From 8b7dbf8b0f83cc49685eb9cd7285ce3cea77407d Mon Sep 17 00:00:00 2001
From: Asger F
Date: Wed, 22 May 2019 15:51:39 +0100
Subject: [PATCH] JS: Align DOM::locationRef with isDocumentURL

---
 javascript/ql/src/semmle/javascript/DOM.qll | 10 +++++++++-
 .../src/semmle/javascript/security/dataflow/DOM.qll | 12 +----------
 .../test/library-tests/DOM/Customizations.expected | 1 +
 3 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
index f107d85253b..1fc51a6d841 100644
--- a/javascript/ql/src/semmle/javascript/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -326,7 +326,15 @@ module DOM {
 
   private class DefaultRange extends Range {
     DefaultRange() {
-      this = domValueRef().getAPropertyRead("location")
+      exists(string propName | this = documentRef().getAPropertyRead(propName) |
+        propName = "documentURI" or
+        propName = "documentURIObject" or
+        propName = "location" or
+        propName = "referrer" or
+        propName = "URL"
+      )
+      or
+      this = DOM::domValueRef().getAPropertyRead("baseUri")
       or
       this = DataFlow::globalVarRef("location")
     }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
index 268cb93d5d5..90f4d5fd5c2 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
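Review bot: The new `DefaultRange` disjunction folds read-only, string-valued URL properties (`documentURI`, `referrer`, `URL`, `baseUri`) into a class whose old meaning was a reference to the `location` object, so any model that treats `locationRef()` as a writable `Location` (a navigation sink built on property writes to it, if one exists) would silently never match those members; the `Range`/`locationRef` documentation above the hunk should record the wider meaning. A suggested wording is `/** A reference to the location object, or to a string holding the document URL, base URL or referrer; note that document.referrer is set by the linking page, not by this document. */`. Dropping `domValueRef().getAPropertyRead("location")` in favour of `documentRef().getAPropertyRead("location")` also stops matching `.location` reads on non-document DOM values, unless `DataFlow::globalVarRef("location")` covers the cases that mattered, which is worth confirming against the DOM tests. The enclosing class ends outside the hunk.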
@@ -38,17 +38,7 @@ predicate isDocument(Expr e) { DOM::documentRef().flowsToExpr(e) }
 
 /** Holds if `e` could refer to the document URL. */
 predicate isDocumentURL(Expr e) {
-  exists(string propName | e = DOM::documentRef().getAPropertyRead(propName).asExpr() |
-    propName = "documentURI" or
-    propName = "documentURIObject" or
-    propName = "location" or
-    propName = "referrer" or
-    propName = "URL"
-  )
-  or
-  e = DOM::domValueRef().getAPropertyRead("baseUri").asExpr()
-  or
-  e.accessesGlobal("location")
+  DOM::locationRef().flowsToExpr(e)
 }
 
 /**
diff --git a/javascript/ql/test/library-tests/DOM/Customizations.expected b/javascript/ql/test/library-tests/DOM/Customizations.expected
index 20d9f1c1615..1e364cd6daa 100644
--- a/javascript/ql/test/library-tests/DOM/Customizations.expected
+++ b/javascript/ql/test/library-tests/DOM/Customizations.expected
@@ -1,5 +1,6 @@
 test_documentRef
 | customization.js:2:13:2:31 | customGetDocument() |
 test_locationRef
+| customization.js:3:3:3:14 | doc.location |
 test_domValueRef
 | customization.js:4:3:4:28 | doc.get ... 'test') |
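Review bot: Replacing the `asExpr()` equality tests with `DOM::locationRef().flowsToExpr(e)` widens `isDocumentURL` from the property-read expressions themselves to every expression those values reach by local data flow, mirroring `isDocument` on the hunk's header line, and the unchanged doc comment does not say so. If the widening is intended, the comment should state it, e.g. `/** Holds if \`e\` could refer to the document URL, including expressions reached from such a reference by local data flow. */`; if only the direct reads were meant, the new side should be `e = DOM::locationRef().asExpr()`. Because `locationRef()` now also covers `document.referrer`, callers that use this predicate as a source of attacker-influenced data should expect referrer reads to be reported too, which is appropriate since that value is chosen by the linking page.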