remove deep taint of objects

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll

@@ -78,9 +78,6 @@ module ExceptionXss {
       or
       // All the usual taint-flow steps apply on data-flow before it has been thrown in an exception.
       this.isAdditionalFlowStep(pred, succ) and inlbl instanceof NotYetThrown and outlbl instanceof NotYetThrown
-      or
-      // We taint an object deep if it happens before an exception has been thrown.
-      inlbl instanceof NotYetThrown and outlbl instanceof NotYetThrown and exists(DataFlow::PropWrite write | write.getRhs() = pred and write.getBase() = succ)
     }
   }
 }

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected

@@ -16,11 +16,6 @@ nodes
 | exception-xss.js:22:10:22:10 | e |
 | exception-xss.js:23:18:23:18 | e |
 | exception-xss.js:23:18:23:18 | e |
-| exception-xss.js:27:11:27:21 | {prop: foo} |
-| exception-xss.js:27:18:27:20 | foo |
-| exception-xss.js:28:10:28:10 | e |
-| exception-xss.js:29:18:29:18 | e |
-| exception-xss.js:29:18:29:18 | e |
 | exception-xss.js:33:11:33:22 | ["bar", foo] |
 | exception-xss.js:33:19:33:21 | foo |
 | exception-xss.js:34:10:34:10 | e |
@@ -61,7 +56,6 @@ edges
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:9:11:9:13 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:15:9:15:11 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:21:11:21:13 | foo |
-| exception-xss.js:2:9:2:31 | foo | exception-xss.js:27:18:27:20 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:33:19:33:21 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:46:16:46:18 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:81:16:81:18 | foo |
@@ -81,10 +75,6 @@ edges
 | exception-xss.js:21:11:21:21 | foo + "bar" | exception-xss.js:22:10:22:10 | e |
 | exception-xss.js:22:10:22:10 | e | exception-xss.js:23:18:23:18 | e |
 | exception-xss.js:22:10:22:10 | e | exception-xss.js:23:18:23:18 | e |
-| exception-xss.js:27:11:27:21 | {prop: foo} | exception-xss.js:28:10:28:10 | e |
-| exception-xss.js:27:18:27:20 | foo | exception-xss.js:27:11:27:21 | {prop: foo} |
-| exception-xss.js:28:10:28:10 | e | exception-xss.js:29:18:29:18 | e |
-| exception-xss.js:28:10:28:10 | e | exception-xss.js:29:18:29:18 | e |
 | exception-xss.js:33:11:33:22 | ["bar", foo] | exception-xss.js:34:10:34:10 | e |
 | exception-xss.js:33:19:33:21 | foo | exception-xss.js:33:11:33:22 | ["bar", foo] |
 | exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
@@ -118,7 +108,6 @@ edges
 | exception-xss.js:11:18:11:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:11:18:11:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:17:18:17:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:17:18:17:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:23:18:23:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:23:18:23:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:29:18:29:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:29:18:29:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:35:18:35:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:35:18:35:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:48:18:48:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:48:18:48:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:83:18:83:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:83:18:83:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js

@@ -26,7 +26,7 @@
 	try {
 		unknown({prop: foo});
 	} catch(e) {
-		$('myId').html(e); // NOT OK!
+		$('myId').html(e); // We don't flag this for now.
 	}
 
 	try {