github · asgerf · Mar 11, 2025 · Feb 10, 2025 · Feb 4, 2025 · Feb 6, 2025
@@ -221,7 +221,10 @@ private module Postgres {
 
     /** Gets a value that is plugged into a raw placeholder variable, making it a sink for SQL injection. */
     private DataFlow::Node getARawValue() {
-      result = this.getValues() and this.getARawParameterName() = "1" // Special case: if the argument is not an array or object, it's just plugged into $1
+      result = this.getValues() and
+      this.getARawParameterName() = "1" and // Special case: if the argument is not an array or object, it's just plugged into $1
+      not result instanceof DataFlow::ArrayCreationNode and
+      not result instanceof DataFlow::ObjectLiteralNode
       or
       exists(DataFlow::SourceNode values | values = this.getValues().getALocalSource() |
         result = values.getAPropertyWrite(this.getARawParameterName()).getRhs()

@@ -421,3 +421,22 @@ private module ClosureLibraryUri {
     }
   }
 }
+
+private class QueryStringStringification extends DataFlow::SummarizedCallable {
+  QueryStringStringification() { this = "query-string stringification" }
+
+  override DataFlow::InvokeNode getACall() {
+    result =
+      API::moduleImport(["querystring", "query-string", "querystringify", "qs"])
+          .getMember("stringify")
+          .getACall() or
+    result = API::moduleImport("url-parse").getMember("qs").getMember("stringify").getACall() or
+    result = API::moduleImport("parseqs").getMember("encode").getACall()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    preservesValue = false and
+    input = ["Argument[0]", "Argument[0].AnyMemberDeep"] and
+    output = "ReturnValue"
+  }
+}
@@ -20,7 +20,11 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof Sanitizer
+    or
+    node = HostnameSanitizerGuard::getABarrierNode()
+  }
 
   predicate isBarrierOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
 
@@ -69,10 +73,12 @@ deprecated class Configuration extends TaintTracking::Configuration {
 }
 
 /**
+ * DEPRECATED. This is no longer used as a sanitizer guard.
+ *
  * A call to a function called `isLocalUrl` or similar, which is
  * considered to sanitize a variable for purposes of URL redirection.
  */
-class LocalUrlSanitizingGuard extends DataFlow::CallNode {
+deprecated class LocalUrlSanitizingGuard extends DataFlow::CallNode {
   LocalUrlSanitizingGuard() { this.getCalleeName().regexpMatch("(?i)(is_?)?local_?url") }
 
   /** DEPRECATED. Use `blocksExpr` instead. */

@@ -4,14 +4,22 @@ private import codeql.util.test.InlineExpectationsTest
 module Impl implements InlineExpectationsTestSig {
   private import javascript
 
-  final private class LineCommentFinal = LineComment;
+  final class ExpectationComment = ExpectationCommentImpl;
 
-  class ExpectationComment extends LineCommentFinal {
-    string getContents() { result = this.getText() }
+  class Location = JS::Location;
+
+  abstract private class ExpectationCommentImpl extends Locatable {
+    abstract string getContents();
 
     /** Gets this element's location. */
     Location getLocation() { result = super.getLocation() }
   }
 
-  class Location = JS::Location;
+  private class JSComment extends ExpectationCommentImpl instanceof Comment {
+    override string getContents() { result = super.getText() }
+  }
+
+  private class HtmlComment extends ExpectationCommentImpl instanceof HTML::CommentNode {
+    override string getContents() { result = super.getText() }
+  }
 }
@@ -0,0 +1,5 @@
+---
+category: fix
+---
+* Fixed a recently-introduced bug that caused `js/server-side-unvalidated-url-redirection` to ignore
+  valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.
@@ -1 +1,2 @@
-AngularJS/DeadAngularJSEventListener.ql
+query: AngularJS/DeadAngularJSEventListener.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -1,50 +1,50 @@
 angular.module('myModule', [])
     .controller('MyController', function($scope) {
-        $scope.$on('destroy', cleanup); // BAD
+        $scope.$on('destroy', cleanup); // $ Alert
     })
     .controller('MyController', ["$scope", function(s) {
-        s.$on('destroy', cleanup); // BAD
+        s.$on('destroy', cleanup); // $ Alert
     }])
     .controller('MyController', function($scope) {
         var destroy = 'destroy';
-        $scope.$on(destroy, cleanup); // BAD
+        $scope.$on(destroy, cleanup); // $ Alert
     })
     .controller('MyController', function($scope) {
-        $scope.$on('$destroy', cleanup); // GOOD
+        $scope.$on('$destroy', cleanup);
     })
     .controller('MyController', function($scope) {
         $scope.$emit('foo');
-        $scope.$on('foo', cleanup); // GOOD
+        $scope.$on('foo', cleanup);
     })
     .controller('MyController', function($scope) {
-        $scope.$on('bar', cleanup); // BAD
+        $scope.$on('bar', cleanup); // $ Alert
     })
     .controller('MyController', function($scope) {
-        $scope.$on('$locationChangeStart', cleanup); // OK
+        $scope.$on('$locationChangeStart', cleanup);
     })
     .controller('MyController', function($scope) {
-        $scope.$on('lib1.foo', cleanup); // OK
+        $scope.$on('lib1.foo', cleanup);
     })
     .controller('MyController', function($scope) {
-        $scope.$on('lib2:foo', cleanup); // OK
+        $scope.$on('lib2:foo', cleanup);
     })
     .controller('MyController', function($scope) {
-        $scope.$on('onClick', cleanup); // OK
+        $scope.$on('onClick', cleanup);
     })
     .controller('MyController', function($scope) {
         function f($scope){
             $scope.$emit('probablyFromUserCode1')
         }
-        $scope.$on('probablyFromUserCode1', cleanup); // OK
+        $scope.$on('probablyFromUserCode1', cleanup);
     })
     .controller('MyController', function($scope) {
         function f($scope){
             var scope = $scope;
             scope.$emit('probablyFromUserCode2')
         }
-        $scope.$on('probablyFromUserCode2', cleanup); // OK
+        $scope.$on('probablyFromUserCode2', cleanup);
     })
     .controller('MyController', function($scope) {
-        $scope.$on('event-from-AngularJS-expression', cleanup); // GOOD
+        $scope.$on('event-from-AngularJS-expression', cleanup);
     })
 ;
@@ -1 +1,2 @@
-AngularJS/DependencyMismatch.ql
+query: AngularJS/DependencyMismatch.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -1,36 +1,36 @@
 angular.module('app1', [])
-       .run(['dep1', 'dep2', 'dep3', function(dep1, dep3, dep2) {}]);  // NOT OK
+       .run(['dep1', 'dep2', 'dep3', function(dep1, dep3, dep2) {}]);  // $ Alert
 
 angular.module('app2')
-       .directive('mydirective', [ '$compile', function($compile, $http) { // NOT OK
+       .directive('mydirective', [ '$compile', function($compile, $http) { // $ Alert
            // ...
        }]);
 
 angular.module('app1', [])
-       .run(['dep1', 'dep2', 'dep3', function(dep1, dep2, dep3) {}]);  // OK
+       .run(['dep1', 'dep2', 'dep3', function(dep1, dep2, dep3) {}]);
 
 angular.module('app2')
-       .directive('mydirective', [ '$compile', '$http', function($compile, $http) { // OK
+       .directive('mydirective', [ '$compile', '$http', function($compile, $http) {
            // ...
        }]);
 
 angular.module('app3', [])
-       .run(function(dep1, dep3) {});  // OK
+       .run(function(dep1, dep3) {});
 
 angular.module('app4')
-       .directive('mydirective', function($compile, $http) {  // OK
+       .directive('mydirective', function($compile, $http) {
            // ...
        });
 
 angular.module('app5')
-       .directive('mydirective', [ 'fully.qualified.name', function(name) { // OK
+       .directive('mydirective', [ 'fully.qualified.name', function(name) {
            // ...
        }])
 
 angular.module('app6')
     .directive('mydirective', function() {
         return {
-            link: function (scope, element, attrs) { // OK
+            link: function (scope, element, attrs) {
             }
         };
     });
@@ -1,17 +1,17 @@
 angular.module('app', [])
     .config(function($sceProvider) {
-        $sceProvider.enabled(false); // BAD
+        $sceProvider.enabled(false); // $ Alert
     })
     .config(['otherProvider', function($sceProvider) {
-        $sceProvider.enabled(false); // OK
+        $sceProvider.enabled(false);
     }])
     .config(['$sceProvider', function(x) {
-        x.enabled(false); // BAD
+        x.enabled(false); // $ Alert
     }])
     .config(function($sceProvider) {
-        $sceProvider.enabled(true); // OK
+        $sceProvider.enabled(true);
     })
     .config(function($sceProvider) {
         var x = false;
-        $sceProvider.enabled(x); // BAD
+        $sceProvider.enabled(x); // $ Alert
     });
@@ -1 +1,2 @@
-AngularJS/DisablingSce.ql
+query: AngularJS/DisablingSce.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -1 +1,2 @@
-AngularJS/DoubleCompilation.ql
+query: AngularJS/DoubleCompilation.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -11,7 +11,7 @@ angular.module('app').directive('addMouseover', function($compile) {
 
       attrs.$set('addMouseover', null); // To stop infinite compile loop
       element.append(newEl);
-      $compile(element)(scope); // Double compilation
+      $compile(element)(scope); // $ Alert - Double compilation
     }
   }
 })
@@ -1 +1,2 @@
-AngularJS/IncompatibleService.ql
+query: AngularJS/IncompatibleService.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -11,68 +11,68 @@ angular.module('myModule', [])
 ;
 
 angular.module('myModule2', [])
-    .controller('c0', function(factoryId){}) // OK
-    .controller('c1', function(serviceId){}) // OK
-    .controller('c2', function(valueId){}) // OK
-    .controller('c3', function(constantId){}) // OK
-    .controller('c4', function(providerId){}) // OK
-    .controller('c5', function($http){}) // OK
-    .controller('c6', function($provider){}) // NOT OK
-    .controller('c7', function($scope){}) // OK
-    .controller('c8', function($compile){}) // OK
-    .controller('c9', function(UNKNOWN){}) // OK
-    .controller('c10', function(providerIdProvider){}) // NOT OK
-    .controller('c11', function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error
-    .controller('c12', function($provide){}) // OK (special case)
-    .controller('c13', function(providerId2Provider){}) // NOT OK
+    .controller('c0', function(factoryId){})
+    .controller('c1', function(serviceId){})
+    .controller('c2', function(valueId){})
+    .controller('c3', function(constantId){})
+    .controller('c4', function(providerId){})
+    .controller('c5', function($http){})
+    .controller('c6', function($provider){}) // $ Alert
+    .controller('c7', function($scope){})
+    .controller('c8', function($compile){})
+    .controller('c9', function(UNKNOWN){})
+    .controller('c10', function(providerIdProvider){}) // $ Alert
+    .controller('c11', function(providerIdProvider, UNKNOWN){}) // $ Alert - but only one error
+    .controller('c12', function($provide){}) // OK - special case
+    .controller('c13', function(providerId2Provider){}) // $ Alert
 
-    .factory('s0', function(factoryId){}) // OK
-    .factory('s1', function(serviceId){}) // OK
-    .factory('s2', function(valueId){}) // OK
-    .factory('s3', function(constantId){}) // OK
-    .factory('s4', function(providerId){}) // OK
-    .factory('s5', function($http){}) // OK
-    .factory('s6', function($provider){}) // NOT OK
-    .factory('s7', function($scope){}) // NOT OK
-    .factory('s8', function($compile){}) // OK
-    .factory('s9', function(UNKNOWN){}) // OK
-    .factory('s10', function(providerIdProvider){}) // NOT OK
-    .factory('s11', function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error
-    .factory('s12', function($provide){}) // OK (special case)
-    .factory('s13', function(providerId2Provider){}) // NOT OK
+    .factory('s0', function(factoryId){})
+    .factory('s1', function(serviceId){})
+    .factory('s2', function(valueId){})
+    .factory('s3', function(constantId){})
+    .factory('s4', function(providerId){})
+    .factory('s5', function($http){})
+    .factory('s6', function($provider){}) // $ Alert
+    .factory('s7', function($scope){}) // $ Alert
+    .factory('s8', function($compile){})
+    .factory('s9', function(UNKNOWN){})
+    .factory('s10', function(providerIdProvider){}) // $ Alert
+    .factory('s11', function(providerIdProvider, UNKNOWN){}) // $ Alert - but only one error
+    .factory('s12', function($provide){}) // OK - special case
+    .factory('s13', function(providerId2Provider){}) // $ Alert
 
-    .run(function(factoryId){}) // OK
-    .run(function(serviceId){}) // OK
-    .run(function(valueId){}) // OK
-    .run(function(constantId){}) // OK
-    .run(function(providerId){}) // OK
-    .run(function($http){}) // OK
-    .run(function($provider){}) // NOT OK
-    .run(function($scope){}) // NOT OK
-    .run(function($compile){}) // OK
-    .run(function(UNKNOWN){}) // OK
-    .run(function(providerIdProvider){}) // NOT OK
-    .run(function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error
-    .run(function($provide){}) // OK (special case)
-    .run(function(providerId2Provider){}) // NOT OK
+    .run(function(factoryId){})
+    .run(function(serviceId){})
+    .run(function(valueId){})
+    .run(function(constantId){})
+    .run(function(providerId){})
+    .run(function($http){})
+    .run(function($provider){}) // $ Alert
+    .run(function($scope){}) // $ Alert
+    .run(function($compile){})
+    .run(function(UNKNOWN){})
+    .run(function(providerIdProvider){}) // $ Alert
+    .run(function(providerIdProvider, UNKNOWN){}) // $ Alert - but only one error
+    .run(function($provide){}) // OK - special case
+    .run(function(providerId2Provider){}) // $ Alert
 
-    .config(function(factoryId){}) // NOT OK
-    .config(function(serviceId){}) // NOT OK
-    .config(function(valueId){}) // NOT OK
-    .config(function(constantId){}) // OK
-    .config(function(providerId){}) // NOT OK
-    .config(function($http){}) // NOT OK
-    .config(function($provider){}) // OK
-    .config(function($scope){}) // NOT OK
-    .config(function($compile){}) // OK
-    .config(function(UNKNOWN){}) // OK
-    .config(function(providerIdProvider){}) // OK
-    .config(function(providerId, UNKNOWN){}) // NOT OK, but only one error
-    .config(function($provide){}) // OK (special case)
-    .config(function(valueId2){}) // NOT OK
+    .config(function(factoryId){}) // $ Alert
+    .config(function(serviceId){}) // $ Alert
+    .config(function(valueId){}) // $ Alert
+    .config(function(constantId){})
+    .config(function(providerId){}) // $ Alert
+    .config(function($http){}) // $ Alert
+    .config(function($provider){})
+    .config(function($scope){}) // $ Alert
+    .config(function($compile){})
+    .config(function(UNKNOWN){})
+    .config(function(providerIdProvider){})
+    .config(function(providerId, UNKNOWN){}) // $ Alert - but only one error
+    .config(function($provide){}) // OK - special case
+    .config(function(valueId2){}) // $ Alert
 
     // service: same restrcitions as .factory
-    .service('s14', function(factoryId){}) // OK
-    .service('s15', function($provider){}) // NOT OK
+    .service('s14', function(factoryId){})
+    .service('s15', function($provider){}) // $ Alert
 
 ;
@@ -1 +1,2 @@
-AngularJS/InsecureUrlWhitelist.ql
+query: AngularJS/InsecureUrlWhitelist.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql