Merge pull request #9634 from erik-krogh/jqueryParam

JS: add all jquery plugin parameters as source to js/html-constructed-from-input

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll

@@ -34,7 +34,7 @@ module UnsafeHtmlConstruction {
    * A jQuery plugin options object, seen as a source for unsafe HTML constructed from input.
    */
   class JQueryPluginOptionsAsSource extends Source {
-    JQueryPluginOptionsAsSource() { this instanceof UnsafeJQueryPlugin::JQueryPluginOptions }
+    JQueryPluginOptionsAsSource() { this = any(JQuery::JQueryPluginMethod meth).getAParameter() }
   }
 
   /**

javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected

@@ -1,4 +1,13 @@
 nodes
+| jquery-plugin.js:11:27:11:31 | stuff |
+| jquery-plugin.js:11:27:11:31 | stuff |
+| jquery-plugin.js:11:34:11:40 | options |
+| jquery-plugin.js:11:34:11:40 | options |
+| jquery-plugin.js:12:31:12:37 | options |
+| jquery-plugin.js:12:31:12:41 | options.foo |
+| jquery-plugin.js:12:31:12:41 | options.foo |
+| jquery-plugin.js:14:31:14:35 | stuff |
+| jquery-plugin.js:14:31:14:35 | stuff |
 | main.js:1:55:1:55 | s |
 | main.js:1:55:1:55 | s |
 | main.js:2:29:2:29 | s |
@@ -53,6 +62,14 @@ nodes
 | typed.ts:17:29:17:29 | s |
 | typed.ts:17:29:17:29 | s |
 edges
+| jquery-plugin.js:11:27:11:31 | stuff | jquery-plugin.js:14:31:14:35 | stuff |
+| jquery-plugin.js:11:27:11:31 | stuff | jquery-plugin.js:14:31:14:35 | stuff |
+| jquery-plugin.js:11:27:11:31 | stuff | jquery-plugin.js:14:31:14:35 | stuff |
+| jquery-plugin.js:11:27:11:31 | stuff | jquery-plugin.js:14:31:14:35 | stuff |
+| jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:37 | options |
+| jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:37 | options |
+| jquery-plugin.js:12:31:12:37 | options | jquery-plugin.js:12:31:12:41 | options.foo |
+| jquery-plugin.js:12:31:12:37 | options | jquery-plugin.js:12:31:12:41 | options.foo |
 | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s |
 | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s |
 | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s |
@@ -105,6 +122,8 @@ edges
 | typed.ts:16:11:16:21 | s | typed.ts:17:29:17:29 | s |
 | typed.ts:16:15:16:21 | id("x") | typed.ts:16:11:16:21 | s |
 #select
+| jquery-plugin.js:12:31:12:41 | options.foo | jquery-plugin.js:11:34:11:40 | options | jquery-plugin.js:12:31:12:41 | options.foo | $@ based on $@ might later cause $@. | jquery-plugin.js:12:31:12:41 | options.foo | HTML construction | jquery-plugin.js:11:34:11:40 | options | library input | jquery-plugin.js:12:20:12:53 | "<span> ... /span>" | cross-site scripting |
+| jquery-plugin.js:14:31:14:35 | stuff | jquery-plugin.js:11:27:11:31 | stuff | jquery-plugin.js:14:31:14:35 | stuff | $@ based on $@ might later cause $@. | jquery-plugin.js:14:31:14:35 | stuff | HTML construction | jquery-plugin.js:11:27:11:31 | stuff | library input | jquery-plugin.js:14:20:14:47 | "<span> ... /span>" | cross-site scripting |
 | main.js:2:29:2:29 | s | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s | $@ based on $@ might later cause $@. | main.js:2:29:2:29 | s | HTML construction | main.js:1:55:1:55 | s | library input | main.js:3:49:3:52 | html | cross-site scripting |
 | main.js:7:49:7:49 | s | main.js:6:49:6:49 | s | main.js:7:49:7:49 | s | $@ based on $@ might later cause $@. | main.js:7:49:7:49 | s | XML parsing | main.js:6:49:6:49 | s | library input | main.js:8:48:8:66 | doc.documentElement | cross-site scripting |
 | main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | $@ based on $@ might later cause $@. | main.js:12:49:12:49 | s | XML parsing | main.js:11:60:11:60 | s | library input | main.js:16:21:16:35 | xml.cloneNode() | cross-site scripting |

javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js

@@ -7,3 +7,9 @@
 }(function ($) {
     $("<span>" + $.trim("foo") + "</span>"); // OK
 }));
+
+$.fn.myPlugin = function (stuff, options) {
+    $("#foo").html("<span>" + options.foo + "</span>"); // NOT OK
+
+    $("#foo").html("<span>" + stuff + "</span>"); // NOT OK
+}