add support for try-statements with no catch block

erik-krogh · erik-krogh · commit 9fa7393d5671 · 2019-11-19T13:37:35.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/Expr.qll b/javascript/ql/src/semmle/javascript/Expr.qll
@@ -251,11 +251,11 @@ class Expr extends @expr, ExprOrStmt, ExprOrType, AST::ValueNode {
    * causes an exception to be thrown.
    */
   DataFlow::Node getThrowsToNode() {
-    if exists(this.getEnclosingStmt().getEnclosingTryStmt())
+    if exists(this.getEnclosingStmt().getEnclosingTryCatchStmt())
     then
       result = DataFlow::parameterNode(this
               .getEnclosingStmt()
-              .getEnclosingTryStmt()
+              .getEnclosingTryCatchStmt()
               .getACatchClause()
               .getAParameter())
     else result = any(DataFlow::FunctionNode f | f.getFunction() = this.getContainer()).getExceptionalReturn()
diff --git a/javascript/ql/src/semmle/javascript/Stmt.qll b/javascript/ql/src/semmle/javascript/Stmt.qll
@@ -57,12 +57,13 @@ class Stmt extends @stmt, ExprOrStmt, Documentable {
   override predicate isAmbient() { hasDeclareKeyword(this) or getParent().isAmbient() }
   
   /**
-  * Gets the `try` statement containing this statement without crossing function
-  * boundaries or other `try ` statements.
+  * Gets the `try` statement with a catch block containing this statement without
+  * crossing function boundaries or other `try ` statements with catch blocks.
   */
-  TryStmt getEnclosingTryStmt() {
+  TryStmt getEnclosingTryCatchStmt() {
     getParentStmt+() = result.getBody() and
-    not exists(TryStmt mid |
+    exists(result.getACatchClause()) and
+    not exists(TryStmt mid | exists(mid.getACatchClause()) | 
       getParentStmt+() = mid.getBody() and mid.getParentStmt+() = result.getBody()
     )
   }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected
@@ -47,12 +47,16 @@ nodes
 | exception-xss.js:96:10:96:10 | e |
 | exception-xss.js:97:18:97:18 | e |
 | exception-xss.js:97:18:97:18 | e |
-| exception-xss.js:107:13:107:25 | req.params.id |
-| exception-xss.js:107:13:107:25 | req.params.id |
-| exception-xss.js:108:11:108:11 | e |
-| exception-xss.js:109:14:109:30 | "Exception: " + e |
-| exception-xss.js:109:14:109:30 | "Exception: " + e |
-| exception-xss.js:109:30:109:30 | e |
+| exception-xss.js:102:12:102:14 | foo |
+| exception-xss.js:106:10:106:10 | e |
+| exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:117:13:117:25 | req.params.id |
+| exception-xss.js:117:13:117:25 | req.params.id |
+| exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:30:119:30 | e |
 edges
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:9:11:9:13 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:15:9:15:11 | foo |
@@ -63,6 +67,7 @@ edges
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:81:16:81:18 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:89:11:89:13 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:95:12:95:14 | foo |
+| exception-xss.js:2:9:2:31 | foo | exception-xss.js:102:12:102:14 | foo |
 | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
 | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
 | exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:10:10:10 | e |
@@ -101,11 +106,14 @@ edges
 | exception-xss.js:95:12:95:14 | foo | exception-xss.js:95:11:95:22 | [foo, "bar"] |
 | exception-xss.js:96:10:96:10 | e | exception-xss.js:97:18:97:18 | e |
 | exception-xss.js:96:10:96:10 | e | exception-xss.js:97:18:97:18 | e |
-| exception-xss.js:107:13:107:25 | req.params.id | exception-xss.js:108:11:108:11 | e |
-| exception-xss.js:107:13:107:25 | req.params.id | exception-xss.js:108:11:108:11 | e |
-| exception-xss.js:108:11:108:11 | e | exception-xss.js:109:30:109:30 | e |
-| exception-xss.js:109:30:109:30 | e | exception-xss.js:109:14:109:30 | "Exception: " + e |
-| exception-xss.js:109:30:109:30 | e | exception-xss.js:109:14:109:30 | "Exception: " + e |
+| exception-xss.js:102:12:102:14 | foo | exception-xss.js:106:10:106:10 | e |
+| exception-xss.js:106:10:106:10 | e | exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:106:10:106:10 | e | exception-xss.js:107:18:107:18 | e |
+| exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:118:11:118:11 | e |
+| exception-xss.js:118:11:118:11 | e | exception-xss.js:119:30:119:30 | e |
+| exception-xss.js:119:30:119:30 | e | exception-xss.js:119:14:119:30 | "Exception: " + e |
+| exception-xss.js:119:30:119:30 | e | exception-xss.js:119:14:119:30 | "Exception: " + e |
 #select
 | exception-xss.js:11:18:11:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:11:18:11:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:17:18:17:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:17:18:17:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
@@ -116,4 +124,5 @@ edges
 | exception-xss.js:83:18:83:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:83:18:83:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:91:18:91:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:91:18:91:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:97:18:97:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:97:18:97:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
-| exception-xss.js:109:14:109:30 | "Exception: " + e | exception-xss.js:107:13:107:25 | req.params.id | exception-xss.js:109:14:109:30 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:107:13:107:25 | req.params.id | user-provided value |
+| exception-xss.js:107:18:107:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:107:18:107:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:119:14:119:30 | "Exception: " + e | exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:119:14:119:30 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:117:13:117:25 | req.params.id | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/exception-xss.js
@@ -96,6 +96,16 @@
 	} catch(e) {
 		$('myId').html(e); // NOT OK! 
 	}
+
+	try {
+		try {
+			unknown(foo);
+		} finally {
+			// nothing
+		}
+	} catch(e) {
+		$('myId').html(e); // NOT OK! 
+	}
 });
 
 var express = require('express');
