From f4fed3657d99826c2b24a5c210f729aa79c34991 Mon Sep 17 00:00:00 2001 
From: Max Schaefer Date: Mon, 30 Jul 2018 16:33:48 +0100 Subject: [PATCH] JavaScript: Add flow summary extraction queries. --- .../config/suites/javascript/flow-summaries | 3 + .../Security/Summaries/AllConfigurations.qll | 36 ++++ .../Summaries/ExtractFlowStepSummaries.ql | 32 +++ .../Summaries/ExtractSinkSummaries.ql | 19 ++ .../Summaries/ExtractSourceSummaries.ql | 19 ++ .../Security/Summaries/PortalEntrySink.qll | 24 +++ .../Security/Summaries/PortalExitSource.qll | 24 +++ .../javascript/dataflow/Configuration.qll | 7 +- .../dataflow/internal/FlowSteps.qll | 5 + .../ExtractFlowStepSummaries.expected | 162 +++++++++++++++ .../Summaries/ExtractFlowStepSummaries.qlref | 1 + .../Summaries/ExtractSinkSummaries.expected | 38 ++++ .../Summaries/ExtractSinkSummaries.qlref | 1 + .../Summaries/ExtractSourceSummaries.expected | 37 ++++ .../Summaries/ExtractSourceSummaries.qlref | 1 + .../query-tests/Security/Summaries/index.js | 187 ++++++++++++++++++ .../Security/Summaries/package.json | 10 + 17 files changed, 605 insertions(+), 1 deletion(-) create mode 100644 javascript/config/suites/javascript/flow-summaries create mode 100644 javascript/ql/src/Security/Summaries/AllConfigurations.qll create mode 100644 javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql create mode 100644 javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql create mode 100644 javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql create mode 100644 javascript/ql/src/Security/Summaries/PortalEntrySink.qll create mode 100644 javascript/ql/src/Security/Summaries/PortalExitSource.qll create mode 100644 javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.expected create mode 100644 javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.qlref create mode 100644 javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected create mode 100644 javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.qlref 
create mode 100644 javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.expected create mode 100644 javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.qlref create mode 100644 javascript/ql/test/query-tests/Security/Summaries/index.js create mode 100644 javascript/ql/test/query-tests/Security/Summaries/package.json
diff --git a/javascript/config/suites/javascript/flow-summaries b/javascript/config/suites/javascript/flow-summaries
new file mode 100644
index 00000000000..bf449d8ff8d
--- /dev/null
+++ b/javascript/config/suites/javascript/flow-summaries
@@ -0,0 +1,3 @@
++ semmlecode-javascript-queries/Security/Summaries/ExtractSourceSummaries.ql
++ semmlecode-javascript-queries/Security/Summaries/ExtractSinkSummaries.ql
++ semmlecode-javascript-queries/Security/Summaries/ExtractFlowStepSummaries.ql
diff --git a/javascript/ql/src/Security/Summaries/AllConfigurations.qll b/javascript/ql/src/Security/Summaries/AllConfigurations.qll
new file mode 100644
index 00000000000..7bb133bfb81
--- /dev/null
+++ b/javascript/ql/src/Security/Summaries/AllConfigurations.qll
@@ -0,0 +1,36 @@
+/**
+ * Imports the standard library and all taint-tracking configuration classes from the security queries.
+ */
+
+import javascript
+
+import semmle.javascript.security.dataflow.BrokenCryptoAlgorithm
+import semmle.javascript.security.dataflow.CleartextLogging
+import semmle.javascript.security.dataflow.CleartextStorage
+import semmle.javascript.security.dataflow.ClientSideUrlRedirect
+import semmle.javascript.security.dataflow.CodeInjection
+import semmle.javascript.security.dataflow.CommandInjection
+import semmle.javascript.security.dataflow.ConditionalBypass
+import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentials
+import semmle.javascript.security.dataflow.DifferentKindsComparisonBypass
+import semmle.javascript.security.dataflow.DomBasedXss as DomBasedXss
+import semmle.javascript.security.dataflow.FileAccessToHttp
+import semmle.javascript.security.dataflow.HardcodedCredentials
+import semmle.javascript.security.dataflow.InsecureRandomness
+import semmle.javascript.security.dataflow.InsufficientPasswordHash
+import semmle.javascript.security.dataflow.NosqlInjection
+import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
+import semmle.javascript.security.dataflow.RegExpInjection
+import semmle.javascript.security.dataflow.RemotePropertyInjection
+import semmle.javascript.security.dataflow.RequestForgery
+import semmle.javascript.security.dataflow.ServerSideUrlRedirect
+import semmle.javascript.security.dataflow.SqlInjection
+import semmle.javascript.security.dataflow.StackTraceExposure
+import semmle.javascript.security.dataflow.StoredXss as StoredXss
+import semmle.javascript.security.dataflow.TaintedFormatString
+import semmle.javascript.security.dataflow.TaintedPath
+import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTampering
+import semmle.javascript.security.dataflow.UnsafeDeserialization
+import semmle.javascript.security.dataflow.XmlBomb
+import semmle.javascript.security.dataflow.XpathInjection
+import semmle.javascript.security.dataflow.Xxe
diff --git a/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql b/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql
new file mode 100644
index 00000000000..aac9894a49c
--- /dev/null
+++ b/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql
@@ -0,0 +1,32 @@
+/**
+ * @name Extract flow step summaries
+ * @description Extracts flow step summaries, that is, tuples `(p1, lbl1, p2, lbl2, cfg)`
+ * representing the fact that data with flow label `lbl1` may flow from a
+ * user-controlled exit node of portal `p1` to an escaping entry node of portal `p2`,
+ * and have label `lbl2` at that point. Moreover, the path from `p1` to `p2` contains
+ * no sanitizers specified by configuration `cfg`.
+ * @kind flow-step-summary
+ * @id js/step-summary-extraction
+ */
+
+import AllConfigurations
+import PortalExitSource
+import PortalEntrySink
+
+from TaintTracking::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
+ Portal p1, Portal p2, DataFlow::FlowLabel lbl1, DataFlow::FlowLabel lbl2
+where cfg.hasFlowPath(source, sink) and
+ p1 = source.getNode().(PortalExitSource).getPortal() and
+ p2 = sink.getNode().(PortalEntrySink).getPortal() and
+ lbl1 = sink.getPathSummary().getStartLabel() and
+ lbl2 = sink.getPathSummary().getEndLabel() and
+ // avoid constructing infeasible paths
+ sink.getPathSummary().hasCall() = false and
+ sink.getPathSummary().hasReturn() = false and
+ // restrict to steps flow function parameters to returns
+ p1.(ParameterPortal).getBasePortal() = p2.(ReturnPortal).getBasePortal() and
+ // restrict to data/taint flow
+ lbl1 instanceof DataFlow::StandardFlowLabel
+select p1.toString(), lbl1.toString(),
+ p2.toString(), lbl2.toString(),
+ cfg.toString()
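Review bot: The import list in AllConfigurations.qll is maintained by hand, and the header comment does not say that it has to be extended whenever a new security data-flow library is added, so the summary queries can silently stop covering new configurations. The three aliased imports (`DomBasedXss`, `ReflectedXss`, `StoredXss`) are also unexplained; presumably the alias avoids name clashes between the XSS libraries, but that should be confirmed and written down. I would extend the header comment with one sentence on keeping the list in sync with `semmle.javascript.security.dataflow` and one on why those three imports use `as`.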
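Review bot: The comment `// restrict to steps flow function parameters to returns` in the `where` clause of ExtractFlowStepSummaries.ql is garbled; it presumably means `// restrict to steps from function parameters to returns`. In the same clause only `lbl1` is required to be a `DataFlow::StandardFlowLabel`, while `lbl2` is left unconstrained, so an extracted step may end in a configuration-specific label. If that is intended, the comment `// restrict to data/taint flow` should say that the restriction applies to the start label only.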
diff --git a/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql b/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql
new file mode 100644
index 00000000000..4b45e8fbc4d
--- /dev/null
+++ b/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Extract sink summaries
+ * @description Extracts sink summaries, that is, tuples `(p, lbl, cfg)` representing the fact
+ * that data with flow label `lbl` may flow from a user-controlled exit node of portal
+ * `p` to a known sink for configuration `cfg`.
+ * @kind sink-summary
+ * @id js/sink-summary-extraction
+ */
+
+import AllConfigurations
+import PortalExitSource
+
+from TaintTracking::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
+ Portal p
+where cfg.hasFlowPath(source, sink) and
+ p = source.getNode().(PortalExitSource).getPortal() and
+ // avoid constructing infeasible paths
+ sink.getPathSummary().hasReturn() = false
+select p.toString(), source.getPathSummary().getStartLabel().toString(), cfg.toString()
diff --git a/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql b/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql
new file mode 100644
index 00000000000..0790e0dc153
--- /dev/null
+++ b/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql
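Review bot: The `select` clause of ExtractSinkSummaries.ql reads the label from `source.getPathSummary().getStartLabel()`, whereas ExtractFlowStepSummaries.ql takes the start label from the sink's path summary and the `where` clause here also filters on `sink.getPathSummary()`. If the two are meant to denote the same label, declaring `DataFlow::FlowLabel lbl` and binding it once with `lbl = sink.getPathSummary().getStartLabel()` would keep the three extraction queries parallel and match the `(p, lbl, cfg)` tuple named in the description. If they can differ, a comment should say why the source node's summary is the right one to report.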
@@ -0,0 +1,19 @@
+/**
+ * @name Extract source summaries
+ * @description Extracts source summaries, that is, tuples `(p, lbl, cfg)` representing the fact
+ * that data may flow from a known source for configuration `cfg` to an escaping entry
+ * node of portal `p`, and have flow label `lbl` at that point.
+ * @kind source-summary
+ * @id js/source-summary-extraction
+ */
+
+import AllConfigurations
+import PortalEntrySink
+
+from TaintTracking::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
+ Portal p
+where cfg.hasFlowPath(source, sink) and
+ p = sink.getNode().(PortalEntrySink).getPortal() and
+ // avoid constructing infeasible paths
+ sink.getPathSummary().hasCall() = false
+select p.toString(), sink.getPathSummary().getEndLabel().toString(), cfg.toString()
diff --git a/javascript/ql/src/Security/Summaries/PortalEntrySink.qll b/javascript/ql/src/Security/Summaries/PortalEntrySink.qll
new file mode 100644
index 00000000000..34688675cb4
--- /dev/null
+++ b/javascript/ql/src/Security/Summaries/PortalEntrySink.qll
@@ -0,0 +1,24 @@
+import javascript
+import semmle.javascript.dataflow.Portals
+
+/**
+ * An escaping entry node of a portal, viewed as an additional sink node for any flow
+ * configuration currently in scope.
+ */
+class PortalEntrySink extends DataFlow::AdditionalSink {
+ Portal p;
+
+ PortalEntrySink() {
+ this = p.getAnEntryNode(true)
+ }
+
+ override predicate isSinkFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) {
+ cfg instanceof TaintTracking::Configuration and
+ lbl = any(DataFlow::FlowLabel l)
+ }
+
+ /** Gets the portal of which this is an entry node. */
+ Portal getPortal() {
+ result = p
+ }
+}
diff --git a/javascript/ql/src/Security/Summaries/PortalExitSource.qll b/javascript/ql/src/Security/Summaries/PortalExitSource.qll
new file mode 100644
index 00000000000..d430be7801b
--- /dev/null
+++ b/javascript/ql/src/Security/Summaries/PortalExitSource.qll
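Review bot: The doc comment on `PortalEntrySink` says it is a sink "for any flow configuration currently in scope", but `isSinkFor` only holds when `cfg instanceof TaintTracking::Configuration`, so the comment should read "any taint-tracking configuration". Because the class extends `DataFlow::AdditionalSink`, importing this library presumably makes every escaping portal entry node a sink for every taint-tracking query compiled together with it, for every flow label. The file should therefore carry a warning that it is meant only for the summary extraction queries and must not be imported from ordinary security queries or shared libraries, where it would flood results with spurious flows. Both remarks apply equally to `PortalExitSource` and `isSourceFor` in PortalExitSource.qll.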
@@ -0,0 +1,24 @@
+import javascript
+import semmle.javascript.dataflow.Portals
+
+/**
+ * A remote exit node of a portal, viewed as an additional source node for any flow
+ * configuration currently in scope.
+ */
+class PortalExitSource extends DataFlow::AdditionalSource {
+ Portal p;
+
+ PortalExitSource() {
+ this = p.getAnExitNode(true)
+ }
+
+ override predicate isSourceFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) {
+ cfg instanceof TaintTracking::Configuration and
+ lbl = any(DataFlow::FlowLabel l)
+ }
+
+ /** Gets the portal of which this is an exit node. */
+ Portal getPortal() {
+ result = p
+ }
+}
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
index 019c4de5f54..570d72298bc 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -246,7 +246,7 @@ class TaintKind = FlowLabel; /** * A standard flow label, that is, either `FlowLabel::data()` or `FlowLabel::taint()`. */ -private class StandardFlowLabel extends FlowLabel { +class StandardFlowLabel extends FlowLabel { StandardFlowLabel() { this = "data" or this = "taint" } }
@@ -790,6 +790,11 @@ class PathNode extends TPathNode { /** Gets the underlying data flow tracking configuration of this path node. */ DataFlow::Configuration getConfiguration() { result = cfg } + /** Gets the summary of the path underlying this path node. */ + PathSummary getPathSummary() { + result = summary + } + /** Gets a successor node of this path node. */ PathNode getASuccessor() { exists(DataFlow::Node succ, PathSummary newSummary |
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
index 0900b24769e..c25d265f0d3 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
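Review bot: The new `PathNode.getPathSummary()` in Configuration.qll makes `PathSummary` part of the public `PathNode` interface, although this same patch shows that class living in `dataflow/internal/FlowSteps.qll`. Queries outside the library can now depend on an internal representation, and the first hunk of this file widens the API in the same way by dropping `private` from `StandardFlowLabel`. If both are exposed only for the summary extraction queries, their doc comments should say so, for example `/** INTERNAL: Gets the summary of the path underlying this path node; subject to change. */`. The enclosing `PathNode` class starts and ends outside the hunk.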
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
@@ -285,6 +285,11 @@ class PathSummary extends TPathSummary { /** Indicates whether the path represented by this summary contains any call steps. */ boolean hasCall() { result = hasCall } + /** Gets the flow label describing the value at the start of this flow path. */ + FlowLabel getStartLabel() { + result = start + } + /** Gets the flow label describing the value at the end of this flow path. */ FlowLabel getEndLabel() { result = end }
diff --git a/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.expected b/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.expected
new file mode 100644
index 00000000000..42c71f777dd
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.expected
@@ -0,0 +1,162 @@ +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | BrokenCryptoAlgorithm | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | ClearTextStorage | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | ClientSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | CommandInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | ConditionalBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | CorsMisconfigurationForCredentials | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | DifferentKindsComparisonBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | DomBasedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | FileAccessToHttp | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 
0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | InsecureRandomness | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | InsufficientPasswordHash | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | NosqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | ReflectedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | RegExpInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | RemotePropertyInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | RequestForgery | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | ServerSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | SqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | StackTraceExposure | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | StoredXss | +| (parameter 
(member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | TaintedFormatString | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | TaintedPath | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | UnsafeDeserialization | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | XmlBomb | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | XpathInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | data | Xxe | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | BrokenCryptoAlgorithm | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | ClearTextStorage | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | ClientSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root 
https://www.npmjs.com/package/infer-sources) h)) | taint | CommandInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | ConditionalBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | CorsMisconfigurationForCredentials | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | DifferentKindsComparisonBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | DomBasedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | FileAccessToHttp | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | InsecureRandomness | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | InsufficientPasswordHash | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | NosqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | ReflectedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | RegExpInjection | 
+| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | RemotePropertyInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | RequestForgery | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | ServerSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | SqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | StackTraceExposure | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | StoredXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | TaintedFormatString | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | TaintedPath | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | UnsafeDeserialization | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | XmlBomb | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root 
https://www.npmjs.com/package/infer-sources) h)) | taint | XpathInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) h) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) h)) | taint | Xxe | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | BrokenCryptoAlgorithm | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | ClearTextStorage | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | ClientSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | CommandInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | ConditionalBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | CorsMisconfigurationForCredentials | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | 
DifferentKindsComparisonBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | DomBasedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | FileAccessToHttp | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | InsecureRandomness | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | InsufficientPasswordHash | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | NosqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | ReflectedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | RegExpInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | RemotePropertyInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | RequestForgery | +| 
(parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | ServerSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | SqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | StackTraceExposure | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | StoredXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | TaintedFormatString | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | TaintedPath | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | UnsafeDeserialization | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | XmlBomb | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | XpathInjection | +| (parameter (member (root 
https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | data | Xxe | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | BrokenCryptoAlgorithm | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | ClearTextStorage | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | ClientSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | CommandInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | ConditionalBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | CorsMisconfigurationForCredentials | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | DifferentKindsComparisonBypass | +| (parameter (member (root 
https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | DomBasedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | FileAccessToHttp | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | InsecureRandomness | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | InsufficientPasswordHash | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | NosqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | ReflectedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | RegExpInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | RemotePropertyInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | RequestForgery | +| (parameter (member (root 
https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | ServerSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | SqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | StackTraceExposure | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | StoredXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | TaintedFormatString | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | TaintedPath | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | UnsafeDeserialization | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | XmlBomb | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | XpathInjection | +| (parameter (member (root 
https://www.npmjs.com/package/infer-sources) notACookieSource) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notACookieSource)) | taint | Xxe | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | BrokenCryptoAlgorithm | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | ClearTextStorage | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | ClientSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | CommandInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | ConditionalBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | CorsMisconfigurationForCredentials | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | DifferentKindsComparisonBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) 
| data | DomBasedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | FileAccessToHttp | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | InsecureRandomness | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | InsufficientPasswordHash | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | NosqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | ReflectedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | RegExpInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | RemotePropertyInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | RequestForgery | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | ServerSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root 
https://www.npmjs.com/package/infer-sources) notASink)) | data | SqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | StackTraceExposure | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | StoredXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | TaintedFormatString | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | TaintedPath | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | UnsafeDeserialization | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | XmlBomb | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | XpathInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | data | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | data | Xxe | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | BrokenCryptoAlgorithm | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root 
https://www.npmjs.com/package/infer-sources) notASink)) | taint | ClearTextStorage | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | ClientSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | CommandInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | ConditionalBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | CorsMisconfigurationForCredentials | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | DifferentKindsComparisonBypass | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | DomBasedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | FileAccessToHttp | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | InsecureRandomness | +| (parameter (member (root 
https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | InsufficientPasswordHash | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | NosqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | ReflectedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | RegExpInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | RemotePropertyInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | RequestForgery | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | ServerSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | SqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | StackTraceExposure | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | 
StoredXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | TaintedFormatString | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | TaintedPath | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | UnsafeDeserialization | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | XmlBomb | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | XpathInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) notASink) 0) | taint | (return (member (root https://www.npmjs.com/package/infer-sources) notASink)) | taint | Xxe | diff --git a/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.qlref b/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.qlref new file mode 100644 index 00000000000..8491bf549de --- /dev/null +++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.qlref @@ -0,0 +1 @@ +Security/Summaries/ExtractFlowStepSummaries.ql diff --git a/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected b/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected new file mode 100644 index 00000000000..b5cc0e152d6 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected 
@@ -0,0 +1,38 @@ +| (member (parameter (member (root https://www.npmjs.com/package/infer-sources) regexpInj) 0) name) | data | RegExpInjection | +| (member (parameter (member (root https://www.npmjs.com/package/infer-sources) regexpInj) 0) name) | taint | RegExpInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) codeInjection) 0) | data | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) codeInjection) 0) | taint | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) commandInjection) 0) | data | CommandInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) commandInjection) 0) | taint | CommandInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) hashPass) 0) | data | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) hashPass) 0) | data | InsufficientPasswordHash | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) hashPass) 0) | taint | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) hashPass) 0) | taint | InsufficientPasswordHash | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) multiple) 0) | data | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) multiple) 0) | data | CommandInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) multiple) 0) | taint | CodeInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) multiple) 0) | taint | CommandInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) redirect) 0) | data | ServerSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) redirect) 0) | taint | ServerSideUrlRedirect | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) reflected) 0) | 
data | ReflectedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) reflected) 0) | data | StoredXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) reflected) 0) | taint | ReflectedXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) reflected) 0) | taint | StoredXss | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) regexpInj) 0) | data | RegExpInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) regexpInj) 0) | taint | RegExpInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) remotePropeInjection) 1) | data | RemotePropertyInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) remotePropeInjection) 1) | taint | RemotePropertyInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) sqlInj) 0) | data | SqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) sqlInj) 0) | taint | SqlInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) taintedPath) 0) | data | TaintedPath | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) taintedPath) 0) | taint | TaintedPath | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) unsafeDes) 0) | data | UnsafeDeserialization | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) unsafeDes) 0) | taint | UnsafeDeserialization | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) xmlBomb) 0) | data | XmlBomb | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) xmlBomb) 0) | data | Xxe | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) xmlBomb) 0) | taint | XmlBomb | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) xmlBomb) 0) | taint | Xxe | +| (parameter (member (root 
https://www.npmjs.com/package/infer-sources) xpathInj) 0) | data | XpathInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) xpathInj) 0) | taint | XpathInjection | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) xxe) 0) | data | XmlBomb | +| (parameter (member (root https://www.npmjs.com/package/infer-sources) xxe) 0) | taint | XmlBomb | diff --git a/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.qlref b/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.qlref new file mode 100644 index 00000000000..9b5d6745f2c --- /dev/null +++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.qlref @@ -0,0 +1 @@ +Security/Summaries/ExtractSinkSummaries.ql diff --git a/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.expected b/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.expected new file mode 100644 index 00000000000..9321894774a --- /dev/null +++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.expected 
@@ -0,0 +1,37 @@ +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | ClientSideUrlRedirect | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | CodeInjection | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | CommandInjection | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | ConditionalBypass | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | CorsMisconfigurationForCredentials | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | DifferentKindsComparisonBypass | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | DomBasedXss | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | NosqlInjection | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | ReflectedXss | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | RegExpInjection | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | RemotePropertyInjection | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | RequestForgery | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | ServerSideUrlRedirect | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | SqlInjection | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | TaintedFormatString | +| (parameter (parameter (member (root 
https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | TaintedPath | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | UnsafeDeserialization | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | XmlBomb | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | XpathInjection | +| (parameter (parameter (member (root https://www.npmjs.com/package/infer-sources) listen) 0) 0) | taint | Xxe | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | ClientSideUrlRedirect | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | CodeInjection | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | CommandInjection | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | ConditionalBypass | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | CorsMisconfigurationForCredentials | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | DomBasedXss | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | NosqlInjection | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | RegExpInjection | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | RemotePropertyInjection | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | RequestForgery | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | SqlInjection | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | TaintedFormatString | +| (return (member (root 
https://www.npmjs.com/package/infer-sources) cookieSource)) | data | TaintedPath | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | UnsafeDeserialization | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | XmlBomb | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | XpathInjection | +| (return (member (root https://www.npmjs.com/package/infer-sources) cookieSource)) | data | Xxe | diff --git a/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.qlref b/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.qlref new file mode 100644 index 00000000000..36bf7bd8369 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.qlref @@ -0,0 +1 @@ +Security/Summaries/ExtractSourceSummaries.ql diff --git a/javascript/ql/test/query-tests/Security/Summaries/index.js b/javascript/ql/test/query-tests/Security/Summaries/index.js new file mode 100644 index 00000000000..bb43f9ede09 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/Summaries/index.js 
@@ -0,0 +1,187 @@
+var http = require('http'),
+ url = require('url');
+
+function listenForHeaders(cb) {
+ http.createServer(function (req, res) {
+ let cmd = url.parse(req.url, true).query.path;
+ cb(cmd); // sink
+ res.write('Hello World!');
+ res.end();
+ }).listen(8080);
+};
+
+function codeInjection(input) {
+ eval("url[" + input + "]");
+}
+
+function commandInjection(input) {
+ require("child_process").exec("ls " + input);
+}
+
+function multiple(input) {
+ codeInjection(input);
+ commandInjection(input);
+}
+
+function taintedPath(input) {
+ require("/tmp/" + input);
+}
+
+function regexpInj(data) {
+ new RegExp("^"+ data.name + "$", "i");
+}
+
+function xpathInj(userName) {
+ const xpath = require('xpath');
+ let badXPathExpr = xpath.parse("//users/user[login/text()='" + userName + "']/home_dir/text()");
+ badXPathExpr.select({
+ node: root
+ });
+}
+
+function xxe(input) {
+ const expat = require('node-expat');
+ var parser = new expat.Parser();
+ parser.write(input);
+}
+
+
+function xmlBomb(input) {
+ const libxmljs = require('libxmljs');
+ libxmljs.parseXml(input, { noent: true });
+
+}
+
+function hashPass(input) {
+ require('crypto').createCipher('aes192').write(input);
+ codeInjection(input)
+}
+
+function unsafeDes(input) {
+ const jsyaml = require("js-yaml");
+ let data;
+ return jsyaml.load(input);
+}
+
+function remoteProp(input1, input2, input3) {
+ var obj = url[input1];
+ obj[input2] = input3;
+}
+
+function reflected(userID) {
+ var express = require('express');
+
+ var app = express();
+
+ app.get('/user/:id', function(req, res) {
+ res.send("Unknown user: " + userID);
+ });
+}
+
+function redirect(input) {
+ var https = require('https');
+ var url = require('url');
+
+ var server = https.createServer(function(req, res) {
+ res.writeHead(302, { Location: '/' + input});
+ }).listen(8080)
+
+}
+
+function sqlInj(input) {
+ var mysql = require('mysql');
+ var connection = mysql.createConnection({
+ host : 'localhost',
+ user : 'me',
+ password : 'secret',
+ database : 'my_db'
+ });
+ connection.connect();
+ connection.query('SELECT ' + input + ' AS solution', function (error, results, fields) {
+ if (error) throw error;
+ console.log('The solution is: ', results[0].solution);
+ });
+}
+
+function createError () {
+ var err, status;
+ for (i = 0; i < 1000; i++) {
+ err = {};
+ status = err.a || err.b || err.c || err.d || err;
+ }
+
+ err.a = err.b = status
+
+ return err;
+}
+
+function forLoop(input) {
+ var intObj = {};
+ var res = 0;
+ for (var i = 0; i < input.x.length; i++) {
+ res += intObj.x + input.x[i];
+ }
+ if (res < 1000) {
+ intObj.res = res;
+ return intObj;
+ } else
+ return res;
+}
+
+function notASink(foo) {
+ return foo;
+}
+
+// this call should not make parameter `foo` a command injection sink
+eval(notASink(42));
+
+function cookieSource() {
+ return document.cookie;
+}
+
+function notACookieSource(x) {
+ return x;
+}
+
+// this call should not make the return value of `notACookieSource` a remote flow source
+notACookieSource(document.cookie);
+
+function invoke(cb, x) {
+ cb(x);
+}
+
+// this call should not make the first argument to `cb` above a remote flow source
+invoke((x)=>x, document.cookie);
+
+function g(x) {
+ h(x);
+}
+
+function h(y) {
+ return y;
+}
+
+module.exports = {
+ codeInjection: codeInjection,
+ commandInjection: commandInjection,
+ remotePropeInjection: remoteProp,
+ multiple: multiple,
+ taintedPath: taintedPath,
+ sqlInj: sqlInj,
+ listen: listenForHeaders,
+ createError: createError,
+ regexpInj: regexpInj,
+ xpathInj: xpathInj,
+ xmlBomb: xmlBomb,
+ hashPass: hashPass,
+ xxe: xxe,
+ unsafeDes: unsafeDes,
+ redirect: redirect,
+ reflected: reflected,
+ notASink: notASink,
+ cookieSource: cookieSource,
+ notACookieSource: notACookieSource,
+ invoke: invoke,
+ g: g,
+ h: h
+}
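Review bot: The fixture's names and its one inline marker disagree with what the expected files record, which makes the summaries harder to audit. In `listenForHeaders`, `cb(cmd); // sink` is the call from which ExtractSourceSummaries.expected derives the `listen` callback-parameter source rows, so the comment would read better as `// request data flows out to the client callback: its first parameter becomes a remote flow source`. Likewise `xxe` is recorded only as an `XmlBomb` sink while `xmlBomb` is recorded as both `XmlBomb` and `Xxe`, which deserves a one-line comment above each function stating the expected kinds, in the same way the negative cases (`notASink`, `notACookieSource`, `invoke`) are already annotated. `forLoop` is defined but missing from `module.exports`, so it appears to contribute no portal, and the export key `remotePropeInjection` looks like a typo that is now baked into ExtractSinkSummaries.expected.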
diff --git a/javascript/ql/test/query-tests/Security/Summaries/package.json b/javascript/ql/test/query-tests/Security/Summaries/package.json
new file mode 100644
index 00000000000..ac7b631f125
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/Summaries/package.json
@@ -0,0 +1,10 @@
+{
+ "name": "infer-sources",
+ "version": "0.0.1",
+ "dependencies": {
+ "mysql": "2.15.0",
+ "xpath": "0.0.27",
+ "libxmljs": "0.19.1"
+ },
+ "main": "index.js"
+}
\ No newline at end of file
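Review bot: The `dependencies` map declares only `mysql`, `xpath` and `libxmljs`, although index.js in this same commit also requires `express`, `js-yaml` and `node-expat`. The expected files show sinks for `reflected`, `unsafeDes` and `xxe` regardless, so the summaries do not seem to depend on these declarations; that leaves it unclear whether the three listed entries are needed at all. Either list every required module (for example `"express": "<version>"`, with a version chosen by the author) or drop the map, so a reader does not assume the manifest influences which sinks are recognised.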