Added test cases for aws sources

Author: Napalys

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -60,6 +60,54 @@ nodes
 | aws-db.js:74:35:74:43 | data.Item | semmle.label | data.Item |
 | aws-db.js:77:35:77:38 | data | semmle.label | data |
 | aws-db.js:77:35:77:43 | data.Item | semmle.label | data.Item |
+| aws.js:14:31:14:36 | result | semmle.label | result |
+| aws.js:14:31:14:44 | result.comment | semmle.label | result.comment |
+| aws.js:18:31:18:37 | result2 | semmle.label | result2 |
+| aws.js:18:31:18:45 | result2.comment | semmle.label | result2.comment |
+| aws.js:22:31:22:37 | result3 | semmle.label | result3 |
+| aws.js:22:31:22:45 | result3.comment | semmle.label | result3.comment |
+| aws.js:26:31:26:37 | result4 | semmle.label | result4 |
+| aws.js:26:31:26:45 | result4.comment | semmle.label | result4.comment |
+| aws.js:34:31:34:34 | data | semmle.label | data |
+| aws.js:34:31:34:42 | data.comment | semmle.label | data.comment |
+| aws.js:37:35:37:38 | data | semmle.label | data |
+| aws.js:37:35:37:46 | data.comment | semmle.label | data.comment |
+| aws.js:47:31:47:34 | data | semmle.label | data |
+| aws.js:47:31:47:42 | data.comment | semmle.label | data.comment |
+| aws.js:50:35:50:38 | data | semmle.label | data |
+| aws.js:50:35:50:46 | data.comment | semmle.label | data.comment |
+| aws.js:59:31:59:34 | data | semmle.label | data |
+| aws.js:59:31:59:42 | data.comment | semmle.label | data.comment |
+| aws.js:62:35:62:38 | data | semmle.label | data |
+| aws.js:62:35:62:46 | data.comment | semmle.label | data.comment |
+| aws.js:66:31:66:35 | data2 | semmle.label | data2 |
+| aws.js:66:31:66:43 | data2.comment | semmle.label | data2.comment |
+| aws.js:69:35:69:38 | data | semmle.label | data |
+| aws.js:69:35:69:46 | data.comment | semmle.label | data.comment |
+| aws.js:78:31:78:34 | data | semmle.label | data |
+| aws.js:78:31:78:42 | data.comment | semmle.label | data.comment |
+| aws.js:81:35:81:38 | data | semmle.label | data |
+| aws.js:81:35:81:46 | data.comment | semmle.label | data.comment |
+| aws.js:85:31:85:35 | data2 | semmle.label | data2 |
+| aws.js:85:31:85:43 | data2.comment | semmle.label | data2.comment |
+| aws.js:88:35:88:38 | data | semmle.label | data |
+| aws.js:88:35:88:46 | data.comment | semmle.label | data.comment |
+| aws.js:92:31:92:35 | data3 | semmle.label | data3 |
+| aws.js:92:31:92:43 | data3.comment | semmle.label | data3.comment |
+| aws.js:95:35:95:38 | data | semmle.label | data |
+| aws.js:95:35:95:46 | data.comment | semmle.label | data.comment |
+| aws.js:99:31:99:35 | data4 | semmle.label | data4 |
+| aws.js:99:31:99:43 | data4.comment | semmle.label | data4.comment |
+| aws.js:102:35:102:38 | data | semmle.label | data |
+| aws.js:102:35:102:46 | data.comment | semmle.label | data.comment |
+| aws.js:106:31:106:35 | data5 | semmle.label | data5 |
+| aws.js:106:31:106:43 | data5.comment | semmle.label | data5.comment |
+| aws.js:109:35:109:38 | data | semmle.label | data |
+| aws.js:109:35:109:46 | data.comment | semmle.label | data.comment |
+| aws.js:113:31:113:35 | data6 | semmle.label | data6 |
+| aws.js:113:31:113:43 | data6.comment | semmle.label | data6.comment |
+| aws.js:116:35:116:38 | data | semmle.label | data |
+| aws.js:116:35:116:46 | data.comment | semmle.label | data.comment |
 | classnames.js:7:31:7:84 | `<span  ... <span>` | semmle.label | `<span  ... <span>` |
 | classnames.js:7:47:7:69 | classNa ... w.name) | semmle.label | classNa ... w.name) |
 | classnames.js:7:58:7:68 | window.name | semmle.label | window.name |
@@ -766,6 +814,30 @@ edges
 | aws-db.js:69:35:69:38 | data | aws-db.js:69:35:69:52 | data.updateResults | provenance |  |
 | aws-db.js:74:35:74:38 | data | aws-db.js:74:35:74:43 | data.Item | provenance |  |
 | aws-db.js:77:35:77:38 | data | aws-db.js:77:35:77:43 | data.Item | provenance |  |
+| aws.js:14:31:14:36 | result | aws.js:14:31:14:44 | result.comment | provenance |  |
+| aws.js:18:31:18:37 | result2 | aws.js:18:31:18:45 | result2.comment | provenance |  |
+| aws.js:22:31:22:37 | result3 | aws.js:22:31:22:45 | result3.comment | provenance |  |
+| aws.js:26:31:26:37 | result4 | aws.js:26:31:26:45 | result4.comment | provenance |  |
+| aws.js:34:31:34:34 | data | aws.js:34:31:34:42 | data.comment | provenance |  |
+| aws.js:37:35:37:38 | data | aws.js:37:35:37:46 | data.comment | provenance |  |
+| aws.js:47:31:47:34 | data | aws.js:47:31:47:42 | data.comment | provenance |  |
+| aws.js:50:35:50:38 | data | aws.js:50:35:50:46 | data.comment | provenance |  |
+| aws.js:59:31:59:34 | data | aws.js:59:31:59:42 | data.comment | provenance |  |
+| aws.js:62:35:62:38 | data | aws.js:62:35:62:46 | data.comment | provenance |  |
+| aws.js:66:31:66:35 | data2 | aws.js:66:31:66:43 | data2.comment | provenance |  |
+| aws.js:69:35:69:38 | data | aws.js:69:35:69:46 | data.comment | provenance |  |
+| aws.js:78:31:78:34 | data | aws.js:78:31:78:42 | data.comment | provenance |  |
+| aws.js:81:35:81:38 | data | aws.js:81:35:81:46 | data.comment | provenance |  |
+| aws.js:85:31:85:35 | data2 | aws.js:85:31:85:43 | data2.comment | provenance |  |
+| aws.js:88:35:88:38 | data | aws.js:88:35:88:46 | data.comment | provenance |  |
+| aws.js:92:31:92:35 | data3 | aws.js:92:31:92:43 | data3.comment | provenance |  |
+| aws.js:95:35:95:38 | data | aws.js:95:35:95:46 | data.comment | provenance |  |
+| aws.js:99:31:99:35 | data4 | aws.js:99:31:99:43 | data4.comment | provenance |  |
+| aws.js:102:35:102:38 | data | aws.js:102:35:102:46 | data.comment | provenance |  |
+| aws.js:106:31:106:35 | data5 | aws.js:106:31:106:43 | data5.comment | provenance |  |
+| aws.js:109:35:109:38 | data | aws.js:109:35:109:46 | data.comment | provenance |  |
+| aws.js:113:31:113:35 | data6 | aws.js:113:31:113:43 | data6.comment | provenance |  |
+| aws.js:116:35:116:38 | data | aws.js:116:35:116:46 | data.comment | provenance |  |
 | classnames.js:7:47:7:69 | classNa ... w.name) | classnames.js:7:31:7:84 | `<span  ... <span>` | provenance |  |
 | classnames.js:7:58:7:68 | window.name | classnames.js:7:47:7:69 | classNa ... w.name) | provenance |  |
 | classnames.js:8:47:8:70 | classNa ... w.name) | classnames.js:8:31:8:85 | `<span  ... <span>` | provenance |  |
@@ -1375,6 +1447,30 @@ subpaths
 | aws-db.js:69:35:69:52 | data.updateResults | aws-db.js:69:35:69:38 | data | aws-db.js:69:35:69:52 | data.updateResults | Cross-site scripting vulnerability due to $@. | aws-db.js:69:35:69:38 | data | user-provided value |
 | aws-db.js:74:35:74:43 | data.Item | aws-db.js:74:35:74:38 | data | aws-db.js:74:35:74:43 | data.Item | Cross-site scripting vulnerability due to $@. | aws-db.js:74:35:74:38 | data | user-provided value |
 | aws-db.js:77:35:77:43 | data.Item | aws-db.js:77:35:77:38 | data | aws-db.js:77:35:77:43 | data.Item | Cross-site scripting vulnerability due to $@. | aws-db.js:77:35:77:38 | data | user-provided value |
+| aws.js:14:31:14:44 | result.comment | aws.js:14:31:14:36 | result | aws.js:14:31:14:44 | result.comment | Cross-site scripting vulnerability due to $@. | aws.js:14:31:14:36 | result | user-provided value |
+| aws.js:18:31:18:45 | result2.comment | aws.js:18:31:18:37 | result2 | aws.js:18:31:18:45 | result2.comment | Cross-site scripting vulnerability due to $@. | aws.js:18:31:18:37 | result2 | user-provided value |
+| aws.js:22:31:22:45 | result3.comment | aws.js:22:31:22:37 | result3 | aws.js:22:31:22:45 | result3.comment | Cross-site scripting vulnerability due to $@. | aws.js:22:31:22:37 | result3 | user-provided value |
+| aws.js:26:31:26:45 | result4.comment | aws.js:26:31:26:37 | result4 | aws.js:26:31:26:45 | result4.comment | Cross-site scripting vulnerability due to $@. | aws.js:26:31:26:37 | result4 | user-provided value |
+| aws.js:34:31:34:42 | data.comment | aws.js:34:31:34:34 | data | aws.js:34:31:34:42 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:34:31:34:34 | data | user-provided value |
+| aws.js:37:35:37:46 | data.comment | aws.js:37:35:37:38 | data | aws.js:37:35:37:46 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:37:35:37:38 | data | user-provided value |
+| aws.js:47:31:47:42 | data.comment | aws.js:47:31:47:34 | data | aws.js:47:31:47:42 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:47:31:47:34 | data | user-provided value |
+| aws.js:50:35:50:46 | data.comment | aws.js:50:35:50:38 | data | aws.js:50:35:50:46 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:50:35:50:38 | data | user-provided value |
+| aws.js:59:31:59:42 | data.comment | aws.js:59:31:59:34 | data | aws.js:59:31:59:42 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:59:31:59:34 | data | user-provided value |
+| aws.js:62:35:62:46 | data.comment | aws.js:62:35:62:38 | data | aws.js:62:35:62:46 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:62:35:62:38 | data | user-provided value |
+| aws.js:66:31:66:43 | data2.comment | aws.js:66:31:66:35 | data2 | aws.js:66:31:66:43 | data2.comment | Cross-site scripting vulnerability due to $@. | aws.js:66:31:66:35 | data2 | user-provided value |
+| aws.js:69:35:69:46 | data.comment | aws.js:69:35:69:38 | data | aws.js:69:35:69:46 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:69:35:69:38 | data | user-provided value |
+| aws.js:78:31:78:42 | data.comment | aws.js:78:31:78:34 | data | aws.js:78:31:78:42 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:78:31:78:34 | data | user-provided value |
+| aws.js:81:35:81:46 | data.comment | aws.js:81:35:81:38 | data | aws.js:81:35:81:46 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:81:35:81:38 | data | user-provided value |
+| aws.js:85:31:85:43 | data2.comment | aws.js:85:31:85:35 | data2 | aws.js:85:31:85:43 | data2.comment | Cross-site scripting vulnerability due to $@. | aws.js:85:31:85:35 | data2 | user-provided value |
+| aws.js:88:35:88:46 | data.comment | aws.js:88:35:88:38 | data | aws.js:88:35:88:46 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:88:35:88:38 | data | user-provided value |
+| aws.js:92:31:92:43 | data3.comment | aws.js:92:31:92:35 | data3 | aws.js:92:31:92:43 | data3.comment | Cross-site scripting vulnerability due to $@. | aws.js:92:31:92:35 | data3 | user-provided value |
+| aws.js:95:35:95:46 | data.comment | aws.js:95:35:95:38 | data | aws.js:95:35:95:46 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:95:35:95:38 | data | user-provided value |
+| aws.js:99:31:99:43 | data4.comment | aws.js:99:31:99:35 | data4 | aws.js:99:31:99:43 | data4.comment | Cross-site scripting vulnerability due to $@. | aws.js:99:31:99:35 | data4 | user-provided value |
+| aws.js:102:35:102:46 | data.comment | aws.js:102:35:102:38 | data | aws.js:102:35:102:46 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:102:35:102:38 | data | user-provided value |
+| aws.js:106:31:106:43 | data5.comment | aws.js:106:31:106:35 | data5 | aws.js:106:31:106:43 | data5.comment | Cross-site scripting vulnerability due to $@. | aws.js:106:31:106:35 | data5 | user-provided value |
+| aws.js:109:35:109:46 | data.comment | aws.js:109:35:109:38 | data | aws.js:109:35:109:46 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:109:35:109:38 | data | user-provided value |
+| aws.js:113:31:113:43 | data6.comment | aws.js:113:31:113:35 | data6 | aws.js:113:31:113:43 | data6.comment | Cross-site scripting vulnerability due to $@. | aws.js:113:31:113:35 | data6 | user-provided value |
+| aws.js:116:35:116:46 | data.comment | aws.js:116:35:116:38 | data | aws.js:116:35:116:46 | data.comment | Cross-site scripting vulnerability due to $@. | aws.js:116:35:116:38 | data | user-provided value |
 | hana.js:11:37:11:51 | rows[0].comment | hana.js:11:37:11:40 | rows | hana.js:11:37:11:51 | rows[0].comment | Cross-site scripting vulnerability due to $@. | hana.js:11:37:11:40 | rows | user-provided value |
 | hana.js:16:37:16:51 | rows[0].comment | hana.js:16:37:16:40 | rows | hana.js:16:37:16:51 | rows[0].comment | Cross-site scripting vulnerability due to $@. | hana.js:16:37:16:40 | rows | user-provided value |
 | hana.js:19:37:19:51 | rows[0].comment | hana.js:19:37:19:40 | rows | hana.js:19:37:19:51 | rows[0].comment | Cross-site scripting vulnerability due to $@. | hana.js:19:37:19:40 | rows | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/aws.js

@@ -0,0 +1,118 @@
+const AWS = require('aws-sdk');
+const { AthenaClient } = require('@aws-sdk/client-athena');
+const { S3Client } = require('@aws-sdk/client-s3');
+const { RDSDataClient } = require('@aws-sdk/client-rds-data');
+const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');
+const express = require('express');
+
+const app = express();
+
+// AWS V3 Common tests
+app.post('/aws-v3-common', async (req, res) => {
+    const athenaClient = new AthenaClient({});
+    const result = await athenaClient.send({});
+    document.body.innerHTML = result.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    
+    const s3Client = new S3Client({});
+    const result2 = await s3Client.send({});
+    document.body.innerHTML = result2.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    
+    const rdsDataClient = new RDSDataClient({});
+    const result3 = await rdsDataClient.send({});
+    document.body.innerHTML = result3.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    
+    const dynamoClient = new DynamoDBClient({});
+    const result4 = await dynamoClient.send({});
+    document.body.innerHTML = result4.comment; // $ Alert[js/xss-additional-sources-dom-test]
+});
+
+// Athena Client V2 tests
+app.post('/athena-v2', async (req, res) => {
+    const athena = new AWS.Athena();
+
+    const data = await athena.getQueryResults({}).promise();
+    document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+
+    athena.getQueryResults({}, function(err, data) {
+        document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    });
+});
+
+// S3 Client V2 tests
+app.post('/s3-v2', async (req, res) => {
+    const s3 = new AWS.S3();
+    
+
+    const data = await s3.getObject({}).promise();
+    document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+
+    s3.getObject({}, function(err, data) {
+        document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    });
+});
+
+// RDS Data Client V2 tests
+app.post('/rds-data-v2', async (req, res) => {
+    const rdsData = new AWS.RDSDataService();
+    
+    const data = await rdsData.executeStatement({}).promise();
+    document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+
+    rdsData.executeStatement({}, function(err, data) {
+        document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    });
+    
+    const data2 = await rdsData.batchExecuteStatement({}).promise();
+    document.body.innerHTML = data2.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    
+    rdsData.batchExecuteStatement({}, function(err, data) {
+        document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    });
+});
+
+// DynamoDB Client V2 tests
+app.post('/dynamodb-v2', async (req, res) => {
+    const dynamodb = new AWS.DynamoDB();
+    
+    const data = await dynamodb.executeStatement({}).promise();
+    document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    
+    dynamodb.executeStatement({}, function(err, data) {
+        document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    });
+    
+    const data2 = await dynamodb.batchExecuteStatement({}).promise();
+    document.body.innerHTML = data2.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    
+    dynamodb.batchExecuteStatement({}, function(err, data) {
+        document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    });
+    
+    const data3 = await dynamodb.query({}).promise();
+    document.body.innerHTML = data3.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    
+    dynamodb.query({}, function(err, data) {
+        document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    });
+    
+    const data4 = await dynamodb.scan({}).promise();
+    document.body.innerHTML = data4.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    
+    dynamodb.scan({}, function(err, data) {
+        document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    });
+    
+    const data5 = await dynamodb.getItem({}).promise();
+    document.body.innerHTML = data5.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    
+    dynamodb.getItem({}, function(err, data) {
+        document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    });
+    
+    const data6 = await dynamodb.batchGetItem({}).promise();
+    document.body.innerHTML = data6.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    
+    dynamodb.batchGetItem({}, function(err, data) {
+        document.body.innerHTML = data.comment; // $ Alert[js/xss-additional-sources-dom-test]
+    });
+});