23:48 | router |
+| react-use-router.js:22:17:22:22 | router | react-use-router.js:22:15:22:24 | router |
+| react-use-router.js:23:43:23:48 | router | react-use-router.js:23:43:23:54 | router.query |
+| react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar |
+| react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar |
+| react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar |
+| react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar |
+| react-use-router.js:23:43:23:61 | router.query.foobar | react-use-router.js:22:17:22:22 | router |
 | react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
 | react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
 | react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
@@ -2417,7 +2428,9 @@ edges
 | react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | Cross-site scripting vulnerability due to $@. | react-use-context.js:10:22:10:32 | window.name | user-provided value |
 | react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name | Cross-site scripting vulnerability due to $@. | react-use-context.js:16:26:16:36 | window.name | user-provided value |
 | react-use-router.js:8:21:8:39 | router.query.foobar | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:8:21:8:32 | router.query | user-provided value |
-| react-use-router.js:20:43:20:61 | router.query.foobar | react-use-router.js:20:43:20:54 | router.query | react-use-router.js:20:43:20:61 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:20:43:20:54 | router.query | user-provided value |
+| react-use-router.js:11:24:11:42 | router.query.foobar | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:8:21:8:32 | router.query | user-provided value |
+| react-use-router.js:11:24:11:42 | router.query.foobar | react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:11:24:11:35 | router.query | user-provided value |
+| react-use-router.js:23:43:23:61 | router.query.foobar | react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar | Cross-site scripting vulnerability due to $@. | react-use-router.js:23:43:23:54 | router.query | user-provided value |
 | react-use-state.js:5:51:5:55 | state | react-use-state.js:4:38:4:48 | window.name | react-use-state.js:5:51:5:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:4:38:4:48 | window.name | user-provided value |
 | react-use-state.js:11:51:11:55 | state | react-use-state.js:10:14:10:24 | window.name | react-use-state.js:11:51:11:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:10:14:10:24 | window.name | user-provided value |
 | react-use-state.js:17:51:17:55 | state | react-use-state.js:16:20:16:30 | window.name | react-use-state.js:17:51:17:55 | state | Cross-site scripting vulnerability due to $@. | react-use-state.js:16:20:16:30 | window.name | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected
@@ -579,13 +579,18 @@ nodes
 | react-use-router.js:8:21:8:32 | router.query |
 | react-use-router.js:8:21:8:39 | router.query.foobar |
 | react-use-router.js:8:21:8:39 | router.query.foobar |
-| react-use-router.js:19:15:19:24 | router |
-| react-use-router.js:19:17:19:22 | router |
-| react-use-router.js:20:43:20:48 | router |
-| react-use-router.js:20:43:20:54 | router.query |
-| react-use-router.js:20:43:20:54 | router.query |
-| react-use-router.js:20:43:20:61 | router.query.foobar |
-| react-use-router.js:20:43:20:61 | router.query.foobar |
+| react-use-router.js:11:24:11:29 | router |
+| react-use-router.js:11:24:11:35 | router.query |
+| react-use-router.js:11:24:11:35 | router.query |
+| react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:22:15:22:24 | router |
+| react-use-router.js:22:17:22:22 | router |
+| react-use-router.js:23:43:23:48 | router |
+| react-use-router.js:23:43:23:54 | router.query |
+| react-use-router.js:23:43:23:54 | router.query |
+| react-use-router.js:23:43:23:61 | router.query.foobar |
+| react-use-router.js:23:43:23:61 | router.query.foobar |
 | react-use-state.js:4:9:4:49 | state |
 | react-use-state.js:4:9:4:49 | state |
 | react-use-state.js:4:10:4:14 | state |
@@ -1777,21 +1782,27 @@ edges
 | react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name |
 | react-use-context.js:16:26:16:36 | window.name | react-use-context.js:16:26:16:36 | window.name |
 | react-use-router.js:4:9:4:28 | router | react-use-router.js:8:21:8:26 | router |
+| react-use-router.js:4:9:4:28 | router | react-use-router.js:11:24:11:29 | router |
 | react-use-router.js:4:18:4:28 | useRouter() | react-use-router.js:4:9:4:28 | router |
 | react-use-router.js:8:21:8:26 | router | react-use-router.js:8:21:8:32 | router.query |
 | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar |
 | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar |
 | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar |
 | react-use-router.js:8:21:8:32 | router.query | react-use-router.js:8:21:8:39 | router.query.foobar |
 | react-use-router.js:8:21:8:39 | router.query.foobar | react-use-router.js:4:18:4:28 | useRouter() |
-| react-use-router.js:19:15:19:24 | router | react-use-router.js:20:43:20:48 | router |
-| react-use-router.js:19:17:19:22 | router | react-use-router.js:19:15:19:24 | router |
-| react-use-router.js:20:43:20:48 | router | react-use-router.js:20:43:20:54 | router.query |
-| react-use-router.js:20:43:20:54 | router.query | react-use-router.js:20:43:20:61 | router.query.foobar |
-| react-use-router.js:20:43:20:54 | router.query | react-use-router.js:20:43:20:61 | router.query.foobar |
-| react-use-router.js:20:43:20:54 | router.query | react-use-router.js:20:43:20:61 | router.query.foobar |
-| react-use-router.js:20:43:20:54 | router.query | react-use-router.js:20:43:20:61 | router.query.foobar |
-| react-use-router.js:20:43:20:61 | router.query.foobar | react-use-router.js:19:17:19:22 | router |
+| react-use-router.js:11:24:11:29 | router | react-use-router.js:11:24:11:35 | router.query |
+| react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:11:24:11:35 | router.query | react-use-router.js:11:24:11:42 | router.query.foobar |
+| react-use-router.js:22:15:22:24 | router | react-use-router.js:23:43:23:48 | router |
+| react-use-router.js:22:17:22:22 | router | react-use-router.js:22:15:22:24 | router |
+| react-use-router.js:23:43:23:48 | router | react-use-router.js:23:43:23:54 | router.query |
+| react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar |
+| react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar |
+| react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar |
+| react-use-router.js:23:43:23:54 | router.query | react-use-router.js:23:43:23:61 | router.query.foobar |
+| react-use-router.js:23:43:23:61 | router.query.foobar | react-use-router.js:22:17:22:22 | router |
 | react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
 | react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
 | react-use-state.js:4:9:4:49 | state | react-use-state.js:5:51:5:55 | state |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js
@@ -7,6 +7,9 @@ export function nextRouter() {
       <span onClick={() => {
         router.push(router.query.foobar) // NOT OK
       }}>Click to XSS 1</span>
+      <span onClick={() => {
+        router.replace(router.query.foobar) // NOT OK
+      }}>Click to XSS 2</span>
       <span onClick={() => {
         router.push('/?foobar=' + router.query.foobar) // OK
       }}>Safe Link</span>
@@ -17,6 +20,6 @@ export function nextRouter() {
 import { withRouter } from 'next/router'
 
 function Page({ router }) {
-  return <span onClick={() => router.push(router.query.foobar)}>Click to XSS 2</span> // NOT OK
+  return <span onClick={() => router.push(router.query.foobar)}>Click to XSS 3</span> // NOT OK
 }
 export const pageWithRouter = withRouter(Page);
