Added test cases for firebase both client and server sides.

Author: Napalys

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -62,6 +62,17 @@
 | dragAndDrop.ts:73:29:73:39 | droppedHtml | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | user-provided value |
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value |
 | express.js:6:15:6:33 | req.param("wobble") | express.js:6:15:6:33 | req.param("wobble") | express.js:6:15:6:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:6:15:6:33 | req.param("wobble") | user-provided value |
+| firebase-client.js:7:59:7:65 | x.val() | firebase-client.js:7:59:7:65 | x.val() | firebase-client.js:7:59:7:65 | x.val() | Cross-site scripting vulnerability due to $@. | firebase-client.js:7:59:7:65 | x.val() | user-provided value |
+| firebase-client.js:8:59:8:79 | x.expor ... message | firebase-client.js:8:59:8:71 | x.exportVal() | firebase-client.js:8:59:8:79 | x.expor ... message | Cross-site scripting vulnerability due to $@. | firebase-client.js:8:59:8:71 | x.exportVal() | user-provided value |
+| firebase-client.js:10:63:10:82 | parentSnapshot.val() | firebase-client.js:10:63:10:82 | parentSnapshot.val() | firebase-client.js:10:63:10:82 | parentSnapshot.val() | Cross-site scripting vulnerability due to $@. | firebase-client.js:10:63:10:82 | parentSnapshot.val() | user-provided value |
+| firebase-client.js:14:54:14:70 | bioSnapshot.val() | firebase-client.js:14:54:14:70 | bioSnapshot.val() | firebase-client.js:14:54:14:70 | bioSnapshot.val() | Cross-site scripting vulnerability due to $@. | firebase-client.js:14:54:14:70 | bioSnapshot.val() | user-provided value |
+| firebase-client.js:19:56:19:84 | `<div>$ ... </div>` | firebase-client.js:18:20:18:38 | childSnapshot.val() | firebase-client.js:19:56:19:84 | `<div>$ ... </div>` | Cross-site scripting vulnerability due to $@. | firebase-client.js:18:20:18:38 | childSnapshot.val() | user-provided value |
+| firebase-client.js:25:59:25:65 | x.val() | firebase-client.js:25:59:25:65 | x.val() | firebase-client.js:25:59:25:65 | x.val() | Cross-site scripting vulnerability due to $@. | firebase-client.js:25:59:25:65 | x.val() | user-provided value |
+| firebase-client.js:26:59:26:79 | x.expor ... message | firebase-client.js:26:59:26:71 | x.exportVal() | firebase-client.js:26:59:26:79 | x.expor ... message | Cross-site scripting vulnerability due to $@. | firebase-client.js:26:59:26:71 | x.exportVal() | user-provided value |
+| firebase-client.js:28:63:28:82 | parentSnapshot.val() | firebase-client.js:28:63:28:82 | parentSnapshot.val() | firebase-client.js:28:63:28:82 | parentSnapshot.val() | Cross-site scripting vulnerability due to $@. | firebase-client.js:28:63:28:82 | parentSnapshot.val() | user-provided value |
+| firebase-client.js:33:52:33:65 | snapshot.val() | firebase-client.js:33:52:33:65 | snapshot.val() | firebase-client.js:33:52:33:65 | snapshot.val() | Cross-site scripting vulnerability due to $@. | firebase-client.js:33:52:33:65 | snapshot.val() | user-provided value |
+| firebase-client.js:38:56:38:67 | userData.bio | firebase-client.js:37:22:37:35 | snapshot.val() | firebase-client.js:38:56:38:67 | userData.bio | Cross-site scripting vulnerability due to $@. | firebase-client.js:37:22:37:35 | snapshot.val() | user-provided value |
+| firebase-client.js:44:55:44:74 | parentSnapshot.val() | firebase-client.js:44:55:44:74 | parentSnapshot.val() | firebase-client.js:44:55:44:74 | parentSnapshot.val() | Cross-site scripting vulnerability due to $@. | firebase-client.js:44:55:44:74 | parentSnapshot.val() | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | jquery.js:10:5:10:40 | "<b>" + ...  "</b>" | jquery.js:10:13:10:20 | location | jquery.js:10:5:10:40 | "<b>" + ...  "</b>" | Cross-site scripting vulnerability due to $@. | jquery.js:10:13:10:20 | location | user-provided value |
@@ -352,6 +363,15 @@ edges
 | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml | provenance |  |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | provenance |  |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | provenance | Config |
+| firebase-client.js:8:59:8:71 | x.exportVal() | firebase-client.js:8:59:8:79 | x.expor ... message | provenance |  |
+| firebase-client.js:18:13:18:38 | data | firebase-client.js:19:64:19:67 | data | provenance |  |
+| firebase-client.js:18:20:18:38 | childSnapshot.val() | firebase-client.js:18:13:18:38 | data | provenance |  |
+| firebase-client.js:19:64:19:67 | data | firebase-client.js:19:64:19:76 | data.username | provenance |  |
+| firebase-client.js:19:64:19:76 | data.username | firebase-client.js:19:56:19:84 | `<div>$ ... </div>` | provenance |  |
+| firebase-client.js:26:59:26:71 | x.exportVal() | firebase-client.js:26:59:26:79 | x.expor ... message | provenance |  |
+| firebase-client.js:37:11:37:35 | userData | firebase-client.js:38:56:38:63 | userData | provenance |  |
+| firebase-client.js:37:22:37:35 | snapshot.val() | firebase-client.js:37:11:37:35 | userData | provenance |  |
+| firebase-client.js:38:56:38:63 | userData | firebase-client.js:38:56:38:67 | userData.bio | provenance |  |
 | jquery.js:2:7:2:40 | tainted | jquery.js:4:5:4:11 | tainted | provenance |  |
 | jquery.js:2:7:2:40 | tainted | jquery.js:5:13:5:19 | tainted | provenance |  |
 | jquery.js:2:7:2:40 | tainted | jquery.js:6:11:6:17 | tainted | provenance |  |
@@ -954,6 +974,26 @@ nodes
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | semmle.label | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | semmle.label | location.href |
 | express.js:6:15:6:33 | req.param("wobble") | semmle.label | req.param("wobble") |
+| firebase-client.js:7:59:7:65 | x.val() | semmle.label | x.val() |
+| firebase-client.js:8:59:8:71 | x.exportVal() | semmle.label | x.exportVal() |
+| firebase-client.js:8:59:8:79 | x.expor ... message | semmle.label | x.expor ... message |
+| firebase-client.js:10:63:10:82 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
+| firebase-client.js:14:54:14:70 | bioSnapshot.val() | semmle.label | bioSnapshot.val() |
+| firebase-client.js:18:13:18:38 | data | semmle.label | data |
+| firebase-client.js:18:20:18:38 | childSnapshot.val() | semmle.label | childSnapshot.val() |
+| firebase-client.js:19:56:19:84 | `<div>$ ... </div>` | semmle.label | `<div>$ ... </div>` |
+| firebase-client.js:19:64:19:67 | data | semmle.label | data |
+| firebase-client.js:19:64:19:76 | data.username | semmle.label | data.username |
+| firebase-client.js:25:59:25:65 | x.val() | semmle.label | x.val() |
+| firebase-client.js:26:59:26:71 | x.exportVal() | semmle.label | x.exportVal() |
+| firebase-client.js:26:59:26:79 | x.expor ... message | semmle.label | x.expor ... message |
+| firebase-client.js:28:63:28:82 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
+| firebase-client.js:33:52:33:65 | snapshot.val() | semmle.label | snapshot.val() |
+| firebase-client.js:37:11:37:35 | userData | semmle.label | userData |
+| firebase-client.js:37:22:37:35 | snapshot.val() | semmle.label | snapshot.val() |
+| firebase-client.js:38:56:38:63 | userData | semmle.label | userData |
+| firebase-client.js:38:56:38:67 | userData.bio | semmle.label | userData.bio |
+| firebase-client.js:44:55:44:74 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
 | jquery.js:2:7:2:40 | tainted | semmle.label | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search |
 | jquery.js:4:5:4:11 | tainted | semmle.label | tainted |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -154,6 +154,26 @@ nodes
 | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | semmle.label | '<h2><a ... ></h2>' |
 | event-handler-receiver.js:2:49:2:61 | location.href | semmle.label | location.href |
 | express.js:6:15:6:33 | req.param("wobble") | semmle.label | req.param("wobble") |
+| firebase-client.js:7:59:7:65 | x.val() | semmle.label | x.val() |
+| firebase-client.js:8:59:8:71 | x.exportVal() | semmle.label | x.exportVal() |
+| firebase-client.js:8:59:8:79 | x.expor ... message | semmle.label | x.expor ... message |
+| firebase-client.js:10:63:10:82 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
+| firebase-client.js:14:54:14:70 | bioSnapshot.val() | semmle.label | bioSnapshot.val() |
+| firebase-client.js:18:13:18:38 | data | semmle.label | data |
+| firebase-client.js:18:20:18:38 | childSnapshot.val() | semmle.label | childSnapshot.val() |
+| firebase-client.js:19:56:19:84 | `<div>$ ... </div>` | semmle.label | `<div>$ ... </div>` |
+| firebase-client.js:19:64:19:67 | data | semmle.label | data |
+| firebase-client.js:19:64:19:76 | data.username | semmle.label | data.username |
+| firebase-client.js:25:59:25:65 | x.val() | semmle.label | x.val() |
+| firebase-client.js:26:59:26:71 | x.exportVal() | semmle.label | x.exportVal() |
+| firebase-client.js:26:59:26:79 | x.expor ... message | semmle.label | x.expor ... message |
+| firebase-client.js:28:63:28:82 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
+| firebase-client.js:33:52:33:65 | snapshot.val() | semmle.label | snapshot.val() |
+| firebase-client.js:37:11:37:35 | userData | semmle.label | userData |
+| firebase-client.js:37:22:37:35 | snapshot.val() | semmle.label | snapshot.val() |
+| firebase-client.js:38:56:38:63 | userData | semmle.label | userData |
+| firebase-client.js:38:56:38:67 | userData.bio | semmle.label | userData.bio |
+| firebase-client.js:44:55:44:74 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
 | hana.js:11:37:11:40 | rows | semmle.label | rows |
 | hana.js:11:37:11:51 | rows[0].comment | semmle.label | rows[0].comment |
 | hana.js:16:37:16:40 | rows | semmle.label | rows |
@@ -820,6 +840,15 @@ edges
 | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:71:13:71:61 | droppedHtml | provenance |  |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | provenance |  |
 | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | provenance | Config |
+| firebase-client.js:8:59:8:71 | x.exportVal() | firebase-client.js:8:59:8:79 | x.expor ... message | provenance |  |
+| firebase-client.js:18:13:18:38 | data | firebase-client.js:19:64:19:67 | data | provenance |  |
+| firebase-client.js:18:20:18:38 | childSnapshot.val() | firebase-client.js:18:13:18:38 | data | provenance |  |
+| firebase-client.js:19:64:19:67 | data | firebase-client.js:19:64:19:76 | data.username | provenance |  |
+| firebase-client.js:19:64:19:76 | data.username | firebase-client.js:19:56:19:84 | `<div>$ ... </div>` | provenance |  |
+| firebase-client.js:26:59:26:71 | x.exportVal() | firebase-client.js:26:59:26:79 | x.expor ... message | provenance |  |
+| firebase-client.js:37:11:37:35 | userData | firebase-client.js:38:56:38:63 | userData | provenance |  |
+| firebase-client.js:37:22:37:35 | snapshot.val() | firebase-client.js:37:11:37:35 | userData | provenance |  |
+| firebase-client.js:38:56:38:63 | userData | firebase-client.js:38:56:38:67 | userData.bio | provenance |  |
 | hana.js:11:37:11:40 | rows | hana.js:11:37:11:51 | rows[0].comment | provenance |  |
 | hana.js:16:37:16:40 | rows | hana.js:16:37:16:51 | rows[0].comment | provenance |  |
 | hana.js:19:37:19:40 | rows | hana.js:19:37:19:51 | rows[0].comment | provenance |  |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/firebase-client.js

@@ -0,0 +1,46 @@
+import firebase from 'firebase/app';
+import 'firebase/database';
+
+
+firebase.database().ref("/userMessages/message1").once("value")
+  .then((x) => {
+    document.getElementById("messageDisplay").innerHTML = x.val(); // $ Alert
+    document.getElementById("messageDisplay").innerHTML = x.exportVal().message; // $ Alert
+    x.ref.parent.parent.once('value', parentSnapshot => {
+        document.getElementById("messageDisplay").innerHTML = parentSnapshot.val(); // $ Alert
+    });
+
+    x.ref.parent.child('bio').once('value', (bioSnapshot) => {
+      document.getElementById('userBio').innerHTML = bioSnapshot.val(); // $ Alert
+    });
+
+    x.forEach((childSnapshot) => {
+      const data = childSnapshot.val(); // $ Source
+      document.getElementById("userList").innerHTML += `<div>${data.username}</div>`; // $ Alert
+    });
+  })
+  .catch();
+
+firebase.database().ref('/users').on('value', (x) => {
+    document.getElementById("messageDisplay").innerHTML = x.val(); // $ Alert
+    document.getElementById("messageDisplay").innerHTML = x.exportVal().message; // $ Alert
+    x.ref.parent.parent.once('value', parentSnapshot => {
+        document.getElementById("messageDisplay").innerHTML = parentSnapshot.val(); // $ Alert
+    });
+});
+
+firebase.database().refFromURL("https://example.com").once("value", (snapshot) => {
+    document.getElementById("content").innerHTML = snapshot.val(); // $ Alert
+});
+
+firebase.database().ref("users").child("12345").once("value", (snapshot) => {
+    const userData = snapshot.val(); // $ Source
+    document.getElementById("userProfile").innerHTML = userData.bio; // $ Alert
+});
+
+firebase.database().ref("users/12345/profile").once("value", (snapshot) => {
+    const rootref = snapshot.ref.root;
+    rootref.once("value", (parentSnapshot) => {
+      document.getElementById("userData").innerHTML = parentSnapshot.val(); // $ Alert
+    });
+});

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected

@@ -27,6 +27,12 @@
 | express.js:20:34:20:38 | taint | express.js:19:17:19:35 | req.param("wobble") | express.js:20:34:20:38 | taint | This code execution depends on a $@. | express.js:19:17:19:35 | req.param("wobble") | user-provided value |
 | express.js:36:15:36:19 | taint | express.js:27:17:27:35 | req.param("wobble") | express.js:36:15:36:19 | taint | This code execution depends on a $@. | express.js:27:17:27:35 | req.param("wobble") | user-provided value |
 | express.js:43:10:43:12 | msg | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | This code execution depends on a $@. | express.js:42:30:42:32 | msg | user-provided value |
+| firebase-server.js:7:10:7:16 | x.val() | firebase-server.js:7:10:7:16 | x.val() | firebase-server.js:7:10:7:16 | x.val() | This code execution depends on a $@. | firebase-server.js:7:10:7:16 | x.val() | user-provided value |
+| firebase-server.js:8:10:8:22 | x.exportVal() | firebase-server.js:8:10:8:22 | x.exportVal() | firebase-server.js:8:10:8:22 | x.exportVal() | This code execution depends on a $@. | firebase-server.js:8:10:8:22 | x.exportVal() | user-provided value |
+| firebase-server.js:10:14:10:33 | parentSnapshot.val() | firebase-server.js:10:14:10:33 | parentSnapshot.val() | firebase-server.js:10:14:10:33 | parentSnapshot.val() | This code execution depends on a $@. | firebase-server.js:10:14:10:33 | parentSnapshot.val() | user-provided value |
+| firebase-server.js:14:10:14:23 | x.before.val() | firebase-server.js:14:10:14:23 | x.before.val() | firebase-server.js:14:10:14:23 | x.before.val() | This code execution depends on a $@. | firebase-server.js:14:10:14:23 | x.before.val() | user-provided value |
+| firebase-server.js:15:10:15:22 | x.after.val() | firebase-server.js:15:10:15:22 | x.after.val() | firebase-server.js:15:10:15:22 | x.after.val() | This code execution depends on a $@. | firebase-server.js:15:10:15:22 | x.after.val() | user-provided value |
+| firebase-server.js:17:14:17:38 | grandPa ... t.val() | firebase-server.js:17:14:17:38 | grandPa ... t.val() | firebase-server.js:17:14:17:38 | grandPa ... t.val() | This code execution depends on a $@. | firebase-server.js:17:14:17:38 | grandPa ... t.val() | user-provided value |
 | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
 | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
 | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
@@ -144,6 +150,12 @@ nodes
 | express.js:36:15:36:19 | taint | semmle.label | taint |
 | express.js:42:30:42:32 | msg | semmle.label | msg |
 | express.js:43:10:43:12 | msg | semmle.label | msg |
+| firebase-server.js:7:10:7:16 | x.val() | semmle.label | x.val() |
+| firebase-server.js:8:10:8:22 | x.exportVal() | semmle.label | x.exportVal() |
+| firebase-server.js:10:14:10:33 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
+| firebase-server.js:14:10:14:23 | x.before.val() | semmle.label | x.before.val() |
+| firebase-server.js:15:10:15:22 | x.after.val() | semmle.label | x.after.val() |
+| firebase-server.js:17:14:17:38 | grandPa ... t.val() | semmle.label | grandPa ... t.val() |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:33 | tainted | semmle.label | tainted |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected

@@ -82,6 +82,12 @@ nodes
 | express.js:36:15:36:19 | taint | semmle.label | taint |
 | express.js:42:30:42:32 | msg | semmle.label | msg |
 | express.js:43:10:43:12 | msg | semmle.label | msg |
+| firebase-server.js:7:10:7:16 | x.val() | semmle.label | x.val() |
+| firebase-server.js:8:10:8:22 | x.exportVal() | semmle.label | x.exportVal() |
+| firebase-server.js:10:14:10:33 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
+| firebase-server.js:14:10:14:23 | x.before.val() | semmle.label | x.before.val() |
+| firebase-server.js:15:10:15:22 | x.after.val() | semmle.label | x.after.val() |
+| firebase-server.js:17:14:17:38 | grandPa ... t.val() | semmle.label | grandPa ... t.val() |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:33 | tainted | semmle.label | tainted |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/firebase-server.js

@@ -0,0 +1,19 @@
+const functions = require('firebase-functions');
+const admin = require('firebase-admin');
+
+admin.initializeApp();
+
+functions.database.ref('x').onCreate(x => {
+    eval(x.val()); // $ Alert[js/code-injection]
+    eval(x.exportVal()); // $ Alert[js/code-injection]
+    x.ref.parent.once('value', parentSnapshot => {
+        eval(parentSnapshot.val()); // $ Alert[js/code-injection]
+    });
+});
+functions.database.ref('x').onUpdate(x => {
+    eval(x.before.val()); // $ Alert[js/code-injection]
+    eval(x.after.val()); // $ Alert[js/code-injection]
+    x.ref.parent.parent.once('value', grandParentSnapshot => {
+        eval(grandParentSnapshot.val()); // $ Alert[js/code-injection]
+    });
+});