JS: Update test output and add related TODO in 'markdown-table' model

asgerf · asgerf · commit aea573bb972b · 2024-08-26T14:57:19.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll
@@ -52,6 +52,7 @@ module Markdown {
   private class MarkdownTableStep extends MarkdownStep {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
       exists(DataFlow::CallNode call | call = DataFlow::moduleImport("markdown-table").getACall() |
+        // TODO: needs a flow summary to ensure ArrayElement content is unfolded
         succ = call and
         pred = call.getArgument(0)
       )
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
@@ -31,7 +31,7 @@ app.get('/user/:id', function(req, res) {
     ['Name', 'Content'],
     ['body', req.body]
   ]);
-  res.send(mytable); // NOT OK
+  res.send(mytable); // NOT OK - FIXME: only works in OLD dataflow, add implicit reads before library-contributed taint steps
 });
 
 var showdown  = require('showdown');
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -3,7 +3,6 @@
 | ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value |
 | ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value |
 | ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value |
-| ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
 | ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value |
 | ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value |
 | ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value |

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ module Markdown {`
`52`	`52`	`private class MarkdownTableStep extends MarkdownStep {`
`53`	`53`	`override predicate step(DataFlow::Node pred, DataFlow::Node succ) {`
`54`	`54`	`exists(DataFlow::CallNode call \| call = DataFlow::moduleImport("markdown-table").getACall() \|`
	`55`	`+ // TODO: needs a flow summary to ensure ArrayElement content is unfolded`
`55`	`56`	`succ = call and`
`56`	`57`	`pred = call.getArgument(0)`
`57`	`58`	`)`