JavaScript: Add flow summary extraction queries.

2018-07-30 16:33:48 +01:00 · 2018-07-30 16:33:48 +01:00 · f4fed3657d
--- a/javascript/config/suites/javascript/flow-summaries
+++ b/javascript/config/suites/javascript/flow-summaries
@ -0,0 +1,3 @@
+ semmlecode-javascript-queries/Security/Summaries/ExtractSourceSummaries.ql
+ semmlecode-javascript-queries/Security/Summaries/ExtractSinkSummaries.ql
+ semmlecode-javascript-queries/Security/Summaries/ExtractFlowStepSummaries.ql
--- a/javascript/ql/src/Security/Summaries/AllConfigurations.qll
+++ b/javascript/ql/src/Security/Summaries/AllConfigurations.qll
@ -0,0 +1,36 @@
+/**
+ * Imports the standard library and all taint-tracking configuration classes from the security queries.
+ */
+
+import javascript
+
+import semmle.javascript.security.dataflow.BrokenCryptoAlgorithm
+import semmle.javascript.security.dataflow.CleartextLogging
+import semmle.javascript.security.dataflow.CleartextStorage
+import semmle.javascript.security.dataflow.ClientSideUrlRedirect
+import semmle.javascript.security.dataflow.CodeInjection
+import semmle.javascript.security.dataflow.CommandInjection
+import semmle.javascript.security.dataflow.ConditionalBypass
+import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentials
+import semmle.javascript.security.dataflow.DifferentKindsComparisonBypass
+import semmle.javascript.security.dataflow.DomBasedXss as DomBasedXss
+import semmle.javascript.security.dataflow.FileAccessToHttp
+import semmle.javascript.security.dataflow.HardcodedCredentials
+import semmle.javascript.security.dataflow.InsecureRandomness
+import semmle.javascript.security.dataflow.InsufficientPasswordHash
+import semmle.javascript.security.dataflow.NosqlInjection
+import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
+import semmle.javascript.security.dataflow.RegExpInjection
+import semmle.javascript.security.dataflow.RemotePropertyInjection
+import semmle.javascript.security.dataflow.RequestForgery
+import semmle.javascript.security.dataflow.ServerSideUrlRedirect
+import semmle.javascript.security.dataflow.SqlInjection
+import semmle.javascript.security.dataflow.StackTraceExposure
+import semmle.javascript.security.dataflow.StoredXss as StoredXss
+import semmle.javascript.security.dataflow.TaintedFormatString
+import semmle.javascript.security.dataflow.TaintedPath
+import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTampering
+import semmle.javascript.security.dataflow.UnsafeDeserialization
+import semmle.javascript.security.dataflow.XmlBomb
+import semmle.javascript.security.dataflow.XpathInjection
+import semmle.javascript.security.dataflow.Xxe
--- a/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql
+++ b/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql
@ -0,0 +1,32 @@
+/**
+ * @name Extract flow step summaries
+ * @description Extracts flow step summaries, that is, tuples `(p1, lbl1, p2, lbl2, cfg)`
+ *              representing the fact that data with flow label `lbl1` may flow from a
+ *              user-controlled exit node of portal `p1` to an escaping entry node of portal `p2`,
+ *              and have label `lbl2` at that point. Moreover, the path from `p1` to `p2` contains
+ *              no sanitizers specified by configuration `cfg`.
+ * @kind flow-step-summary
+ * @id js/step-summary-extraction
+ */
+
+import AllConfigurations
+import PortalExitSource
+import PortalEntrySink
+
+from TaintTracking::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
+     Portal p1, Portal p2, DataFlow::FlowLabel lbl1, DataFlow::FlowLabel lbl2
+where cfg.hasFlowPath(source, sink) and
+      p1 = source.getNode().(PortalExitSource).getPortal() and
+      p2 = sink.getNode().(PortalEntrySink).getPortal() and
+      lbl1 = sink.getPathSummary().getStartLabel() and
+      lbl2 = sink.getPathSummary().getEndLabel() and
+      // avoid constructing infeasible paths
+      sink.getPathSummary().hasCall() = false and
+      sink.getPathSummary().hasReturn() = false and
+      // restrict to steps flow function parameters to returns
+      p1.(ParameterPortal).getBasePortal() = p2.(ReturnPortal).getBasePortal() and
+      // restrict to data/taint flow
+      lbl1 instanceof DataFlow::StandardFlowLabel
+select p1.toString(), lbl1.toString(),
+       p2.toString(), lbl2.toString(),
+       cfg.toString()
--- a/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql
+++ b/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql
@ -0,0 +1,19 @@
+/**
+ * @name Extract sink summaries
+ * @description Extracts sink summaries, that is, tuples `(p, lbl, cfg)` representing the fact 
+ *              that data with flow label `lbl` may flow from a user-controlled exit node of portal
+ *              `p` to a known sink for configuration `cfg`.
+ * @kind sink-summary
+ * @id js/sink-summary-extraction
+ */
+
+import AllConfigurations
+import PortalExitSource
+
+from TaintTracking::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
+     Portal p
+where cfg.hasFlowPath(source, sink) and
+      p = source.getNode().(PortalExitSource).getPortal() and
+      // avoid constructing infeasible paths
+      sink.getPathSummary().hasReturn() = false
+select p.toString(), source.getPathSummary().getStartLabel().toString(), cfg.toString()
--- a/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql
+++ b/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql
@ -0,0 +1,19 @@
+/**
+ * @name Extract source summaries
+ * @description Extracts source summaries, that is, tuples `(p, lbl, cfg)` representing the fact
+ *              that data may flow from a known source for configuration `cfg` to an escaping entry
+ *              node of portal `p`, and have flow label `lbl` at that point.
+ * @kind source-summary
+ * @id js/source-summary-extraction
+ */
+
+import AllConfigurations
+import PortalEntrySink
+
+from TaintTracking::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
+     Portal p
+where cfg.hasFlowPath(source, sink) and
+      p = sink.getNode().(PortalEntrySink).getPortal() and
+      // avoid constructing infeasible paths
+      sink.getPathSummary().hasCall() = false
+select p.toString(), sink.getPathSummary().getEndLabel().toString(), cfg.toString()
--- a/javascript/ql/src/Security/Summaries/PortalEntrySink.qll
+++ b/javascript/ql/src/Security/Summaries/PortalEntrySink.qll
@ -0,0 +1,24 @@
+import javascript
+import semmle.javascript.dataflow.Portals
+
+/**
+ * An escaping entry node of a portal, viewed as an additional sink node for any flow
+ * configuration currently in scope.
+ */
+class PortalEntrySink extends DataFlow::AdditionalSink {
+  Portal p;
+
+  PortalEntrySink() {
+    this = p.getAnEntryNode(true)
+  }
+
+  override predicate isSinkFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) {
+    cfg instanceof TaintTracking::Configuration and
+    lbl = any(DataFlow::FlowLabel l)
+  }
+
+  /** Gets the portal of which this is an entry node. */
+  Portal getPortal() {
+    result = p
+  }
+}
--- a/javascript/ql/src/Security/Summaries/PortalExitSource.qll
+++ b/javascript/ql/src/Security/Summaries/PortalExitSource.qll
@ -0,0 +1,24 @@
+import javascript
+import semmle.javascript.dataflow.Portals
+
+/**
+ * A remote exit node of a portal, viewed as an additional source node for any flow
+ * configuration currently in scope.
+ */
+class PortalExitSource extends DataFlow::AdditionalSource {
+  Portal p;
+
+  PortalExitSource() {
+    this = p.getAnExitNode(true)
+  }
+
+  override predicate isSourceFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) {
+    cfg instanceof TaintTracking::Configuration and
+    lbl = any(DataFlow::FlowLabel l)
+  }
+
+  /** Gets the portal of which this is an exit node. */
+  Portal getPortal() {
+    result = p
+  }
+}
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@ -246,7 +246,7 @@ class TaintKind = FlowLabel;
 /**
 * A standard flow label, that is, either `FlowLabel::data()` or `FlowLabel::taint()`.
 */
-private class StandardFlowLabel extends FlowLabel {
+class StandardFlowLabel extends FlowLabel {
  StandardFlowLabel() { this = "data" or this = "taint" }
 }

@ -790,6 +790,11 @@ class PathNode extends TPathNode {
  /** Gets the underlying data flow tracking configuration of this path node. */
  DataFlow::Configuration getConfiguration() { result = cfg }

+  /** Gets the summary of the path underlying this path node. */
+  PathSummary getPathSummary() {
+    result = summary
+  }
+
  /** Gets a successor node of this path node. */
  PathNode getASuccessor() {
    exists(DataFlow::Node succ, PathSummary newSummary |
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
@ -285,6 +285,11 @@ class PathSummary extends TPathSummary {
  /** Indicates whether the path represented by this summary contains any call steps. */
  boolean hasCall() { result = hasCall }

+  /** Gets the flow label describing the value at the start of this flow path. */
+  FlowLabel getStartLabel() {
+    result = start
+  }
+
  /** Gets the flow label describing the value at the end of this flow path. */
  FlowLabel getEndLabel() { result = end }

--- a/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.expected
+++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.expected
@ -0,0 +1,162 @@
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | BrokenCryptoAlgorithm |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | ClearTextStorage |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | ClientSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | CommandInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | ConditionalBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | CorsMisconfigurationForCredentials |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | DifferentKindsComparisonBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | DomBasedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | FileAccessToHttp |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | InsecureRandomness |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | InsufficientPasswordHash |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | NosqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | ReflectedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | RegExpInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | RemotePropertyInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | RequestForgery |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | ServerSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | SqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | StackTraceExposure |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | StoredXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | TaintedFormatString |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | TaintedPath |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | UnsafeDeserialization |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | XmlBomb |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | XpathInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | Xxe |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | BrokenCryptoAlgorithm |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | ClearTextStorage |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | ClientSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | CommandInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | ConditionalBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | CorsMisconfigurationForCredentials |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | DifferentKindsComparisonBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | DomBasedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | FileAccessToHttp |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | InsecureRandomness |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | InsufficientPasswordHash |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | NosqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | ReflectedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | RegExpInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | RemotePropertyInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | RequestForgery |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | ServerSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | SqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | StackTraceExposure |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | StoredXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | TaintedFormatString |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | TaintedPath |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | UnsafeDeserialization |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | XmlBomb |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | XpathInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | Xxe |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | BrokenCryptoAlgorithm |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | ClearTextStorage |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | ClientSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | CommandInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | ConditionalBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | CorsMisconfigurationForCredentials |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | DifferentKindsComparisonBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | DomBasedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | FileAccessToHttp |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | InsecureRandomness |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | InsufficientPasswordHash |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | NosqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | ReflectedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | RegExpInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | RemotePropertyInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | RequestForgery |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | ServerSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | SqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | StackTraceExposure |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | StoredXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | TaintedFormatString |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | TaintedPath |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | UnsafeDeserialization |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | XmlBomb |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | XpathInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | Xxe |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | BrokenCryptoAlgorithm |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | ClearTextStorage |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | ClientSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | CommandInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | ConditionalBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | CorsMisconfigurationForCredentials |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | DifferentKindsComparisonBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | DomBasedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | FileAccessToHttp |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | InsecureRandomness |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | InsufficientPasswordHash |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | NosqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | ReflectedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | RegExpInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | RemotePropertyInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | RequestForgery |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | ServerSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | SqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | StackTraceExposure |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | StoredXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | TaintedFormatString |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | TaintedPath |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | UnsafeDeserialization |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | XmlBomb |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | XpathInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | Xxe |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | BrokenCryptoAlgorithm |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | ClearTextStorage |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | ClientSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | CommandInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | ConditionalBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | CorsMisconfigurationForCredentials |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | DifferentKindsComparisonBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | DomBasedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | FileAccessToHttp |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | InsecureRandomness |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | InsufficientPasswordHash |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | NosqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | ReflectedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | RegExpInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | RemotePropertyInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | RequestForgery |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | ServerSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | SqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | StackTraceExposure |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | StoredXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | TaintedFormatString |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | TaintedPath |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | UnsafeDeserialization |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | XmlBomb |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | XpathInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | Xxe |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | BrokenCryptoAlgorithm |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | ClearTextStorage |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | ClientSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | CommandInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | ConditionalBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | CorsMisconfigurationForCredentials |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | DifferentKindsComparisonBypass |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | DomBasedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | FileAccessToHttp |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | InsecureRandomness |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | InsufficientPasswordHash |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | NosqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | ReflectedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | RegExpInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | RemotePropertyInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | RequestForgery |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | ServerSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | SqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | StackTraceExposure |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | StoredXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | TaintedFormatString |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | TaintedPath |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | UnsafeDeserialization |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | XmlBomb |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | XpathInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | Xxe |
--- a/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.qlref
+++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.qlref
@ -0,0 +1 @@
+Security/Summaries/ExtractFlowStepSummaries.ql
--- a/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected
+++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected
@ -0,0 +1,38 @@
+| (member (parameter (member (root https://www.npmjs.com/package/infer-sources) regexpInj) 0) name) | data | RegExpInjection |
+| (member (parameter (member (root https://www.npmjs.com/package/infer-sources) regexpInj) 0) name) | taint | RegExpInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) codeInjection) 0) | data | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) codeInjection) 0) | taint | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) commandInjection) 0) | data | CommandInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) commandInjection) 0) | taint | CommandInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) hashPass) 0) | data | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) hashPass) 0) | data | InsufficientPasswordHash |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) hashPass) 0) | taint | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) hashPass) 0) | taint | InsufficientPasswordHash |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) multiple) 0) | data | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) multiple) 0) | data | CommandInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) multiple) 0) | taint | CodeInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) multiple) 0) | taint | CommandInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) redirect) 0) | data | ServerSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) redirect) 0) | taint | ServerSideUrlRedirect |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) reflected) 0) | data | ReflectedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) reflected) 0) | data | StoredXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) reflected) 0) | taint | ReflectedXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) reflected) 0) | taint | StoredXss |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) regexpInj) 0) | data | RegExpInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) regexpInj) 0) | taint | RegExpInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) remotePropeInjection) 1) | data | RemotePropertyInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) remotePropeInjection) 1) | taint | RemotePropertyInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) sqlInj) 0) | data | SqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) sqlInj) 0) | taint | SqlInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) taintedPath) 0) | data | TaintedPath |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) taintedPath) 0) | taint | TaintedPath |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) unsafeDes) 0) | data | UnsafeDeserialization |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) unsafeDes) 0) | taint | UnsafeDeserialization |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) xmlBomb) 0) | data | XmlBomb |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) xmlBomb) 0) | data | Xxe |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) xmlBomb) 0) | taint | XmlBomb |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) xmlBomb) 0) | taint | Xxe |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) xpathInj) 0) | data | XpathInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) xpathInj) 0) | taint | XpathInjection |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) xxe) 0) | data | XmlBomb |
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) xxe) 0) | taint | XmlBomb |
--- a/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.qlref
+++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.qlref
@ -0,0 +1 @@
+Security/Summaries/ExtractSinkSummaries.ql
--- a/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.expected
+++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.expected
@ -0,0 +1,37 @@
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | ClientSideUrlRedirect |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | CodeInjection |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | CommandInjection |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | ConditionalBypass |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | CorsMisconfigurationForCredentials |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | DifferentKindsComparisonBypass |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | DomBasedXss |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | NosqlInjection |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | ReflectedXss |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | RegExpInjection |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | RemotePropertyInjection |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | RequestForgery |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | ServerSideUrlRedirect |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | SqlInjection |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | TaintedFormatString |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | TaintedPath |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | UnsafeDeserialization |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | XmlBomb |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | XpathInjection |
+| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | Xxe |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | ClientSideUrlRedirect |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | CodeInjection |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | CommandInjection |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | ConditionalBypass |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | CorsMisconfigurationForCredentials |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | DomBasedXss |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | NosqlInjection |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | RegExpInjection |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | RemotePropertyInjection |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | RequestForgery |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | SqlInjection |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | TaintedFormatString |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | TaintedPath |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | UnsafeDeserialization |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | XmlBomb |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | XpathInjection |
+| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | Xxe |
--- a/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.qlref
+++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.qlref
@ -0,0 +1 @@
+Security/Summaries/ExtractSourceSummaries.ql
--- a/javascript/ql/test/query-tests/Security/Summaries/index.js
+++ b/javascript/ql/test/query-tests/Security/Summaries/index.js
@ -0,0 +1,187 @@
+var http = require('http'),
+    url = require('url');
+
+function listenForHeaders(cb) {
+  http.createServer(function (req, res) {
+    let cmd = url.parse(req.url, true).query.path;
+    cb(cmd); // sink
+    res.write('Hello World!');
+    res.end();
+  }).listen(8080);
+};
+
+function codeInjection(input) {
+  eval("url[" + input + "]");  
+}
+
+function commandInjection(input) {
+  require("child_process").exec("ls " + input);  
+}
+
+function multiple(input) {
+  codeInjection(input);
+  commandInjection(input);
+}
+
+function taintedPath(input) {
+  require("/tmp/" + input);
+}
+
+function regexpInj(data) {
+  new RegExp("^"+ data.name + "$", "i");
+}
+
+function xpathInj(userName) {
+  const xpath = require('xpath');
+  let badXPathExpr = xpath.parse("//users/user[login/text()='" + userName + "']/home_dir/text()");
+  badXPathExpr.select({
+    node: root
+  });
+}
+
+function xxe(input) {
+  const expat = require('node-expat');
+  var parser = new expat.Parser();
+  parser.write(input); 
+}
+
+
+function xmlBomb(input) {
+  const libxmljs = require('libxmljs');  
+  libxmljs.parseXml(input, { noent: true });
+
+}
+
+function hashPass(input) {  
+  require('crypto').createCipher('aes192').write(input);
+  codeInjection(input)
+}
+
+function unsafeDes(input) {
+  const jsyaml = require("js-yaml");  
+  let data;
+  return jsyaml.load(input);
+}
+
+function remoteProp(input1, input2, input3) {
+  var obj = url[input1]; 
+  obj[input2] = input3;  
+}
+
+function reflected(userID) {
+  var express = require('express');
+
+  var app = express();
+
+  app.get('/user/:id', function(req, res) {    
+      res.send("Unknown user: " + userID);   
+  });  
+}
+
+function redirect(input) {
+  var https = require('https');
+  var url = require('url');
+
+  var server = https.createServer(function(req, res) {    
+    res.writeHead(302, { Location: '/' + input});
+  }).listen(8080)
+  
+}
+
+function sqlInj(input) {  
+  var mysql      = require('mysql');
+  var connection = mysql.createConnection({
+    host     : 'localhost',
+    user     : 'me',
+    password : 'secret',
+    database : 'my_db'
+  });   
+  connection.connect();
+  connection.query('SELECT ' + input + ' AS solution', function (error, results, fields) {
+    if (error) throw error;
+    console.log('The solution is: ', results[0].solution);
+  });
+}
+
+function createError () {
+  var err, status;  
+  for (i = 0; i < 1000; i++) {    
+    err = {};
+    status = err.a || err.b || err.c || err.d || err;          
+  }
+    
+  err.a = err.b = status 
+
+  return err;
+}
+
+function forLoop(input) {
+  var intObj = {};
+  var res = 0;
+  for (var i = 0; i < input.x.length; i++) {
+    res += intObj.x + input.x[i];
+  }
+  if (res < 1000) {
+    intObj.res = res;
+    return intObj;
+  } else 
+    return res;
+}
+
+function notASink(foo) {
+  return foo;
+}
+
+// this call should not make parameter `foo` a command injection sink
+eval(notASink(42));
+
+function cookieSource() {
+  return document.cookie;
+}
+
+function notACookieSource(x) {
+  return x;
+}
+
+// this call should not make the return value of `notACookieSource` a remote flow source
+notACookieSource(document.cookie);
+
+function invoke(cb, x) {
+  cb(x);
+}
+
+// this call should not make the first argument to `cb` above a remote flow source
+invoke((x)=>x, document.cookie);
+
+function g(x) {
+  h(x);
+}
+
+function h(y) {
+  return y;
+}
+
+module.exports = {
+    codeInjection: codeInjection,
+    commandInjection: commandInjection,
+    remotePropeInjection: remoteProp,
+    multiple: multiple,
+    taintedPath: taintedPath,
+    sqlInj: sqlInj,
+    listen: listenForHeaders,
+    createError: createError,
+    regexpInj: regexpInj,
+    xpathInj: xpathInj,
+    xmlBomb: xmlBomb,
+    hashPass: hashPass,
+    xxe: xxe,
+    unsafeDes: unsafeDes,
+    redirect: redirect,
+    reflected: reflected,
+    notASink: notASink,
+    cookieSource: cookieSource,
+    notACookieSource: notACookieSource,
+    invoke: invoke,
+    g: g,
+    h: h
+}
--- a/javascript/ql/test/query-tests/Security/Summaries/package.json
+++ b/javascript/ql/test/query-tests/Security/Summaries/package.json
@ -0,0 +1,10 @@
+{
+  "name": "infer-sources",
+  "version": "0.0.1",
+  "dependencies": {
+    "mysql": "2.15.0",
+    "xpath": "0.0.27",
+    "libxmljs": "0.19.1"
+  },
+  "main": "index.js"
+}
				`@ -0,0 +1 @@`
				`Security/Summaries/ExtractFlowStepSummaries.ql`
				`@ -0,0 +1 @@`
				`Security/Summaries/ExtractSourceSummaries.ql`