From 09f73d8d6f359f5681046bc5805e667d23228bdc Mon Sep 17 00:00:00 2001
From: Napalys
Date: Wed, 20 Nov 2024 17:36:43 +0100
Subject: [PATCH 1/3] JS: Add: test cases for toWellFormed
---
 .../TaintTracking/string-immutable-operations.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 javascript/ql/test/library-tests/TaintTracking/string-immutable-operations.js
diff --git a/javascript/ql/test/library-tests/TaintTracking/string-immutable-operations.js b/javascript/ql/test/library-tests/TaintTracking/string-immutable-operations.js
new file mode 100644
index 000000000000..60f6c44088c9
--- /dev/null
+++ b/javascript/ql/test/library-tests/TaintTracking/string-immutable-operations.js
@@ -0,0 +1,12 @@
+function test() {
+ let x = source();
+ sink(x.toWellFormed()); // NOT OK -- Currently not tainted, but should be
+
+ const wellFormedX = x.toWellFormed();
+ sink(wellFormedX); // NOT OK -- Currently not tainted, but should be
+
+ const concatWellFormedX = "/" + wellFormedX + "!";
+ sink(concatWellFormedX); // NOT OK -- Currently not tainted, but should be
+
+ sink(source().toWellFormed()); // NOT OK -- Currently not tainted, but should be
+}
From afc2d3e6d25f24d6111072b555357151b3684222 Mon Sep 17 00:00:00 2001
From: Napalys
Date: Wed, 20 Nov 2024 17:42:25 +0100
Subject: [PATCH 2/3] JS: Add: String.protytpe.toWellFormed to StringManipulationTaintStep
---
 .../ql/lib/semmle/javascript/dataflow/TaintTracking.qll | 2 +-
 .../TaintTracking/BasicTaintTracking.expected | 4 ++++
 .../TaintTracking/string-immutable-operations.js | 8 ++++----
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
index a19691e94480..6b6fc9c4b07d 100644
--- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
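Review bot: Every sink in the new test file receives a value derived from `source()`, so the file can only detect a missing step, not an over-broad one; a step that tainted the result of every `toWellFormed()` call regardless of its receiver would pass this test unchanged. Add a negative case next to the existing sinks, e.g. `sink("abc".toWellFormed()); // OK`, so the expected output also pins that an untainted receiver stays clean. The flow through `"/" + wellFormedX + "!"` on the concat line is covered by the existing string-concatenation step and does not exercise `toWellFormed` itself, which is worth a short comment such as `// concat step, not toWellFormed` to keep future readers from reading it as a second toWellFormed check.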
@@ -612,7 +612,7 @@ module TaintTracking {
 "italics", "link", "padEnd", "padStart", "repeat", "replace", "replaceAll", "slice", "small", "split", "strike", "sub", "substr", "substring", "sup", "toLocaleLowerCase", "toLocaleUpperCase", "toLowerCase", "toUpperCase", "trim",
- "trimLeft", "trimRight"
+ "trimLeft", "trimRight", "toWellFormed"
 ] or
 // sorted, interesting, properties of Object.prototype
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
index f81405a32a2f..3d4fd0b67f86 100644
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -209,6 +209,10 @@ typeInferenceMismatch
 | static-capture-groups.js:2:17:2:24 | source() | static-capture-groups.js:27:14:27:22 | RegExp.$1 |
 | static-capture-groups.js:32:17:32:24 | source() | static-capture-groups.js:38:10:38:18 | RegExp.$1 |
 | static-capture-groups.js:42:12:42:19 | source() | static-capture-groups.js:43:14:43:22 | RegExp.$1 |
+| string-immutable-operations.js:2:13:2:20 | source() | string-immutable-operations.js:3:10:3:25 | x.toWellFormed() |
+| string-immutable-operations.js:2:13:2:20 | source() | string-immutable-operations.js:6:10:6:20 | wellFormedX |
+| string-immutable-operations.js:2:13:2:20 | source() | string-immutable-operations.js:9:10:9:26 | concatWellFormedX |
+| string-immutable-operations.js:11:10:11:17 | source() | string-immutable-operations.js:11:10:11:32 | source( ... ormed() |
 | string-replace.js:3:13:3:20 | source() | string-replace.js:14:10:14:13 | data |
 | string-replace.js:3:13:3:20 | source() | string-replace.js:18:10:18:13 | data |
 | string-replace.js:3:13:3:20 | source() | string-replace.js:21:6:21:41 | safe(). ... taint) |
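Review bot: The added line appends `"toWellFormed"` after `"trimRight"`, but the surrounding list is alphabetical (`toLocaleUpperCase`, `toLowerCase`, `toUpperCase`, `trim`, `trimLeft`, `trimRight`) and the comment on the following sibling list calls these lists "sorted", so the name belongs between `"toUpperCase"` and `"trim"`: `"toLocaleUpperCase", "toLowerCase", "toUpperCase", "toWellFormed", "trim",` with the removed line kept as `"trimLeft", "trimRight"`. Classifying it as a propagating step rather than a sanitizer is the right call, since `toWellFormed` only replaces lone surrogates with U+FFFD and passes every other code unit through, so it offers no escaping an injection sink could rely on; a short `// toWellFormed only swaps lone surrogates for U+FFFD, so taint survives` comment would record that reasoning for the next person who adds a method here. The enclosing predicate body (per the commit subject, `StringManipulationTaintStep`) starts and ends outside the hunk.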
diff --git a/javascript/ql/test/library-tests/TaintTracking/string-immutable-operations.js b/javascript/ql/test/library-tests/TaintTracking/string-immutable-operations.js
index 60f6c44088c9..79e93fab0025 100644
--- a/javascript/ql/test/library-tests/TaintTracking/string-immutable-operations.js
+++ b/javascript/ql/test/library-tests/TaintTracking/string-immutable-operations.js
@@ -1,12 +1,12 @@
 function test() {
 let x = source();
- sink(x.toWellFormed()); // NOT OK -- Currently not tainted, but should be
+ sink(x.toWellFormed()); // NOT OK
 const wellFormedX = x.toWellFormed();
- sink(wellFormedX); // NOT OK -- Currently not tainted, but should be
+ sink(wellFormedX); // NOT OK
 const concatWellFormedX = "/" + wellFormedX + "!";
- sink(concatWellFormedX); // NOT OK -- Currently not tainted, but should be
+ sink(concatWellFormedX); // NOT OK
- sink(source().toWellFormed()); // NOT OK -- Currently not tainted, but should be
+ sink(source().toWellFormed()); // NOT OK
 }
From 43eda58f83d4e81ecba1505a67b68e4a33e4b061 Mon Sep 17 00:00:00 2001
From: Napalys
Date: Wed, 20 Nov 2024 17:44:36 +0100
Subject: [PATCH 3/3] Added change notes
---
 .../2024-11-20-ES2023-string-protytpe-toWellFormed.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 javascript/ql/lib/change-notes/2024-11-20-ES2023-string-protytpe-toWellFormed.md
diff --git a/javascript/ql/lib/change-notes/2024-11-20-ES2023-string-protytpe-toWellFormed.md b/javascript/ql/lib/change-notes/2024-11-20-ES2023-string-protytpe-toWellFormed.md
new file mode 100644
index 000000000000..dda4d8787605
--- /dev/null
+++ b/javascript/ql/lib/change-notes/2024-11-20-ES2023-string-protytpe-toWellFormed.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added taint-steps for `String.prototype.toWellFormed`.